Hi JerryDevore
I have a quick question while I am running the following scenario:
client: W10 machine domain joined to domain.local
server: W10 machine domain joined to domain.local
server has a file share which the client can access using the FQDN of the server (e.g., \\server.domain.local\test)
both client and server are set to "Send NTLMv2 response only. Refuse LM & NTLM"; however, the domain controller is set to "Send LM & NTLM - use NTLMv2 session security if negotiated"
Despite the above config, when the client accesses the file share I can still see event 4624 in the Security section of Event Viewer on the server, with NTLM V1 being used:
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 128
Why do you think the NTLM version is still downgraded to NTLM V1?