
Introducing the Restriction of NTLM Authentication

Updated: November 11, 2011

Applies To: Windows 7, Windows Server 2008 R2

This product evaluation topic for the IT professional describes the new security policies in Windows 7 and Windows Server 2008 R2 that help you analyze and restrict the use of NTLM authentication in your IT environment. Restricting NTLM is not a single switch: it requires gathering data, analyzing the NTLM traffic that the audit events reveal, and then restricting that traffic methodically so that stronger authentication protocols, such as Kerberos, are used instead.

With the advent of more secure authentication protocols, the need to control the NTLM protocol within IT environments has increased. Reducing NTLM usage requires two things: knowing which deployed applications depend on NTLM, and having a strategy and concrete steps for reconfiguring the infrastructure so that those applications use other protocols. New security policies and processes in Windows 7 and Windows Server 2008 R2 let you analyze authentication traffic and selectively block it at the client, server, and domain level.

For more information about using strong authentication protocols in a Windows environment, see Windows Authentication.

For more information about the NTLM protocol, see the MSDN library.

The first step in restricting the NTLM protocol is understanding which computers and applications in your organization use NTLM for authentication. You can find this out by enabling the auditing security policies on computers running Windows 7 and Windows Server 2008 R2. Reviewing the resulting event logs tells you which applications can be configured to use a stronger authentication protocol and which computers or domains can function without NTLM at all.

The following Security Option settings can be configured to help you determine NTLM usage in your environment:

  • Network Security: Restrict NTLM: Audit Incoming NTLM Traffic

  • Network Security: Restrict NTLM: Audit NTLM authentication in this domain

  • Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers (audit option)
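Once the three audit settings above are applied, the resulting events have to be turned into an inventory of who still authenticates with NTLM, to what, and from which process. The following PowerShell script is an added example written for this page; it is not part of the original article or of any Microsoft guide. It assumes that the audit events land in the NTLM Operational log, Microsoft-Windows-NTLM/Operational, with IDs 8001 (outgoing, audited), 8002 (incoming, audited), 8003 (domain, audited) and 8004 (blocked), and that each event message is a set of "Label: value" lines. The label patterns used to pull out the target server, client process and user are assumptions; check them against one real event's message before trusting the summary.

```powershell
# Added example (not from the original article): summarize what the three
# "Restrict NTLM" audit policies have written to the NTLM Operational log.
# Assumed: log name, event IDs 8001/8002/8003/8004 and the "Label: value"
# layout of the message body (Windows 7 / Server 2008 R2 behaviour as
# understood by the editor, not stated on this page).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)

$idMeaning = @{
    8001 = 'Outgoing NTLM to remote server (audited)'
    8002 = 'Incoming NTLM on this server (audited)'
    8003 = 'NTLM in this domain (audited on DC)'
    8004 = 'NTLM blocked by a Restrict policy'
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001, 8002, 8003, 8004
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No NTLM audit events on $ComputerName in the last $Days days. Is the audit policy applied and the Operational log enabled?"
    return
}

# Turn the "Label: value" lines of a message into a hashtable so the script
# does not depend on the order of the event's raw properties.
function ConvertFrom-NtlmMessage {
    param([string]$Message)
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*([^:]+?):\s*(.*)$') { $fields[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    return $fields
}

# Return the value of the first label that matches a regex (label wording is
# an assumption; adjust the patterns after looking at a real event).
function Find-Field {
    param([hashtable]$Fields, [string]$Pattern)
    foreach ($k in $Fields.Keys) { if ($k -match $Pattern) { return $Fields[$k] } }
    return ''
}

$rows = foreach ($e in $events) {
    $f = ConvertFrom-NtlmMessage $e.Message
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Meaning = $idMeaning[$e.Id]
        Target  = Find-Field $f '(?i)target server|workstation name'
        Process = Find-Field $f '(?i)process name|client process|calling process'
        User    = Find-Field $f '(?i)supplied user|user name'
        Domain  = Find-Field $f '(?i)supplied domain|domain name'
    }
}

# The inventory a migration plan needs: who still talks NTLM to what, how often.
$rows | Group-Object Id, Target, Process, User | Sort-Object Count -Descending |
    Select-Object Count,
        @{n='Id';      e={$_.Group[0].Id}},
        @{n='Meaning'; e={$_.Group[0].Meaning}},
        @{n='Target';  e={$_.Group[0].Target}},
        @{n='Process'; e={$_.Group[0].Process}},
        @{n='User';    e={$_.Group[0].User}} |
    Format-Table -AutoSize

# Keep the raw rows for cross-referencing with application owners.
$rows | Export-Csv -NoTypeInformation -Path ".\ntlm-audit-$ComputerName.csv"
```

Run it on each audited client, file server and domain controller, and keep the CSV files: a server that logs no 8002 events over a full business cycle (including month-end batch jobs) is a candidate for the deny settings, while any 8004 event after a restriction is applied is an application you missed during auditing.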

New Group Policy settings in Windows 7 and Windows Server 2008 R2 permit the restriction of NTLM usage on clients, servers, and domain controllers. The policies are configured on computers running Windows 7 and Windows Server 2008 R2, but because a server or domain controller with a deny setting refuses NTLM from any client, they also affect computers running earlier versions of Windows that still rely on NTLM to reach those servers.

The following Security Option settings can be configured to help you restrict NTLM usage in your environment.

Warning
These settings will cause applications and services that depend on NTLM to fail to authenticate. Before implementing any restrictions, first thoroughly audit NTLM usage and then test applications and services.

  • Network Security: Restrict NTLM: Incoming NTLM Traffic

  • Network Security: Restrict NTLM: NTLM authentication in this domain

  • Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers
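Before and after a Group Policy change it is worth confirming what a machine has actually received, because the warning above bites hardest when a deny setting lands on a server you thought was still in audit mode. The PowerShell below is an added example written for this page (editor's code, not from the original article or from Microsoft). It reads the registry values that back the five Restrict NTLM policies and decodes them. The registry paths, value names and numeric meanings are the editor's understanding of Windows 7 and Windows Server 2008 R2 and are not stated on this page; verify them against each policy's Explain tab in secpol.msc before relying on them, and change the settings through Group Policy rather than by writing the registry directly.

```powershell
# Added example, not from the original article. Decodes the registry values
# behind the "Network Security: Restrict NTLM" policies on the local machine.
# Paths, value names and meanings are assumptions to verify in secpol.msc.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$nl  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# The "Outgoing ... (audit option)" listed in the audit section is value 1 of
# the same outgoing policy that value 2 turns into a deny.
$policies = @(
    @{ Name = 'Audit Incoming NTLM Traffic'; Path = $lsa; Value = 'AuditReceivingNTLMTraffic';
       Map  = @{ 0 = 'Disable'; 1 = 'Enable auditing for domain accounts'; 2 = 'Enable auditing for all accounts' } }
    @{ Name = 'Incoming NTLM Traffic'; Path = $lsa; Value = 'RestrictReceivingNTLMTraffic';
       Map  = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' } }
    @{ Name = 'Outgoing NTLM traffic to remote servers'; Path = $lsa; Value = 'RestrictSendingNTLMTraffic';
       Map  = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' } }
    @{ Name = 'Audit NTLM authentication in this domain'; Path = $nl; Value = 'AuditNTLMInDomain';
       Map  = @{ 0 = 'Disable'; 1 = 'Enable for domain accounts to domain servers'; 3 = 'Enable for domain accounts';
                 5 = 'Enable for domain servers'; 7 = 'Enable all' } }
    @{ Name = 'NTLM authentication in this domain'; Path = $nl; Value = 'RestrictNTLMInDomain';
       Map  = @{ 0 = 'Disable'; 1 = 'Deny for domain accounts to domain servers'; 3 = 'Deny for domain accounts';
                 5 = 'Deny for domain servers'; 7 = 'Deny all' } }
)

function Get-NtlmRestrictionState {
    foreach ($p in $policies) {
        $raw = (Get-ItemProperty -Path $p.Path -Name $p.Value -ErrorAction SilentlyContinue).($p.Value)
        if ($raw -eq $null) {
            $setting = 'Not Defined (no restriction, no audit)'
        } elseif ($p.Map.ContainsKey([int]$raw)) {
            $setting = $p.Map[[int]$raw]
        } else {
            $setting = "Unknown value $raw"
        }
        # Flag the deny states so they stand out in the report.
        $deny = ($setting -like 'Deny*')
        New-Object PSObject -Property @{
            Policy  = "Network Security: Restrict NTLM: $($p.Name)"
            Setting = $setting
            Raw     = $raw
            Denies  = $deny
        }
    }
}

Get-NtlmRestrictionState | Format-Table Policy, Setting, Raw, Denies -AutoSize
```

A sensible rollout order is: enable the three audit settings everywhere, review the Operational log for at least one full business cycle, move outgoing traffic on clients to Audit all, and only then set Deny on servers and domain controllers whose logs showed no NTLM that you could not migrate. The domain-level policy sits on domain controllers and affects every account and server in the domain at once, so it is the last one to move to a deny value.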

Community Content
Audit Path
The audit path is: Event Viewer (Local)\Applications And Services Logs\Microsoft\Windows\NTLM\Operational

Ditto
I second the above comment. If you create links to content that doesn't exist you're just wasting our time.

Bad link
Restricting NTLM Usage Step-by-Step Guide takes us to a future resources page. Less than useful.