
Entra Domain Services allows insecure version of NTLM#

Security · Entra Domain Services · Rule · 2024_06 · Critical

Disable NTLM v1 for Microsoft Entra Domain Services.

Description#

By default, Microsoft Entra Domain Services enables the use of ciphers and protocols such as NTLM v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if not required.

Recommendation#

Consider disabling NTLM v1, which is a weak authentication protocol, unless a legacy application in the managed domain still requires it.

Examples#

Configure with Bicep#

To deploy domains that pass this rule:

  • Set the properties.domainSecuritySettings.ntlmV1 property to Disabled.

For example:

Azure Bicep snippet
resource ds 'Microsoft.AAD/domainServices@2022-12-01' = {
  name: name
  location: location
  properties: {
    sku: 'Enterprise'
    ldapsSettings: {
      ldaps: 'Enabled'
    }
    domainSecuritySettings: {
      ntlmV1: 'Disabled'
      tlsV1: 'Disabled'
      kerberosRc4Encryption: 'Disabled'
    }
    replicaSets: [
      {
        subnetId: primarySubnetId
        location: location
      }
      {
        subnetId: secondarySubnetId
        location: secondaryLocation
      }
    ]
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/aad/domain-service:<version>

To use the latest version:

br/public:avm/res/aad/domain-service:0.4.0

Configure with Azure template#

To deploy domains that pass this rule:

  • Set the properties.domainSecuritySettings.ntlmV1 property to Disabled.

For example:

Azure Template snippet
{
  "type": "Microsoft.AAD/domainServices",
  "apiVersion": "2022-12-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": "Enterprise",
    "ldapsSettings": {
      "ldaps": "Enabled"
    },
    "domainSecuritySettings": {
      "ntlmV1": "Disabled",
      "tlsV1": "Disabled",
      "kerberosRc4Encryption": "Disabled"
    },
    "replicaSets": [
      {
        "subnetId": "[parameters('primarySubnetId')]",
        "location": "[parameters('location')]"
      },
      {
        "subnetId": "[parameters('secondarySubnetId')]",
        "location": "[parameters('secondaryLocation')]"
      }
    ]
  }
}
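As an added illustration (not code from the PSRule for Azure project), the following Python check applies the same condition the rule expresses to the resources of an exported ARM template: a domain service passes only when `properties.domainSecuritySettings.ntlmV1` is `Disabled`, and a missing setting is reported as failing because the service enables NTLM v1 by default. The template embedded in it is constructed for the example.

```python
"""Flag Microsoft Entra Domain Services resources that still allow NTLM v1."""
import json

DS_TYPE = "Microsoft.AAD/domainServices"


def ntlmv1_findings(template: dict) -> list[dict]:
    """Return one finding per domainServices resource in an ARM template.

    A resource passes only when properties.domainSecuritySettings.ntlmV1 is
    'Disabled'. An absent value is treated as failing, because Entra Domain
    Services enables NTLM v1 unless it is explicitly disabled.
    """
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != DS_TYPE.lower():
            continue  # only domain service resources are in scope for this rule
        props = res.get("properties") or {}
        settings = props.get("domainSecuritySettings") or {}
        value = settings.get("ntlmV1")
        findings.append({
            "name": res.get("name"),
            "ntlmV1": value if value is not None else "<not set, defaults to Enabled>",
            "pass": value == "Disabled",
        })
    return findings


# Constructed sample template: one hardened domain, one that omits the
# setting entirely, and one that explicitly leaves NTLM v1 enabled.
SAMPLE_TEMPLATE = json.loads("""{
  "resources": [
    {"type": "Microsoft.AAD/domainServices", "name": "ds-hardened",
     "properties": {"domainSecuritySettings": {"ntlmV1": "Disabled",
                                               "tlsV1": "Disabled"}}},
    {"type": "Microsoft.AAD/domainServices", "name": "ds-unset",
     "properties": {"sku": "Enterprise"}},
    {"type": "Microsoft.AAD/domainServices", "name": "ds-legacy",
     "properties": {"domainSecuritySettings": {"ntlmV1": "Enabled"}}},
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet", "properties": {}}
  ]
}""")

if __name__ == "__main__":
    for finding in ntlmv1_findings(SAMPLE_TEMPLATE):
        status = "PASS" if finding["pass"] else "FAIL"
        print(f"{status}: {finding['name']} ntlmV1={finding['ntlmV1']}")
```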
