🔐 NTLM Hardening & Kerberos Transition
Objectives:
Perform a comprehensive discovery of all systems and applications using NTLM authentication.
Identify systems capable of supporting Kerberos and prioritize candidates for transition.
Create a phased implementation plan to eliminate NTLM reliance.
Harden Active Directory and enforce Kerberos as the preferred authentication protocol.
Reduce lateral movement risks and meet modern authentication security standards.
- Discovery & NTLM Usage Inventory
  - Enabled NTLM audit policies via Group Policy (all under Network security: Restrict NTLM):
    - Audit NTLM authentication in this domain (applied to domain controllers)
    - Outgoing NTLM traffic to remote servers, set to Audit all (applied to clients and member servers; the companion Audit incoming NTLM traffic policy on member servers covers what those servers receive)
  - Parsed domain controller event logs, plus 4624 on the member servers that receive the logons, for:
    - Event ID 4624 (logon; Authentication Package = NTLM, with the LM Package Name field separating NTLM V1 from NTLM V2; a DC's own 4624 events only cover logons to that DC)
    - Event ID 4776 (credential validation on the DC; Package Name MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 identifies NTLM)
    - Event ID 8004 in the Microsoft-Windows-NTLM/Operational log, written on DCs once domain-level NTLM auditing is on
    - NTLMv1 usage warnings and fallback authentication attempts
  - Used PowerShell scripts to correlate:
    - Source hosts and user accounts using NTLM
    - Applications, services, and legacy devices triggering NTLM authentication
  - Collected and categorized the data into exportable NTLM usage reports for review and remediation planning
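The correlation the discovery phase describes, as an added example written for this page rather than taken from the project: it flattens 4624 and 8004 events into one table of who used NTLM from where, then rolls that up into the usage report. The <Data Name="..."> field names are the ones Windows writes for these two events and should be treated as an assumption to check against one real event from your own DC; the three events at the bottom are constructed, not captured.

```powershell
function ConvertFrom-NtlmEvent {
    # Flatten one event's XML into a row; returns nothing for non-NTLM logons.
    param(
        [Parameter(Mandatory)][xml]$EventXml,
        [string]$Collector = $env:COMPUTERNAME   # host the event was read from
    )
    # local-name() keeps the XPath independent of the event XML namespace.
    $id   = [int]$EventXml.SelectSingleNode("//*[local-name()='EventID']").InnerText
    $time = [datetime]$EventXml.SelectSingleNode("//*[local-name()='TimeCreated']").GetAttribute('SystemTime')
    $data = @{}
    foreach ($d in $EventXml.SelectNodes("//*[local-name()='Data']")) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    switch ($id) {
        4624 {
            # Keep only logons the NTLM package handled; Kerberos logons are noise here.
            if ($data['AuthenticationPackageName'] -ne 'NTLM') { return }
            $user    = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            $source  = $data['WorkstationName']
            if (-not $source -or $source -eq '-') { $source = $data['IpAddress'] }
            $version = $data['LmPackageName']        # 'NTLM V1' or 'NTLM V2'
        }
        8004 {
            # DC-side record written when "Audit NTLM authentication in this domain" is on.
            $user    = '{0}\{1}' -f $data['DomainName'], $data['UserName']
            $source  = $data['WorkstationName']
            $version = 'NTLM (version not recorded in 8004)'
        }
        default { return }
    }

    [pscustomobject]@{
        Time        = $time
        EventId     = $id
        Collector   = $Collector
        User        = $user
        Source      = $source
        NtlmVersion = $version
        LogonType   = $data['LogonType']
    }
}

function Get-NtlmUsage {
    # Live collection: 4624 from every host in scope, 8004 from the DCs.
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $filters = @(
        @{ LogName = 'Security'; Id = 4624; StartTime = $Since },
        @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = $Since }
    )
    foreach ($c in $ComputerName) {
        foreach ($f in $filters) {
            Get-WinEvent -ComputerName $c -FilterHashtable $f -ErrorAction SilentlyContinue |
                ForEach-Object { ConvertFrom-NtlmEvent -EventXml ([xml]$_.ToXml()) -Collector $c }
        }
    }
}

function New-NtlmUsageReport {
    # One row per (source, user, NTLM version); NTLMv1 rows sort to the top.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Group-Object Source, User, NtlmVersion | ForEach-Object {
        $sorted   = $_.Group | Sort-Object Time
        $priority = if ($sorted[0].NtlmVersion -eq 'NTLM V1') { 'Critical' } else { 'Review' }
        [pscustomobject]@{
            Priority    = $priority
            Source      = $sorted[0].Source
            User        = $sorted[0].User
            NtlmVersion = $sorted[0].NtlmVersion
            Count       = $_.Count
            FirstSeen   = $sorted[0].Time
            LastSeen    = $sorted[-1].Time
        }
    } | Sort-Object @{ Expression = 'Priority' }, @{ Expression = 'Count'; Descending = $true }
}

# Constructed sample events (not captured from a real domain) so the pipeline runs offline:
# an NTLMv1 logon from a legacy NAS, a Kerberos logon that must be ignored, and the DC's 8004.
$sampleEvents = @(
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2024-05-01T08:00:00.000Z"/></System><EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="LmPackageName">NTLM V1</Data><Data Name="WorkstationName">LEGACY-NAS01</Data><Data Name="IpAddress">10.0.5.20</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2024-05-01T08:05:00.000Z"/></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">Kerberos</Data><Data Name="LmPackageName">-</Data><Data Name="WorkstationName">WS042</Data><Data Name="IpAddress">10.0.7.42</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>8004</EventID><TimeCreated SystemTime="2024-05-01T08:10:00.000Z"/></System><EventData><Data Name="SChannelName">FS01</Data><Data Name="UserName">svc_backup</Data><Data Name="DomainName">CORP</Data><Data Name="WorkstationName">LEGACY-NAS01</Data><Data Name="SChannelType">2</Data></EventData></Event>'
)
$events = foreach ($xmlText in $sampleEvents) { ConvertFrom-NtlmEvent -EventXml ([xml]$xmlText) -Collector 'DC01' }
New-NtlmUsageReport -Events $events | Format-Table -AutoSize

# Live run against the DCs and a file server, exported for the remediation review:
# New-NtlmUsageReport -Events (Get-NtlmUsage -ComputerName DC01, DC02, FS01 -Since (Get-Date).AddDays(-30)) |
#     Export-Csv -Path .\ntlm-usage.csv -NoTypeInformation
```

The 4624 rows carry the NTLM version (LM Package Name), which 8004 does not, so collect 4624 from the member servers that actually receive the logons and use the DC's 8004 stream for domain-wide coverage; the two overlap on the same source/user pairs, which is what the grouping keys on.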
- Classification & Kerberos Readiness Planning
  - Reviewed each system and application for Kerberos support
  - Tagged and exported systems into readiness tiers:
    - Fully Kerberos-capable
    - Requires configuration updates
    - NTLM-only with legacy dependencies
  - Identified:
    - Services missing SPN (Service Principal Name) registrations, including services reached through a DNS alias or an IP address that no SPN covers, which silently fall back to NTLM
    - Non-domain-joined assets requiring isolation or special handling
  - Validated readiness plans with application owners and infrastructure teams
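One way to turn the readiness review into a repeatable check, as an added example that is not the project's own code: each service endpoint is tested for the conditions that force NTLM fallback (not domain-joined, reached by IP, no SPN for the name clients use, no AES key advertised) and placed in one of the three tiers above. The tier rules and the HostMapped subset are this example's own assumptions; the msDS-SupportedEncryptionTypes bit values are Microsoft's documented flags; the inventory rows are constructed.

```powershell
$KerbEnc    = @{ DES_CRC = 0x01; DES_MD5 = 0x02; RC4 = 0x04; AES128 = 0x08; AES256 = 0x10 }
$HostMapped = @('cifs', 'http', 'rpc', 'spooler')   # subset of the default sPNMappings aliases of HOST (assumption)

function Test-KerberosReadiness {
    param(
        [Parameter(Mandatory)][string]$Service,       # SPN service class, e.g. cifs, http, MSSQLSvc
        [Parameter(Mandatory)][string]$Target,        # name (or IP) clients actually connect to
        [string[]]$RegisteredSpns = @(),              # servicePrincipalName values on the hosting account
        [int]$SupportedEncTypes = 0,                  # msDS-SupportedEncryptionTypes (0 = attribute unset)
        [bool]$DomainJoined = $true
    )
    $issues = New-Object System.Collections.Generic.List[string]

    if (-not $DomainJoined) {
        $issues.Add('not domain-joined: no account for the KDC to issue a service ticket for')
    }
    if ([System.Net.IPAddress]::TryParse($Target, [ref]$null)) {
        $issues.Add('clients connect by IP address, so they never request a Kerberos ticket')
    } else {
        # The SPN must match the name clients use; HOST/<name> stands in for the mapped classes.
        $wanted = @("$Service/$Target")
        if ($HostMapped -contains $Service) { $wanted += "HOST/$Target" }
        $matched = @($RegisteredSpns | Where-Object { $wanted -contains $_ })
        if ($matched.Count -eq 0) { $issues.Add("no SPN among $($wanted -join ', ') registered for the name clients use") }
    }
    $aesBits = $KerbEnc.AES128 -bor $KerbEnc.AES256
    if ($SupportedEncTypes -eq 0) {
        $issues.Add('msDS-SupportedEncryptionTypes unset; set it explicitly instead of relying on defaults')
    } elseif (($SupportedEncTypes -band $aesBits) -eq 0) {
        $issues.Add('account advertises no AES key; tickets for it will use RC4 or DES')
    }

    $tier = if (-not $DomainJoined) { 'NTLM-only with legacy dependencies' }
            elseif ($issues.Count -gt 0) { 'Requires configuration updates' }
            else { 'Fully Kerberos-capable' }

    [pscustomobject]@{ Service = $Service; Target = $Target; Tier = $tier; Issues = ($issues.ToArray() -join '; ') }
}

function Get-AccountKerberosFacts {
    # Live lookup through RSAT's ActiveDirectory module; supplies the two AD-derived parameters above.
    param([Parameter(Mandatory)][string]$SamAccountName)   # computer accounts end in '$'
    $o = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes'
    $enc = $o.'msDS-SupportedEncryptionTypes'
    @{ RegisteredSpns = @($o.servicePrincipalName); SupportedEncTypes = $(if ($null -eq $enc) { 0 } else { [int]$enc }) }
}

# Constructed inventory rows (not real hosts), one per tier.
$inventory = @(
    @{ Service = 'cifs'; Target = 'fs01.corp.example';     RegisteredSpns = @('HOST/FS01', 'HOST/fs01.corp.example');   SupportedEncTypes = 0x18 }
    @{ Service = 'http'; Target = 'intranet.corp.example'; RegisteredSpns = @('HOST/WEB03', 'HOST/web03.corp.example'); SupportedEncTypes = 0x04 }
    @{ Service = 'cifs'; Target = '10.0.5.20';             RegisteredSpns = @();                                         SupportedEncTypes = 0; DomainJoined = $false }
)
$(foreach ($row in $inventory) { Test-KerberosReadiness @row }) | Format-Table -AutoSize -Wrap

# Live: $facts = Get-AccountKerberosFacts 'svc_web'
#       Test-KerberosReadiness -Service http -Target intranet.corp.example @facts
```

The second row is the common case the tiering has to catch: the web server's own HOST SPNs are fine, but clients use the intranet alias, which has no SPN, and the account only advertises RC4, so it lands in "Requires configuration updates" with both fixes listed.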
- Test Deployment & Controlled Rollout
  - Created an isolated test environment reflecting production dependencies
  - Applied GPOs to enforce:
    - Kerberos-only authentication on test clients and servers (the Restrict NTLM policies switched from Audit to Deny)
    - AES-only Kerberos encryption (Network security: Configure encryption types allowed for Kerberos) with RC4 removed from the allowed set; accounts whose password was last set before the domain supported AES hold no AES key, so those passwords must be reset before RC4 is removed
  - Validated authentication behavior across:
    - Windows and Linux (RHEL) systems
    - Shared drives, application tiers, and service accounts
  - Logged and tracked Kerberos ticket usage and authentication failures (4768/4769 on DCs, where the Ticket Encryption Type field shows 0x17 for RC4 and 0x12 for AES256; 4771 for pre-authentication failures; klist on the client)
  - Deployed exception handling for systems still undergoing transition
- Full Deployment & Enforced Controls
  - Rolled out hardened GPOs in stages to production environments:
    - Network security: Restrict NTLM: NTLM authentication in this domain, set to Deny for domain accounts to domain servers (on domain controllers)
    - Network security: Restrict NTLM: Incoming NTLM traffic, set to Deny all accounts, and Outgoing NTLM traffic to remote servers, set to Deny all, so that local and non-domain accounts cannot fall back to NTLM either
  - Enforced Kerberos hardening policies:
    - AES256-CTS-HMAC-SHA1-96 (with AES128-CTS-HMAC-SHA1-96) as the only permitted Kerberos encryption types, with RC4-HMAC and DES removed
    - Enabled Kerberos armoring (FAST, Flexible Authentication Secure Tunneling) through the KDC and client "support for claims, compound authentication and Kerberos armoring" policies, which requires a Windows Server 2012 or later domain functional level
  - Replaced or reconfigured systems with NTLM-only dependencies
  - Validated SPN registrations (no missing or duplicate SPNs; a duplicate breaks Kerberos for both services and clients fall back to NTLM) and rotated service account credentials, which also (re)generates the accounts' AES keys
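A verification step for both rollout phases above, as an added example and not the project's own code: it reads the registry values the Restrict NTLM and Kerberos GPOs write and reports each against what the audit phase and the enforcement phase require, so a host can be checked before and after cutover. Registry paths, value names and the meanings of the numeric values are Microsoft's documented ones. Two things are this example's additions: the LmCompatibilityLevel check (NTLMv2-only, which the page does not mention) and the assumption that "Enabled FAST" corresponds to the client-side EnableCbacAndArmor value; the snapshot at the bottom is constructed.

```powershell
$Lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv  = "$Lsa\MSV1_0"
$Nlog = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Kerb = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$RC4  = 0x04
$AES  = 0x18    # AES128 (0x08) + AES256 (0x10)

# Each check: where the GPO writes, which role it applies to, and the rule per phase.
# A phase with no rule is skipped (the audit phase does not block anything yet).
$Checks = @(
    @{ Name = 'Outgoing NTLM traffic to remote servers'; Path = $Msv; Value = 'RestrictSendingNTLMTraffic'; Role = 'Member'
       Rule = @{ Audit = { param($v) $v -eq 1 }; Enforce = { param($v) $v -eq 2 } }
       Want = @{ Audit = '1 (Audit all)'; Enforce = '2 (Deny all)' } }
    @{ Name = 'Audit incoming NTLM traffic'; Path = $Msv; Value = 'AuditReceivingNTLMTraffic'; Role = 'Member'
       Rule = @{ Audit = { param($v) $v -eq 2 } }
       Want = @{ Audit = '2 (Enable auditing for all accounts)' } }
    @{ Name = 'Incoming NTLM traffic'; Path = $Msv; Value = 'RestrictReceivingNTLMTraffic'; Role = 'Member'
       Rule = @{ Enforce = { param($v) $v -eq 2 } }
       Want = @{ Enforce = '2 (Deny all accounts)' } }
    @{ Name = 'Audit NTLM authentication in this domain'; Path = $Nlog; Value = 'AuditNTLMInDomain'; Role = 'DC'
       Rule = @{ Audit = { param($v) $v -eq 7 } }
       Want = @{ Audit = '7 (Audit all)' } }
    @{ Name = 'NTLM authentication in this domain'; Path = $Nlog; Value = 'RestrictNTLMInDomain'; Role = 'DC'
       Rule = @{ Enforce = { param($v) @(1, 3, 5, 7) -contains $v } }
       Want = @{ Enforce = '1/3/5/7 (any Deny option)' } }
    @{ Name = 'LAN Manager authentication level'; Path = $Lsa; Value = 'LmCompatibilityLevel'; Role = 'Any'
       Rule = @{ Audit = { param($v) $v -eq 5 }; Enforce = { param($v) $v -eq 5 } }
       Want = @{ Audit = '5 (NTLMv2 only, refuse LM & NTLM)'; Enforce = '5 (NTLMv2 only, refuse LM & NTLM)' } }
    @{ Name = 'Kerberos encryption types allowed'; Path = $Kerb; Value = 'SupportedEncryptionTypes'; Role = 'Any'
       Rule = @{ Audit = { param($v) ($v -band $AES) -ne 0 }; Enforce = { param($v) ($v -band $AES) -ne 0 -and ($v -band $RC4) -eq 0 } }
       Want = @{ Audit = 'AES bit(s) set'; Enforce = 'AES set, RC4 (0x04) clear' } }
    @{ Name = 'Kerberos armoring (FAST) client support'; Path = $Kerb; Value = 'EnableCbacAndArmor'; Role = 'Any'
       Rule = @{ Enforce = { param($v) $v -eq 1 } }
       Want = @{ Enforce = '1 (Enabled)' } }
)

function Test-AuthHardening {
    param(
        [Parameter(Mandatory)][hashtable]$Values,                    # "<path>\<value>" -> data
        [ValidateSet('Audit', 'Enforce')][string]$Phase = 'Enforce',
        [ValidateSet('DC', 'Member')][string]$Role = 'Member'
    )
    foreach ($c in $Checks) {
        if ($c.Role -ne 'Any' -and $c.Role -ne $Role) { continue }
        $rule = $c.Rule[$Phase]
        if ($null -eq $rule) { continue }                            # nothing required in this phase
        $actual = $Values["$($c.Path)\$($c.Value)"]
        $ok     = ($null -ne $actual) -and (& $rule ([int]$actual))
        $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
        $status = if ($ok) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Check = $c.Name; Setting = $c.Value; Expected = $c.Want[$Phase]; Actual = $shown; Status = $status }
    }
}

function Get-AuthHardeningValues {
    # Read the effective values from the local registry (run elevated on the host under test).
    $v = @{}
    foreach ($c in $Checks) {
        $p = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        if ($null -ne $p) { $v["$($c.Path)\$($c.Value)"] = $p.($c.Value) }
    }
    $v
}

# Constructed snapshot (not read from a real host): a member server that finished
# the audit phase but whose Kerberos policy still allows RC4 and has no Deny yet.
$snapshot = @{
    "$Msv\RestrictSendingNTLMTraffic" = 1
    "$Msv\AuditReceivingNTLMTraffic"  = 2
    "$Lsa\LmCompatibilityLevel"       = 5
    "$Kerb\SupportedEncryptionTypes"  = 0x1C   # RC4 + AES128 + AES256
}
Test-AuthHardening -Values $snapshot -Phase Audit   -Role Member | Format-Table -AutoSize
Test-AuthHardening -Values $snapshot -Phase Enforce -Role Member | Format-Table -AutoSize

# Live: $role = if ((Get-CimInstance Win32_OperatingSystem).ProductType -eq 2) { 'DC' } else { 'Member' }
#       Test-AuthHardening -Values (Get-AuthHardeningValues) -Phase Enforce -Role $role
```

Running the same snapshot through both phases is the point: a host that passes every audit-phase rule still fails the enforcement rules it has not reached (outgoing and incoming Deny, RC4 still allowed, armoring unset), which is the list a staged rollout has to clear per host before its GPO moves to Deny.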
- Hypercare & Post-Cutover Monitoring
  - Continuously monitored domain controllers for authentication failures
  - Reviewed NTLM audit logs (8004 on DCs; 8001 for outgoing and 8002 for incoming NTLM on the clients and servers themselves) to identify new or missed fallback usage
  - Alerted on any unexpected authentication patterns, such as NTLM from a host that is not a documented exception
  - Maintained rollback playbooks and exception GPOs for high-impact services
  - Documented Kerberos transition paths, SPN configurations, and protocol enforcement for auditing and operational continuity
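The alerting logic for the hypercare phase, as an added example and not the project's own code: it compares a fresh NTLM usage report against the pre-cutover baseline and the approved exception list, and raises NTLMv1 anywhere, NTLM from a host with no exception, source/user pairs that never appeared in the baseline, and volume spikes on known pairs. The input rows use the Source, User, NtlmVersion and Count columns a usage report would carry; the severities, the spike factor and the sample rows are this example's own assumptions.

```powershell
function New-NtlmAlert {
    param($Severity, $Kind, $Row, $Detail)
    [pscustomobject]@{ Severity = $Severity; Kind = $Kind; Source = $Row.Source; User = $Row.User; Detail = $Detail }
}

function Get-NtlmAnomaly {
    param(
        [Parameter(Mandatory)][object[]]$Baseline,      # pre-cutover usage report rows
        [Parameter(Mandatory)][object[]]$Current,       # latest usage report rows
        [string[]]$ApprovedExceptions = @(),            # hosts covered by an exception GPO
        [double]$SpikeFactor = 3.0
    )
    $baselineCount = @{}
    foreach ($b in $Baseline) { $baselineCount["$($b.Source)|$($b.User)"] = $b.Count }

    foreach ($row in $Current) {
        $key = "$($row.Source)|$($row.User)"
        if ($row.NtlmVersion -eq 'NTLM V1') {
            New-NtlmAlert 'High' 'NTLMV1' $row 'NTLMv1 response observed; should be refused once LmCompatibilityLevel is 5'
        }
        if ($ApprovedExceptions -notcontains $row.Source) {
            New-NtlmAlert 'High' 'UNAPPROVED_SOURCE' $row 'NTLM from a host outside the exception list; verify the Deny policy applies there'
        }
        if (-not $baselineCount.ContainsKey($key)) {
            New-NtlmAlert 'Medium' 'NEW_PAIR' $row 'source/user pair absent from the baseline; missed dependency or possible lateral movement'
        } elseif ($row.Count -ge $SpikeFactor * $baselineCount[$key]) {
            New-NtlmAlert 'Low' 'VOLUME_SPIKE' $row "count rose from $($baselineCount[$key]) to $($row.Count)"
        }
    }
}

# Constructed report rows (not from a real domain): the discovery baseline and a
# post-cutover snapshot with one approved exception and one surprise workstation.
$baseline = @(
    [pscustomobject]@{ Source = 'LEGACY-NAS01'; User = 'CORP\svc_backup'; NtlmVersion = 'NTLM V2'; Count = 40 }
    [pscustomobject]@{ Source = 'PRN-SRV02';    User = 'CORP\svc_print';  NtlmVersion = 'NTLM V2'; Count = 12 }
)
$current = @(
    [pscustomobject]@{ Source = 'LEGACY-NAS01'; User = 'CORP\svc_backup'; NtlmVersion = 'NTLM V2'; Count = 150 }
    [pscustomobject]@{ Source = 'WS042';        User = 'CORP\jdoe';       NtlmVersion = 'NTLM V1'; Count = 3 }
)
Get-NtlmAnomaly -Baseline $baseline -Current $current -ApprovedExceptions 'LEGACY-NAS01' | Format-Table -AutoSize
```

Feed it the CSV exports the discovery phase produced (Import-Csv gives rows with the same column names; cast Count to [int] first) and run it on each new report; the NEW_PAIR and UNAPPROVED_SOURCE alerts are the ones that should go to the rollback playbook owner, since each means either a dependency the inventory missed or a host the Deny GPO has not reached.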
Result:
This effort eliminated NTLM reliance across the environment, apart from the documented exceptions still held under exception GPOs, and ensured:
- Stronger authentication posture using Kerberos ticketing
- Reduced risk of credential-based attacks (e.g., pass-the-hash and NTLM relay, both of which rely on NTLM authentication being accepted)
- Better visibility into authentication behaviors and failures
- Compliance with internal security standards and industry best practices
- Readiness for future initiatives including smart card auth, MFA, and Zero Trust integration