嗯,用户让我帮忙总结一篇文章,控制在一百个字以内,而且不需要特定的开头。首先,我得仔细阅读文章内容,抓住主要信息。 文章讲的是设置LMCompatibilityLevel到5并不能完全禁用NTLMv1,因为服务器端的应用可能仍然请求使用NTLMv1。这会导致即使配置了策略,环境里还是有NTLMv1在运行。而且,NTLMv1存在安全风险,比如使用弱加密和易受攻击。 接下来,我需要提取关键点:LMCompatibilityLevel的设置不起作用的原因、NTLMv1的安全隐患、服务器端应用的问题、微软的回应以及应对措施。 然后,我要把这些信息浓缩成简短的句子,确保不超过一百个字。同时,避免使用“文章内容总结”这样的开头。 最后,检查一下是否涵盖了所有重要信息,并且语言简洁明了。 </think> 设置LMCompatibilityLevel至5无法完全禁用NTLMv1,因其依赖服务器端应用请求。NTLMv1存在安全隐患且仍被广泛使用。微软计划未来版本移除NTLMv1。建议启用审计日志以识别风险应用。 2026-3-31 18:49:1 Author: www.reddit.com(查看原文) 阅读量:3 收藏
If you set LmCompatibilityLevel to 5 a couple years back and called it done, there's a good chance NTLMv1 is still running in your environment. Not because the setting doesn't work. Because it doesn't work the way you think it does.
This isn't just aimed at people who never fully switched to Kerberos. It's also for the ones who are pretty sure they did.
For people not deep into auth protocols: NTLMv1 and NTLMv2 are both considered unsafe today. NTLMv1 especially. It uses DES encryption, which with a weak password can be cracked in seconds. And because NTLM never sends your actual password (challenge-response, the hash gets passed not the plaintext), it's also wide open to pass-the-hash. An attacker intercepts the hash and reuses it to authenticate as you. Responder is the tool that makes this trivial and it's been around forever.Silverfort's research puts 64% of authentications in AD environments still on NTLM.
Here's the actual problem with the registry fix. LMCompatibilityLevel is supposed to tell your DCs to reject NTLMv1 traffic and require NTLMv2 or Kerberos instead. Sounds reasonable. But enforcement runs through the Netlogon Remote Protocol (MS-NRPC), the mechanism application servers use to forward auth requests to your domain controllers. There's a structure in that protocol called NETLOGON_LOGON_IDENTITY_INFO with a field called ParameterControl. That field contains a flag that can explicitly request NTLMv1, and your DC will honor it regardless of what Group Policy says.
The policy controls what Windows clients send. It has no authority over what applications request on the server side. Any third party or homegrown app that hasn't been audited can still be sending NTLMv1 traffic and you'd have no idea.
Silverfort built a POC to confirm this. They set the ParameterControl flag in a simulated misconfigured service and forced NTLMv1 authentications through a DC that was configured to block them. Worked. They reported it to Microsoft, Microsoft confirmed it but didn't classify it as a vulnerability. Their response was to announce full removal of NTLMv1 starting with Windows Server 2025 and Windows 11 24H2. So that's something, atleast.
If you're not on those versions, you're still exposed and there's no patch coming.
What you can do right now: turn on NTLM audit logging across your domain. Registry keys exist to capture all NTLM traffic so you can actually see what's authenticating how. From there, map every app using NTLM, whether primary or as a fallback, and look specifically for anything requesting NTLMv1 messages. That's your exposure.
如有侵权请联系:admin#unsafe.sh