Q: How can I find out if my clients are using NTLM for authentication instead of Kerberos against specific Windows servers, applications, or services?

These new Group Policy settings can help you audit, analyze, and restrict NTLM authentication use in your Windows environment.

Jan De Clercq

January 27, 2012

2 Min Read
ITPro Today logo

A:Windows 7 and Windows Server 2008 R2 include new Group Policy settings that let you audit, analyze, and restrict NTLM authentication use in yourWindows environment. Microsoft introduced three security policy settings you can use for auditing NTLM traffic. The settings are stored in thefollowing Group Policy Object (GPO) container: Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesSecurity Options.They're called:

  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers

  • Network security: Restrict NTLM: Audit NTLM authentication in this domain

  • Network security: Restrict NTLM: Audit Incoming NTLM Traffic

You should enable the Restrict NTLM: Audit NTLM authentication in this domain setting only on your Windows Server 2008 R2 domain controllers(DCs). To enable it, choose the Enable all option in the Microsoft Management Console (MMC) GPO Editor snap-in.

You can use the other two settings -- Restrict NTLM: Outgoing NTLM traffic to remote servers andRestrict NTLM: Audit Incoming NTLM Traffic -- for auditing NTLM authentication traffic on all Windows 7 and Windows Server 2008 R2 computers.To enable auditing for the first setting, choose the Audit all option, as Figure 1 shows; to enable auditing for the latter setting, choosethe Enable auditing for all accounts option.
Figure 1: Enabling the Restrict NTLM: Outgoing NTLM traffic to remote servers setting

NTLM audit events are written to the following event log path: Applications and Services LogsMicrosoftWindowsNTLMOperational. Note that this logisn't visible by default in the MMC Event Viewer snap-in. To view this log, you must enable the Show Analytic and Debug Logs option in theEvent Viewer's View menu.

Whenever the NTLM protocol is used for authentication, an event with ID 8004 shows up in a Windows Server 2008 R2 DC's log, an event with ID 8003 showsup in a Windows Server 2008 R2 member server's log, and an event with ID 8001 appears in a Windows 7 client's log, as Figure 2 illustrates
Figure 2: Event ID 8001, indicating NTLM protocol authentication, appearing in a Windows 7 client log (Click image for larger view)

About the Author(s)

Jan De Clercq

Jan De Clercq

See more from Jan De Clercq
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

You May Also Like

Editor's Choice

cybersecurity operator or hacker works with data in dark room
IT Security
Master AI Cybersecurity: Protect and Enhance Your NetworkMaster AI Cybersecurity: Protect and Enhance Your Network
byBrien Posey
May 21, 2024
5 Min Read
business person stamping a document
IT Operations
How to Get Executive Buy-In for IT ProjectsHow to Get Executive Buy-In for IT Projects
byChristopher Tozzi
May 28, 2024
6 Min Read
yellow block stuck in between blue cog wheels
PowerShell
Using ChatGPT as a PowerShell Debugging ToolUsing ChatGPT as a PowerShell Debugging Tool
byBrien Posey
Jun 4, 2024
4 Min Read