Teams should make relay paths unusable rather than merely harder to exploit. That means enforcing LDAP signing and channel binding, limiting where NTLM is accepted, and removing services that can be coerced into authenticating on behalf of an attacker. The goal is to prevent a captured session from being trusted anywhere else.
Why This Matters for Security Teams
NTLM relay is dangerous because it turns a single captured authentication into trust that can be reused elsewhere. In Active Directory, that usually means a service accepts a relayed session even though the attacker never knew the victim’s password. The practical failure is not NTLM itself alone, but the combination of broad NTLM acceptance, unsafe server-side features, and gaps in hardening that let an attacker proxy authentication across hosts. NIST’s NIST Cybersecurity Framework 2.0 is useful here because it pushes teams toward reducing attack paths, not just detecting them after the fact.
That matters even more in environments where legacy applications, printers, file servers, or management tooling still depend on NTLM. The exposure is often invisible until a coerced authentication is replayed into LDAP, SMB, or HTTP endpoints that were never designed to verify the original context. NHIMG research on the Top 10 NHI Issues shows how often identity weaknesses persist when teams treat credentials as static artifacts instead of trust boundaries. In practice, many security teams discover relay exposure only after an attacker has already used it to move laterally or alter directory objects.
How It Works in Practice
The most effective way to reduce NTLM relay risk is to make relayed authentication fail verification at the destination. LDAP signing forces integrity protection, while channel binding ties the session to the TLS channel so an attacker cannot simply forward the exchange. On the server side, teams should limit NTLM acceptance wherever Kerberos or modern authentication is feasible, because every remaining NTLM endpoint becomes a potential relay target. The Cisco Active Directory credentials breach illustrates how credential exposure and identity trust failures can cascade when controls are not enforced consistently.
Operationally, the work is a mix of policy, configuration, and service reduction:
- Require LDAP signing and channel binding on directory services that support them.
- Disable NTLM where business applications have a Kerberos or certificate-based path.
- Remove or isolate services that can be coerced into authenticating, such as weakly configured web apps, print services, and some RPC-based workflows.
- Use PAM and RBAC to limit who can change directory settings, service bindings, and authentication policies.
- Monitor for relay-prone patterns, including machine account abuse, SMB coercion, and unexpected NTLM traffic between hosts.
For broader identity governance patterns, the Ultimate Guide to NHIs is useful because it frames why long-lived trust relationships become attack surface. Best practice is evolving, but current guidance consistently favors reducing standing trust and shortening credential lifetimes. These controls tend to break down in mixed Windows estates where older applications cannot do LDAP signing, certificate trust is inconsistent, or NTLM remains embedded in vendor software that cannot be quickly replaced.
Common Variations and Edge Cases
Tighter NTLM controls often increase operational overhead, requiring organisations to balance security gains against application compatibility and administrative effort. That tradeoff is real in enterprises with domain controllers, legacy line-of-business systems, and third-party integrations that still rely on NTLM for fallback authentication. There is no universal standard for this yet, but current guidance suggests moving endpoint by endpoint rather than accepting NTLM broadly and hoping monitoring will catch abuse later.
Some edge cases need special handling. If a system cannot support LDAP signing or channel binding, isolate it, constrain its account permissions, and treat it as an exception with a documented expiry date. If you still must allow NTLM for a specific application, scope it tightly by host, network segment, and service account, then place compensating controls around that path. Teams looking for a broader identity lens should compare this problem with the Why NHI Security Matters Now analysis and the OWASP NHI Top 10, both of which reinforce that durable identity controls matter more than one-off detections. In practice, NTLM relay usually survives where legacy dependencies are tolerated without a firm retirement plan.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers weak or long-lived credentials that enable relay and reuse. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access limits how far a relayed session can move. |
| NIST Zero Trust (SP 800-207) | Zero Trust requires verifying context, not trusting captured sessions. |
Enforce short-lived identity material and remove reusable auth paths that can be relayed.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on May 26, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
