IRONSMITHINTEL
Severity: HIGH
Auth: network access · Reboot: not required · Est. 10 minutes · Script available

Disable NTLMv1 to Prevent Weak Authentication Hash Cracking and Relay Attacks

NTLMv1 hashes can be cracked in seconds on modern hardware and are trivially relayed to authenticate to other servers — disabling NTLMv1 forces the use of stronger NTLMv2 or Kerberos.

Tested on WS2022 · Rollback included

Published May 7, 2026 · Updated May 7, 2026
Why patch: risk explained in plain English

Worst-case scenario (if unpatched)

An attacker who captures an NTLMv1 challenge-response (via network sniffing, responder tools, or forced authentication) can crack the hash offline in seconds to recover the plaintext password, or relay it to authenticate to other servers without ever knowing the password. NTLMv1 relay attacks are trivial with freely available tools.

How the attack works

NTLMv1 is a 1990s-era authentication protocol that uses a DES-based challenge-response mechanism. DES is completely broken by modern standards — NTLMv1 hashes can be cracked in seconds using rainbow tables or modern GPU hardware. Windows Server allows NTLMv1 by default for backward compatibility with legacy systems. Any server that accepts NTLMv1 authentication is vulnerable to offline hash cracking and NTLM relay attacks.

Am I affected? Quick check

Probably yes if any of these apply:

All Windows Servers
Domain Controllers
Member Servers
Running NTLMv1 permitted (LmCompatibilityLevel < 3)

Affected OS versions

Windows Server 2016 · Windows Server 2019 · Windows Server 2022

Fixed in: NTLMv1 disabled (LmCompatibilityLevel = 5)

Real-world incidents: what we've seen

During a penetration test, the tester runs Responder on the network to capture authentication attempts. Several servers are still configured to use NTLMv1 — the captured hashes are cracked using a rainbow table lookup in under 10 seconds, yielding plaintext passwords for three service accounts, one of which has local admin rights on all servers in the domain.

How to patch. Recommended: PowerShell script

Script Package · Tested WS2022 · v1.0.0

Fix script: Fix-Windows-Server-Ntlmv1-Protocol-Disabled-Hardening.ps1 (3.4 KB)

Rollback script: Rollback-Windows-Server-Ntlmv1-Protocol-Disabled-Hardening.ps1 (1.9 KB)

SHA-256: dcfa33d08724642cc8b2a37d492484bc71ec21d6cb25db608c13ad62d033c004

Run interactively

.\Fix-Windows-Server-Ntlmv1-Protocol-Disabled-Hardening.ps1

Run silently (SCCM / Intune)

.\Fix-Windows-Server-Ntlmv1-Protocol-Disabled-Hardening.ps1 -Silent -OutputPath C:\Logs

Manual fallback (no script)

10 minutes

Check Current NTLM Authentication Level

$val = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
# If the value is absent, the OS default applies; treat it as 0 so the check errs on the side of reporting a weak setting
$level = if ($val.LmCompatibilityLevel) { $val.LmCompatibilityLevel } else { 0 }
Write-Host "Current LmCompatibilityLevel: $level"
# Levels 3 and 4 only restrict what this host sends (4 additionally refuses LM);
# inbound NTLMv1 responses are still accepted until level 5, which is the fixed state this page targets
if ($level -ge 5) {
    Write-Host "SECURE: NTLMv1 is disabled" -ForegroundColor Green
} else {
    Write-Host "VULNERABLE: NTLMv1 is permitted (level $level)" -ForegroundColor Red
}

Disable NTLMv1

# Level 5: Only NTLMv2 responses. Refuses LM and NTLMv1.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -Value 5 -Type DWord

Verification

(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').LmCompatibilityLevel
# Must return 5

Notes

    1. Level 5 is the recommended Microsoft hardening baseline setting.
    2. Can be deployed via Group Policy: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → "Network security: LAN Manager authentication level".
    3. Test compatibility — legacy systems (pre-2000 era) may not support NTLMv2. Modern Windows always supports NTLMv2.
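To carry out the compatibility test in note 3 and the level check from the manual fallback above, here is an added audit script (not part of the vendor's Fix script) that reports what the current LmCompatibilityLevel actually permits and lists accounts still logging on with NTLMv1, taken from the LmPackageName field of Security event 4624. It assumes it is run elevated on the server or domain controller whose Security log you want to inspect; the function names are my own.

```powershell
# Added example: audit LmCompatibilityLevel and inventory NTLMv1 logons before raising the level to 5.
# Meaning of each level follows Microsoft's documented semantics for "LAN Manager authentication level".
$LevelMeaning = @{
    0 = 'Send LM & NTLM responses; accept LM, NTLM, NTLMv2'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated; accept LM, NTLM, NTLMv2'
    2 = 'Send NTLM response only; accept LM, NTLM, NTLMv2'
    3 = 'Send NTLMv2 response only; accept LM, NTLM, NTLMv2'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM and NTLM (NTLMv1)'
}

function Get-LmCompatibilityStatus {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $val = (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    [pscustomobject]@{
        Level         = $val
        Meaning       = if ($null -ne $val) { $LevelMeaning[[int]$val] } else { 'not set (OS default applies)' }
        NtlmV1Refused = ($val -eq 5)   # only level 5 refuses inbound NTLMv1
    }
}

function Get-NtlmV1Logons {
    param([int]$MaxEvents = 5000)   # newest 4624 events to scan; raise for busy DCs
    # Event 4624 records the NTLM sub-protocol in LmPackageName: "NTLM V1", "NTLM V2", "LM" or "-".
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['LmPackageName'] -eq 'NTLM V1') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                    Source      = $d['IpAddress']
                    Workstation = $d['WorkstationName']
                }
            }
        } |
        Group-Object Account, Source | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Account';     e = { $_.Group[0].Account } },
            @{ n = 'Source';      e = { $_.Group[0].Source } },
            @{ n = 'Workstation'; e = { $_.Group[0].Workstation } }
}

Get-LmCompatibilityStatus | Format-List
# Every row below is a client or service account that will break when the level is set to 5; fix those first.
Get-NtlmV1Logons | Format-Table -AutoSize
```

Run it on each domain controller (they validate domain logons) and on member servers with local accounts; an empty NTLMv1 table is the signal that level 5 can be set without breakage.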

Verify after patching

Confirm the hardened setting is in place:

# Expect: NTLMv1 disabled (LmCompatibilityLevel = 5)
Script details · parameters · exit codes

Script Package v1.0.0 · Tested WS2022 · Rollback included · Fully tested
Fix Script: Fix-Windows-Server-Ntlmv1-Protocol-Disabled-Hardening.ps1
Rollback Script: Rollback-Windows-Server-Ntlmv1-Protocol-Disabled-Hardening.ps1
SHA-256 verified · Hashes confirmed on download

Tested On: Windows Server 2022
Reboot: No reboot
SCCM: Compatible
Est. Time: 10 minutes

Parameters

-Silent: Suppress all console output. Always used when called via API or SCCM.
-OutputPath: Directory for log files and downloaded installers. Defaults to script directory.

How to Run

Interactive — see output in console

.\Fix-Windows-Server-Ntlmv1-Protocol-Disabled-Hardening.ps1

Silent mode — for SCCM / automation

.\Fix-Windows-Server-Ntlmv1-Protocol-Disabled-Hardening.ps1 -Silent

With custom log path

.\Fix-Windows-Server-Ntlmv1-Protocol-Disabled-Hardening.ps1 -OutputPath "C:\Logs"

Exit Codes

Code    Meaning
0       Success — fix applied or already patched
1       Failure — check log file
3010    Success — reboot required to complete

Fully tested: fix, idempotency, and rollback verified on Windows Server 2022

⚠ Rollback available. If this fix causes issues, run Rollback-Windows-Server-Ntlmv1-Protocol-Disabled-Hardening.ps1 to restore the previous state.