Overview
A critical vulnerability in Microsoft Active Directory exposes how Group Policy security controls can be bypassed, allowing deprecated NTLMv1 authentication despite restrictions. The flaw stems from misconfigured on-premises applications that override security settings through the Netlogon Remote Protocol.
Whom it may concern
- Active Directory administrators
- Security operations teams
- Application security managers
- Compliance officers
Key Findings
- NTLMv1 authentication can bypass Group Policy restrictions through the NETLOGON_LOGON_IDENTITY_INFO structure
- Microsoft has officially deprecated NTLMv1 in Windows 11 v24H2 and Windows Server 2025
- Misconfigured applications can override network-wide security policies
Risk Analysis
- Probability: High - Easily exploitable through common misconfigurations
- Impact: Severe - Enables authentication relay attacks
- Attack Surface: All Windows domains using Active Directory
- Exposure Period: Until application configurations are remediated
Action Items
- Enable comprehensive NTLM authentication audit logging
- Monitor for NTLMv1 authentication attempts
- Identify and remediate vulnerable applications
- Implement regular configuration reviews
- Update to latest Windows versions where possible
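As an added example (not part of the original briefing or of any vendor tooling), a small script for the "monitor for NTLMv1 authentication attempts" and "identify vulnerable applications" items: it parses Security event 4624 records exported as XML and reports which hosts and accounts still complete NTLMv1 logons. The single `<Events>` wrapper around the export, the `DC01.corp.example` host name and the sample records are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Windows event schema namespace; exported 4624 events are assumed to be
# concatenated under one <Events> root. The sample records below are constructed.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FIELDS = ("TargetUserName", "TargetDomainName", "WorkstationName", "IpAddress",
          "LogonType", "AuthenticationPackageName", "LmPackageName")

def _event(user, ws, ip, auth, lm, logon_type="3"):
    """Build one constructed 4624 record carrying only the fields the check uses."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID>'
            f"<Computer>DC01.corp.example</Computer></System><EventData>"
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="TargetDomainName">CORP</Data>'
            f'<Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="AuthenticationPackageName">{auth}</Data>'
            f'<Data Name="WorkstationName">{ws}</Data>'
            f'<Data Name="LmPackageName">{lm}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

SAMPLE_XML = "<Events>" + "".join([
    _event("svc_legacy", "APP01", "10.0.0.15", "NTLM", "NTLM V1"),  # legacy app host
    _event("jdoe", "WS042", "10.0.1.7", "NTLM", "NTLM V2"),
    _event("jdoe", "WS042", "10.0.1.7", "Kerberos", "-"),  # LmPackageName is "-" for Kerberos
]) + "</Events>"

def parse_4624(xml_text):
    """Return one dict of EventData fields per 4624 event; other event IDs are skipped."""
    logons = []
    for ev in ET.fromstring(xml_text).iter(f"{{{NS['e']}}}Event"):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        logons.append({f: data.get(f, "") for f in FIELDS})
    return logons

def find_ntlmv1(logons):
    """NTLM logons whose LM package is NTLM V1: these got past the Group Policy restriction."""
    return [l for l in logons
            if l["AuthenticationPackageName"] == "NTLM" and l["LmPackageName"].upper() == "NTLM V1"]

def ntlmv1_sources(logons):
    """Count NTLMv1 logons per (workstation, source IP, account): the hosts to remediate."""
    return Counter((l["WorkstationName"], l["IpAddress"], l["TargetUserName"])
                   for l in find_ntlmv1(logons))
```

On a domain controller the same records come from the Security log (for example a `wevtutil qe Security /f:xml` export filtered to event 4624), so the `LmPackageName` check can run over real data once NTLM auditing is enabled.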
Sources
- [The Hacker News](https://thehackernews.com/2025/01/researchers-find-exploit-allowing.html)