The SMB client now supports blocking NTLM authentication for remote outbound connections. Blocking NTLM authentication prevents bad actors from tricking clients into sending NTLM requests to malicious servers, counteracting brute force, cracking, and pass-the-hash attacks. NTLM blocking is also required for switching an organization's authentication protocols to Kerberos, which is more secure than NTLM because it can verify server identities with its ticket system. However, organizations can also enable this layer of protection without having to disable NTLM entirely.
Prerequisites
NTLM blocking for the SMB client requires the following prerequisites:
Tip
NTLM blocking is an SMB client capability only. The SMB client is built into both Windows Server and Windows client operating systems. The destination SMB server can be any operating system where PKU2U or Kerberos can be used.
Configure SMB client NTLM blocking
Starting with Windows Server 2025 and Windows 11, version 24H2, you have the option to configure SMB to block NTLM. To improve the security of deployments running earlier versions of Windows, you must disable NTLM manually, either by editing the relevant Group Policy or by running a specific command in PowerShell.
To configure NTLM blocking using Group Policy:
1. Open the Group Policy Management Console.
2. In the console tree, go to Computer Configuration > Administrative Templates > Network > Lanman Workstation.
3. Right-click Block NTLM (LM, NTLM, NTLMv2) and select Edit.
4. Select Enabled.
To configure NTLM blocking using PowerShell:
1. Open an elevated PowerShell window.
2. Run the following command to enable NTLM blocking:
Set-SmbClientConfiguration -BlockNTLM $true
There might be scenarios where you need to allow certain machines to use NTLM instead of blocking it globally, for example when the SMB server you're connecting to isn't joined to an Active Directory domain.
To enable a list of exceptions to NTLM blocking:
1. In the Group Policy Editor console tree, go to Computer Configuration > Administrative Templates > Network > Lanman Workstation.
2. Right-click Block NTLM Server Exception List and select Edit.
3. Select Enabled.
4. Enter the IP addresses, NetBIOS names, and fully qualified domain names (FQDNs) of the remote machines you want to allow NTLM authentication to.
There isn't currently a PowerShell equivalent to the Block NTLM Server Exception List Group Policy object. To set up an exception list, you must enable the setting manually in the Group Policy Editor. Once you've completed that manual setup, you can add individual exceptions by running the following command, replacing AddToList with the DNS name, IP address, or NetBIOS name of the server to exempt:
$params = @{
    Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation"
    Name = "BlockNTLMServerExceptionList"
}
# Read the existing exception list (a REG_MULTI_SZ, so a string array when it exists).
$CurrentValue = (Get-ItemProperty @params).BlockNTLMServerExceptionList
# Append the new entry; start a fresh list if the value doesn't exist yet.
$params["Value"] = if ($null -eq $CurrentValue) { @("AddToList") } else { $CurrentValue + "AddToList" }
Set-ItemProperty @params
You can also add multiple entries at once by separating them with commas, as shown in the following example command:
$params = @{
    Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation"
    Name = "BlockNTLMServerExceptionList"
}
# Read the existing exception list (a REG_MULTI_SZ, so a string array when it exists).
$CurrentValue = (Get-ItemProperty @params).BlockNTLMServerExceptionList
# Append all three entries; start a fresh list if the value doesn't exist yet.
$params["Value"] = if ($null -eq $CurrentValue) { @("192.168.10.10","corp.contoso.com","CORP") } else { $CurrentValue + "192.168.10.10","corp.contoso.com","CORP" }
Set-ItemProperty @params
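The snippets above append blindly, so running them twice puts the same server in the exception list twice, and nothing on the page shows how to confirm the resulting state. The following helper functions are an added example, not code from the Microsoft documentation: they read the BlockNTLMServerExceptionList policy value, merge new entries without duplicates, and report the client's BlockNTLM setting alongside the exemptions. They assume an elevated session on Windows 11 24H2 or Windows Server 2025, that the Group Policy setting has already been enabled once so the value exists, and that Get-SmbClientConfiguration exposes a BlockNTLM property on those versions; the function names are my own.

```powershell
# Added example (not from the Microsoft documentation). Assumes an elevated session
# on Windows 11 24H2 / Windows Server 2025 and that "Block NTLM Server Exception List"
# has been enabled once in Group Policy so the registry value already exists.
$ExceptionListPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
$ExceptionListName = 'BlockNTLMServerExceptionList'

function Get-SmbNtlmExceptionList {
    # Returns the current exception entries as a string array (empty if unset).
    $value = Get-ItemPropertyValue -Path $ExceptionListPath -Name $ExceptionListName -ErrorAction SilentlyContinue
    if ($null -eq $value) { return @() }
    # A REG_MULTI_SZ comes back as string[]; a stray REG_SZ comes back as a single string.
    return @($value | Where-Object { $_ -ne '' })
}

function Add-SmbNtlmException {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # One or more IP addresses, NetBIOS names, or FQDNs to exempt from NTLM blocking.
        [Parameter(Mandatory)][string[]]$Server
    )
    $current = Get-SmbNtlmExceptionList
    # Trim, drop blanks, and de-duplicate (Sort-Object -Unique is case-insensitive),
    # so repeated runs don't grow the list.
    $merged = @($current + $Server | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique)
    if ($PSCmdlet.ShouldProcess($ExceptionListPath, "Set $ExceptionListName to: $($merged -join ', ')")) {
        # Write explicitly as REG_MULTI_SZ, matching what the Group Policy setting creates.
        Set-ItemProperty -Path $ExceptionListPath -Name $ExceptionListName -Value $merged -Type MultiString
    }
    return $merged
}

function Get-SmbNtlmBlockingReport {
    # Summarises whether outbound NTLM is blocked and which servers are exempted,
    # which is what you'd want to verify after applying the policy or the cmdlet above.
    $cfg = Get-SmbClientConfiguration   # assumed to expose BlockNTLM on 24H2 / Server 2025
    $exceptions = Get-SmbNtlmExceptionList
    [pscustomobject]@{
        BlockNTLM      = $cfg.BlockNTLM
        Exceptions     = $exceptions
        ExceptionCount = $exceptions.Count
    }
}

# Usage (values are constructed examples):
# Add-SmbNtlmException -Server '192.168.10.10','corp.contoso.com','CORP' -WhatIf   # preview only
# Add-SmbNtlmException -Server '192.168.10.10'
# Get-SmbNtlmBlockingReport
```

Because Add-SmbNtlmException supports -WhatIf, you can preview the merged list before it is written; keep the exception list as short as possible, since every entry is a server the client will still send NTLM to.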
Block NTLM while mapping SMB drives
You can also block NTLM when mapping new SMB drives by running the following commands.
Run this command to specify NTLM blocking when mapping a drive with NET USE:
NET USE \\server\share /BLOCKNTLM
Run this command to specify NTLM blocking when mapping an SMB drive:
New-SmbMapping -RemotePath \\server\share -BlockNTLM $true