Skip to content

Disable NTLM v1#

Security · Entra Domain Services · Rule · 2024_06 · Critical

Disable NTLM v1 for Microsoft Entra Domain Services.

Description#

By default, Microsoft Entra Domain Services enables the use of ciphers and protocols such as NTLM v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if not required.

Recommendation#

Consider disabling NTLM v1 which is considered weak and can be disabled if not required.

Examples#

Configure with Azure template#

To deploy domains that pass this rule:

  • Set the properties.domainSecuritySettings.ntlmV1 property to Disabled.

For example:

Azure Template snippet
{
  "type": "Microsoft.AAD/domainServices",
  "apiVersion": "2022-12-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "ldapsSettings": {
      "ldaps": "Enabled"
    },
    "domainSecuritySettings": {
      "ntlmV1": "Disabled",
      "tlsV1": "Disabled",
      "kerberosRc4Encryption": "Disabled"
    }
  }
}

Configure with Bicep#

To deploy domains that pass this rule:

  • Set the properties.domainSecuritySettings.ntlmV1 property to Disabled.

For example:

Azure Bicep snippet
resource ds 'Microsoft.AAD/domainServices@2022-12-01' = {
  name: name
  location: location
  properties: {
    ldapsSettings: {
      ldaps: 'Enabled'
    }
    domainSecuritySettings: {
      ntlmV1: 'Disabled'
      tlsV1: 'Disabled'
      kerberosRc4Encryption: 'Disabled'
    }
  }
}

Comments