Configuring server exceptions to allow NTLM

Updated: November 21, 2012

Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

This topic explains why and how to configure two security policy settings, introduced in Windows Server 2008 R2 and Windows 7, that permit NTLM authentication to servers that you identify.

You might have instances in your organization where you want to restrict NTLM usage for all but a few servers. Two security policy settings list the exceptions where NTLM is allowed: one for client access to remote servers and one for access to servers in a domain. Both settings depend on the correct configuration of other settings, as explained below.

Warning

Setting the policy Network Security: Restrict NTLM: NTLM authentication in this domain or Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers without first performing an impact assessment might cause a service outage for applications and users that still use NTLM authentication. For additional information, see Assessing NTLM usage.

In this topic

  • Add remote server exceptions for NTLM authentication

  • Add server exceptions for NTLM authentication in this domain

  • Additional resources

Add remote server exceptions for NTLM authentication

This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers policy setting is configured.

To add remote server exceptions for NTLM authentication

  1. On the remote server, use the Group Policy Management Console (gpmc.msc) to configure Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Deny all outgoing NTLM traffic to remote servers. If you do not configure this policy setting, no exceptions will be applied.

  2. On the remote server, use the Group Policy Management Console (gpmc.msc) to open the security policy Restrict NTLM: Add remote server exceptions located under the Computer Configuration/Security Settings/Security Options node.

  3. List the server names and click OK.

    The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the calling application, listed one per line. A single asterisk (*) can be used at the beginning or end of the string as a wildcard character.

  4. Reevaluate NTLM usage by viewing the NTLM authentication events in the NTLM/Operational log by using Event Viewer. Add or remove server names from the exception list to adjust.

Add server exceptions for NTLM authentication in this domain

This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the Network Security: Restrict NTLM: NTLM authentication in this domain policy setting is configured.

To add server exceptions for NTLM authentication in this domain

  1. On the domain controller, use the Group Policy Management Console (gpmc.msc) to configure Network Security: Restrict NTLM: NTLM authentication in this domain to any option other than Allow domain logon related NTLM traffic and NTLM traffic to servers in this domain. If you do not configure this policy setting, no exceptions will be applied.

  2. On the domain controller, use the Group Policy Management Console (gpmc.msc) to open the security policy Restrict NTLM: Add server exceptions for NTLM authentication in this domain located under the Computer Configuration/Security Settings/Security Options node.

  3. List the server names and click OK.

    The naming format for servers on this exception list is the FQDN or NetBIOS server name used by the calling application, listed one per line. A single asterisk (*) can be used at the beginning or end of the string as a wildcard character.

  4. Reevaluate NTLM usage by viewing the NTLM authentication events in the Analytic log of Event Viewer. To adjust, add or remove server names from the exception list.
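
The naming format and the re-evaluation step in both procedures above can be checked before a list is entered into either policy. The following PowerShell is an added example, not part of the original topic or of any Microsoft tooling: the function names and every server name are hypothetical, and it assumes case-insensitive matching, at most one asterisk per entry, and that a lone * should be rejected as too broad.

```powershell
# Added example: validate a draft NTLM exception list and check which observed
# target names it would cover. All names below are constructed sample data.

function Test-NtlmExceptionEntry {
    param([string]$Entry)
    # Format from the topic: FQDN or NetBIOS name, one per line, with a single
    # '*' allowed only at the beginning or end of the string.
    $stars = $Entry.Split('*').Length - 1
    if ($stars -gt 1) { return $false }
    if ($stars -eq 1 -and -not ($Entry.StartsWith('*') -or $Entry.EndsWith('*'))) { return $false }
    # Assumption: a lone '*' (empty name part) is refused because it exempts every server.
    return $Entry.Trim('*') -match '^[A-Za-z0-9._-]+$'
}

function Test-NtlmExceptionMatch {
    param([string]$Entry, [string]$Target)
    # Assumption: names are compared case-insensitively.
    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    if ($Entry.StartsWith('*')) { return $Target.EndsWith($Entry.Substring(1), $cmp) }
    if ($Entry.EndsWith('*'))   { return $Target.StartsWith($Entry.Substring(0, $Entry.Length - 1), $cmp) }
    return $Target.Equals($Entry, $cmp)
}

# Constructed draft list, one entry per line as the policy dialog expects.
$draft = @'
fileserver01.corp.example
*.legacy.corp.example
PRINTSRV*
app*.corp*.example
*
'@ -split "`r?`n"

# Constructed target names, written the way the calling applications used them
# (the values you would collect from the NTLM authentication events in step 4).
$targets = 'fileserver01.corp.example', 'FILESERVER01', 'db7.legacy.corp.example',
           'printsrv-3f', 'intranet.corp.example'

$valid = @($draft | Where-Object { Test-NtlmExceptionEntry $_ })
$draft | Where-Object { -not (Test-NtlmExceptionEntry $_) } |
    ForEach-Object { "Rejected entry: $_" }

foreach ($t in $targets) {
    $hit = $valid | Where-Object { Test-NtlmExceptionMatch $_ $t } | Select-Object -First 1
    if ($hit) { "{0,-28} covered by '{1}'" -f $t, $hit }
    else      { "{0,-28} not covered by any exception" -f $t }
}
```

In the sample data, FILESERVER01 is not covered even though fileserver01.corp.example is listed, because the list is matched against the name the calling application actually used.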

Additional resources

See Also

Concepts

Restricting NTLM usage