Monday, 9 December 2024

NTLM Vulnerabilities and workarounds

I work with Acronis Cyber Protect, and one of the things it does for a protected workstation is to calculate a CyberFit Score. One of my non-managed laptops kept getting a score of 750/850. Part of the deduction was for having no VPN, which didn't matter all that much to me, and the rest was for allowing outgoing NTLM traffic.

That had vaguely annoyed me. Then, in the last couple of weeks, a couple of NTLM vulnerabilities that expose your credentials have been announced.

The first (note 1 below, after the break) allows an attacker to expose an NTLM credential simply by getting the user to click on a malicious file in Windows Explorer. There is a patch from the discoverer. Microsoft won't patch 'til April.

The second (note 2) exposes an NTLM credential by coercing the user into attempting to access a file on another machine, via a link placed in a Windows Theme .ini file. There doesn't seem to be an MS fix yet.

So, although I'd meant to disable off-site NTLM traffic for ages because of the Acronis report, it turned out to be less simple than I expected. And I sometimes feel that MS documentation on how and what to do for some of these settings only becomes comprehensible some time after you've fixed the problem: it doesn't make sense until you've done ten other things it might have told you about. That is, of course, a characteristic of all documentation.

Acronis, when you don't have outgoing NTLM traffic disabled, points you to an MS help page at the link in note 3. I had already disabled outgoing NTLM traffic when I took the image below.

The MS help suggests you need to change a value at "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options". Of course, it doesn't tell you that you need to run gpedit.msc to get there, or to have secpol.msc installed, which you don't if you happen to be running Windows 10 Home edition. More on that later. And yes, it should have been obvious.
 
For Windows 10 Pro, or for Home where you have installed the right modules, use search to find Local Security Policy. Run it as Administrator.
 
 
As MS told us earlier, navigate to Security Options. Find the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" and change the Security Setting to "Deny all". You can also add exceptions if required, but Deny all will do fine for now.

 

Now, if you're running Home and don't have Local Security Policy, I found a site that provided me with a script to install it. See the URL in note 4. The instructions are all there. It provides a script download that will search your machine and install the correct modules.
 
I did download the PowerShell script. I opened the script in a snapshotted VM and checked the execution of each command. It didn't trigger any security warnings, and it did exactly what I expected it to do. I then ran it on my Windows Home machine, and it installed the modules required. I was then able to start the Local Security Policy application and make the changes.

On my Acronis-monitored machine I increased my CyberFit Score: I blocked outgoing NTLM traffic, and it all works. Now I'll have to look at enabling that automatically.
 
I also need to script allowing NTLM traffic for those times I need to use Windows Remote Desktop. That caught me out after disabling it.
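The policy set through Local Security Policy above is backed by the RestrictSendingNTLMTraffic value under the Lsa\MSV1_0 key (0 = Allow all, 1 = Audit all, 2 = Deny all), which is what a script for the Remote Desktop case can switch. The following is an added example, not the author's script or the one from note 4; it must run in an elevated PowerShell session, and the host name 'rdp-host.example.local' is a placeholder. Rather than dropping back to Allow all for a Remote Desktop session, it adds the one host to the companion "Add remote server exceptions for NTLM authentication" policy (ClientAllowedNTLMServers) and shows how to review what Audit all would have blocked (event 8001 in the NTLM operational log) before committing to Deny all.

```powershell
# Added example: manage "Network security: Restrict NTLM: Outgoing NTLM
# traffic to remote servers" from PowerShell. Run as Administrator.
$Key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Name  = 'RestrictSendingNTLMTraffic'
$Modes = @{ AllowAll = 0; AuditAll = 1; DenyAll = 2 }

function Get-OutgoingNtlmMode {
    # An absent value behaves like "Allow all" (the policy is Not Defined).
    $v = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { return 'AllowAll (value not set)' }
    ($Modes.GetEnumerator() | Where-Object Value -eq $v).Key
}

function Set-OutgoingNtlmMode {
    param([ValidateSet('AllowAll', 'AuditAll', 'DenyAll')][string]$Mode)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord `
        -Value $Modes[$Mode] -Force | Out-Null
    "Outgoing NTLM now: $(Get-OutgoingNtlmMode)"
}

function Add-NtlmServerException {
    # Keep Deny all in place and allow NTLM only to the named server
    # (policy "Add remote server exceptions for NTLM authentication").
    param([string]$Server)
    $current = @((Get-ItemProperty -Path $Key -Name 'ClientAllowedNTLMServers' `
        -ErrorAction SilentlyContinue).ClientAllowedNTLMServers | Where-Object { $_ })
    if ($current -notcontains $Server) { $current += $Server }
    New-ItemProperty -Path $Key -Name 'ClientAllowedNTLMServers' `
        -PropertyType MultiString -Value $current -Force | Out-Null
    $current
}

function Get-AuditedOutgoingNtlm {
    # With Audit all set, event 8001 records outgoing NTLM that Deny all
    # would block: the list of hosts you would need to add as exceptions.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-OutgoingNtlmMode
# Typical sequence: audit first, review, then deny with a named exception.
# Set-OutgoingNtlmMode -Mode AuditAll
# Get-AuditedOutgoingNtlm
# Set-OutgoingNtlmMode -Mode DenyAll
# Add-NtlmServerException -Server 'rdp-host.example.local'   # placeholder host
```

Local Security Policy reads the same registry value, so a change made here shows up there as well.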

 
Notes/URLs.
 
 I haven't shortened the URLs. That always makes me a bit uncomfortable when it's click time.

1. https://blog.0patch.com/2024/12/url-file-ntlm-hash-disclosure.html 
2. https://www.darkreading.com/vulnerabilities-threats/recurring-windows-flaw-could-expose-user-credentials
3. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers
4. https://www.majorgeeks.com/content/page/how_to_enable_local_security_policy_in_windows_10_home.html