Turn off the AllowNT4Crypto setting on all the affected domain controllers

Why Consider this

Allowing the old Windows NT 4.0 cryptography algorithms is a serious security risk, and it can also be a signal that old, insecure hardware or software (such as Windows NT 4.0 or older Samba SMB clients) is still in use in the environment. No currently supported operating system honors this setting anymore.

Context & Best Practices

By default, Windows Server 2008 and later prohibit clients running non-Microsoft operating systems or Windows NT 4.0 from establishing secure channels that use the weak Windows NT 4.0-style cryptography algorithms. Any secure-channel-dependent operation started by a client that runs an older version of Windows, or a non-Microsoft operating system that does not support the strong cryptographic algorithms, will fail against a domain controller running Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012 with default settings.

Windows Server 2008 R2 and later do not support trust relationships with Windows NT 4.0 even when the NT4Crypto setting is used. This limitation includes, but is not limited to, the following secure channel operations:

  - Establishing and maintaining trust relationships
  - Domain Join
  - Domain authentication
  - SMB sessions

Suggested Actions

To address this issue, run one of the following actions:

  1. Turn off the AllowNT4Crypto setting in the registry.
    1. Log on to the affected domain controllers.
    2. Select Start, select Run, type regedit.exe, and then select OK.
    3. In Registry Editor go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
    4. Change the value of AllowNT4Crypto to 0.
    5. Repeat these steps for each affected domain controller.
  2. Turn off the AllowNT4Crypto setting in the Default Domain Controllers Policy GPO.
    1. Log on to a Windows Server 2008-based domain controller.
    2. Select Start, select Run, type gpmc.msc, and then select OK.
    3. In the Group Policy Management console, expand Forest: DomainName, expand Domains, expand DomainName, and then expand Domain Controllers.
    4. Right-click Default Domain Controllers Policy, and then select Edit.
    5. In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Administrative Templates, and then expand System.
    6. Select Net Logon.
    7. Double-click Allow cryptography algorithms compatible with Windows NT 4.0.
    8. In the dialog, select Disabled, and then select OK.
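The registry check in the first procedure has to be repeated on every domain controller, so the following added example (not part of the original page or of any Microsoft tooling) audits the AllowNT4Crypto value on all domain controllers in the domain from one session and, when run with -Remediate, sets it to 0 where it is enabled. It assumes the ActiveDirectory RSAT module is installed and that PowerShell remoting to each domain controller is allowed.

```powershell
# Added example: audit (and optionally fix) AllowNT4Crypto on every DC.
# Assumptions: ActiveDirectory module available, WinRM reachable on each DC.
param([switch]$Remediate)

Import-Module ActiveDirectory

# Same key the manual procedure and the GPO setting write to.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$valueName = 'AllowNT4Crypto'

# Enumerate all domain controllers in the current domain.
$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs `
    -ArgumentList $regPath, $valueName, [bool]$Remediate -ScriptBlock {
    param($path, $name, $fix)

    # A missing value means the secure default (NT4 crypto not allowed).
    $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    $status = if ($null -eq $current) { 'NotSet (default: disabled)' }
              elseif ($current -eq 1)  { 'ENABLED (weak NT4 crypto allowed)' }
              else                     { 'Disabled' }

    if ($fix -and $current -eq 1) {
        Set-ItemProperty -Path $path -Name $name -Value 0 -Type DWord
        $status = 'Remediated (set to 0)'
    }

    [pscustomobject]@{
        DC             = $env:COMPUTERNAME
        AllowNT4Crypto = $current
        Status         = $status
    }
}

# One row per DC; unreachable DCs surface as Invoke-Command errors.
$results | Sort-Object DC | Format-Table DC, AllowNT4Crypto, Status -AutoSize
```

If the GPO setting described in the second procedure is configured as Enabled, Group Policy will write the value back, so treat a registry-only fix as incomplete until the GPO is set to Disabled or Not Configured.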

Learn More

For more information on this behavior, see The Net Logon service on Windows Server 2008 and on Windows Server 2008 R2 domain controllers does not allow the use of older cryptography algorithms that are compatible with Windows NT 4.0 by default, at https://support.microsoft.com/kb/942564.

For more information on modifying the relevant GPO, see Modify Security Policies in Default Domain Controllers Policy, at https://technet.microsoft.com/library/cc731654.aspx.