Assessing NTLM usage
Published: November 29, 2012
Updated: November 21, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
This topic describes the tasks you need to perform to assess NTLM usage in your environment as part of your effort to improve authentication security. Group Policies and security policies that were introduced in Windows Server 2008 R2 and Windows 7 allow you to assess NTLM traffic between client computers, remote servers, member servers, and domain controllers.
Discovering and auditing the current state of NTLM authentication traffic is necessary before you implement policies and practices to use improved authentication protocols, such as Kerberos. The NTLM authentication protocols (as used in the NTLM Security Support Provider) authenticate users and computers based on a challenge/response mechanism that proves to a server or domain controller that a user knows the password associated with an account. When the NTLM protocol is used, a resource server is used to verify the identity of a computer or user. Additionally, if the account is a domain account, the resource server must contact a domain authentication service on the domain controller for the computer's or user's account domain. If it is not a domain account, the authentication service must look up the computer or user account in the local account database whenever a new access token is needed.
The three points at which to intercept and audit NTLM usage are:
Outgoing traffic from a domain controller within a domain.
Any incoming traffic to a remote server on that remote server.
Incoming traffic to a remote server from a client computer.
Understanding where NTLM is used in your environment is an iterative process that requires thorough investigation and preparations of the target environment. These tasks are described in the following topics:
Evaluating your environment for NTLM reduction
This topic describes how to form your goals and what conditions you need to evaluate in your IT environment in order to reduce the usage of NTLM.
Preparations for assessing NTLM usage
This topic describes design and planning considerations you need to address when reducing NTLM usage in your environment, including computer naming conventions, audit collection mechanisms, performing root cause analysis, and preparing for continued monitoring.
You will need to investigate the authentication traffic and applications that use NTLM as their only or default protocol. The following topics describe how to do this.
Using event collection systems for assessing authentication usage
This topic describes general strategies for accessing NTLM traffic when your organization uses an event collection system.
Using the NTLM Application Verifier Plug-in
This topic describes the NTLM Application Verifier plug-in and how to use it to identify NTLM traffic throughout your Windows environment.
Viewing events for assessing NTLM usage
This topic describes what events are recorded in the NTLM/Operational log when the Restrict NTLM audit or restrict settings are enforced.
Using Group Policies to audit NTLM traffic
This procedural topic describes the available Group Policies and security policies that can be used to discover NTLM traffic in your system and domain and shows you how to assess NTLM activity.