NTLM authentication auditing and restricting
Updated: November 29, 2012
Applies To: Windows 7, Windows 8 Enterprise, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Vista, Windows XP
This collection topic for the IT professional provides guidance and resources to help you analyze and restrict NTLM authentication usage in your IT environment. This feature requires data gathering, analysis of NTLM traffic, and a methodical process with which to restrict the traffic so that stronger authentication protocols, such as the Kerberos protocol, will be used.
With the advent of more secure authentication protocols, the need to control the NTLM protocol within IT environments has increased. Reducing the usage of the NTLM protocol requires both knowledge of deployed application requirements on NTLM and strategies and steps necessary to configure infrastructures to use other protocols. New security policies and processes introduced in Windows 7 and Windows Server 2008 R2 allow you to analyze authentication traffic and selectively block it on the client, server, and domain level.
For more information about using strong authentication protocols in a Windows environment, see Windows Authentication.
For more information about the NTLM protocol, see Microsoft NTLM (Windows) in the MSDN library.
Auditing NTLM usage
The first step in restricting the NTLM protocol is understanding which computers and applications in your organization are using the NTLM protocol for authentication. You can find this information by enabling certain security policies for auditing on computers running at least Windows Server 2008 R2 and Windows 7. By reviewing the event logs, you can determine which applications can be configured to successfully use a stronger authentication protocol and also determine computers or domains that can function without the NTLM protocol.
The following Security Option settings can be configured to help you determine NTLM usage in your environment:
Network Security: Restrict NTLM: Audit Incoming NTLM Traffic
Network Security: Restrict NTLM: Audit NTLM authentication in this domain
Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers (audit option)
Restricting NTLM usage
New Group Policy settings introduced in Windows 7 and Windows Server 2008 R2 permit the restriction of NTLM protocol usage on clients, servers, and domain controllers. These policies can be configured on computers running at least Windows 7 and Windows Server 2008 R2, which can affect NTLM usage on computers running earlier versions of Windows.
The following Security Option settings can be configured to help you restrict NTLM usage in your environment.
Warning
These settings will cause applications and services that depend on NTLM to fail to authenticate. Before implementing any restrictions, first thoroughly audit NTLM usage and then test applications and services.
Network Security: Restrict NTLM: NTLM authentication in this domain
Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Resources for restricting NTLM authentication
| Resource | Description | Source |
|---|---|---|
Describes the considerations and steps required to reduce NTLM usage in your environment by using available tools and the restrict NTLM audit and blocking policies in Windows Server 2012, Windows Server 2008 R2, Windows 8, and Windows 7. |
TechNet Library |
|
Extended Protection for Authentication helps protect against man-in-the-middle (MITM) attacks, in which an attacker intercepts a client’s credentials and forwards them to a server. |
MSDN Library (.NET Framework 3.5) |
|
Microsoft Security Advisory (973811): Extended Protection for Authentication |
This feature enhances the protection and handling of credentials when authenticating network connections by using Integrated Windows Authentication (IWA). |
Security TechCenter (2009) |
Enhancements were made that affect how integrated Windows authentication is handled by the HttpWebRequest, HttpListener, SmtpClient, SslStream, NegotiateStream, and related classes in the System.Net and related namespaces. Support was added for extended protection to enhance security. |
MSDN Library (.NET Framework 3.5) |
|
SQL Server: Connect to the Database Engine Using Extended Protection |
SQL Server supports Extended Protection beginning with SQL Server 2008 R2. Extended Protection for Authentication is a feature of the network components implemented by the operating system. |
MSDN Library(SQL Server 2012) |
This article discusses the following aspects of NTLM user authentication in Windows: Password storage in the account database; User authentication by using the MSV1_0 authentication package; and Pass-through authentication. |
Microsoft Knowledge Base (2006) |
|
This security update modifies the Security Support Provider Interface (SSPI) to enhance the way Windows authentication works so that credentials are not easily forwarded when Integrated Windows Authentication (IWA) is enabled. When Extended Protection for Authentication is enabled, authentication requests are bound to both the service principal name (SPN) of the server the client tries to connect to and to the outer Transport Layer Security (TLS) channel over which the IWA authentication occurs. This is a base update that enables applications to opt in to the new feature. |
Microsoft Knowledge Base (2009) |
|