Using Group Policies to audit NTLM traffic

Updated: November 21, 2012

Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

This procedural topic describes the available Group Policies and security policies that can be used to discover NTLM traffic in your system and domain and shows you how to assess NTLM activity.

For every policy to restrict NTLM, there are policies or options to first audit NTLM traffic. This permits you to log and analyze authentication activity between clients and member servers or within a domain before restricting the traffic and potentially causing service interruptions.

In this topic

  • Assessing NTLM traffic in the domain

  • Assessing incoming NTLM traffic to a remote server

  • Assessing outgoing NTLM traffic from a client computer to a server

Assessing NTLM traffic in the domain

The following conditions and procedures can help you determine the level of NTLM authentication traffic within a target domain so you can restrict the NTLM traffic and promote Kerberos authentication.

Conditions

You need to meet the following conditions to perform an assessment of NTLM traffic in the domain:

  • Access to the event logs on the member servers and domain controller.

  • Writable access to a share on a member server in the domain to be used to store collected events for investigation. Note the name of the share.

  • Knowledge of the IP addresses of the member servers in the domain used for investigation. You will use the addresses in the Net use command to force authentication when assessing traffic level.

  • Knowledge that the exception list of server names on the security policy Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain is correct, if configured.

  • Ability to edit or create Group Policy Objects that contain the Restrict NTLM security policies.

Configure the network security policy Restrict NTLM: Audit NTLM authentication in this domain

  1. On the domain controller, use the Group Policy Management Console (GPMC) to open the Group Policy Restrict NTLM: Audit NTLM authentication in this domain located under the Computer Configuration/Security Settings/Security Options node.

  2. Select one of the following options that supports your assessment:

    • Audit only the domain logon-related NTLM traffic and NTLM traffic to servers in this domain

    • Audit only the domain logon-related NTLM traffic in this domain

    • Audit only the NTLM traffic to servers in this domain

    • Audit all NTLM traffic in this domain

Force authentication within the domain

  • On the domain controller, from the command line, authenticate to the share on the member server by typing **Net use \\IP address\**share name. Depending upon the configuration of that share, you might be required to provide your password as well.

Evaluate the NTLM/Operational log for evidence of authentication failures

  1. In Event Viewer on the domain controller, open the Operational log.

  2. To determine if NTLM authentication should be allowed or should be restricted, investigate NTLM authentication failed events. Note the server names associated with the failed events. You will use these to either continue your investigation to find the root cause of the failure or to add these servers to the exemption list.

Create the exceptions list for the remote server

  1. Open the Group Policy Management Console (gpmc.msc) on either the member server or the domain controller.

  2. Navigate to Security Options, under Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies.

  3. Configure the security policy Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain by listing the names of servers in the domain that you will allow NTLM authentication. The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the calling application. List one per line. A single asterisk (*) can be used at the beginning or the end of the string as a wild card character.

Investigate and assess NTLM traffic in the domain

  1. Repeat the procedure Evaluate the NTLM/Operational log for evidence of authentication failures to continue your evaluation and assessment process.

  2. Repeat the procedure Configure the network security policy Restrict NTLM: Audit NTLM authentication in this domain to adjust the scope of the NTLM traffic audit in this domain to continue your evaluation and assessment process.

  3. When you are satisfied that the NTLM authentication traffic is appropriately restricted for this domain, configure the network security policy Restrict NTLM: NTLM authentication in this domain to one of the following options:

    • Allow domain logon-related NTLM traffic and NTLM traffic to servers in this domain

    • Deny domain logon-related NTLM traffic or NTLM traffic to servers in this domain

    • Deny domain logon-related NTLM traffic in this domain

    • Deny NTLM traffic to servers in this domain

    • Deny NTLM traffic in this domain

Assessing incoming NTLM traffic to a remote server

The following conditions and procedures can help you determine the level of incoming NTLM authentication traffic from a client computer to a remote server so you can eventually restrict the NTLM traffic and promote Kerberos authentication.

Conditions

You need to meet the following conditions in order to perform an assessment of NTLM traffic to a remote server:

  • Access to the event logs on the remote server.

  • Writable access to a share on the remote server for investigation.

  • Knowledge of the IP addresses of the remote server used for investigation. You will use the address in the Net use command to force authentication when assessing.

  • Established client computer connections to the remote server.

  • Ability to edit or create Group Policy Objects that contain the Restrict NTLM security policies.

Configure the network security policy Restrict NTLM: Audit incoming NTLM traffic

  1. On the remote server, use the Group Policy Management Console (gpmc.msc) to open the security policy Restrict NTLM: Audit Incoming NTLM traffic located under the Computer Configuration/Security Settings/Security Options node.

  2. Select either one of the following options that supports your assessment strategy:

    • Enable auditing for domain accounts

    • Enable auditing for all accounts

Force authentication to the remote server

  • On a client computer that is connected to the remote server, from the command line, authenticate to the share on the remote server by typing **Net use \\IP address\**share name. Depending upon your configuration of that share, you might be required to provide your password as well.

    For information about Net use command, including examples, see Net use.

Evaluate the NTLM/Operational log for evidence of authentication failures

  1. In Event Viewer on the remote server, open the Operational log.

  2. Investigate NTLM authentication failed events to determine if NTLM authentication should be allowed or should be restricted. Note client computer names. You will use these names to either continue your investigation to find the root cause of the failure or to add the name of this remote server to the exemption list.

Investigate and assess NTLM traffic between client computers and remote servers

  1. Repeat the procedure Evaluate the NTLM/Operational log for evidence of authentication failures to continue your evaluation and assessment process. Note if the traffic is domain logon-related.

  2. Repeat the procedure Configure the network security policy Restrict NTLM: Audit incoming NTLM traffic to continue your evaluation and assessment process.

  3. When you are satisfied that the incoming NTLM authentication traffic is appropriately restricted for this remote server, configure the network security policy Restrict NTLM: Incoming NTLM authentication to either one of the following options:

    • Deny all incoming NTLM traffic

    • Deny all incoming domain logon-related NTLM traffic

Assessing outgoing NTLM traffic from a client computer to a server

The following conditions and procedures can help you determine the level of outgoing NTLM authentication traffic from a client computer to a remote server so you can restrict the NTLM traffic and promote Kerberos authentication.

Conditions

You need to meet the following conditions to perform an assessment of NTLM traffic from a client computer to a server:

  • Access the event logs on the client computer and server or servers. If you are beginning your investigation, you might know the names of the servers until you examine the events in the client computer logs.

  • Writable access to a share on the server for the authentication attempt. Note the name of the share.

  • Knowledge of the IP addresses of the servers used for investigation. Note the addresses.

  • Established client computer connections to the remote server.

  • Knowledge that the list of server names on the security policy Network security: Restrict NTLM: Restrict NTLM: Add remote server exceptions for NTLM authentication is correct, if configured.

  • Ability to edit or create Group Policy Objects that contain the Restrict NTLM security policies.

Configure the network security policy Restrict NTLM: Outgoing NTLM traffic to remote servers

  1. Use the Group Policy Management Console (gpmc.msc) to open the network security policy Restrict NTLM: Outgoing NTLM traffic to remote computers located under the Computer Configuration/Security Settings/Security Options node.

  2. Select the option Audit all outgoing NTLM traffic to remote servers for this security policy.

  3. Distribute the updated Group Policy Object.

Create the exceptions list for remote servers

  1. Open the Local Group Policy Editor (gpedit.msc) on the client computer, or, if you can edit the GPO that contains this exceptions list, open the GPMC to update the GPO

  2. Navigate to the Security Options node under Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies.

  3. Configure the security policy Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication by listing the names of servers that you will allow NTLM authentication from this client computer. The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the calling application listed one per line. A single asterisk (*) can be used at the beginning or end of the string as a wild card character.

Force authentication to the remote server

  • On a client computer that is connected to the remote server, from the command line, authenticate to the share on the remote server by typing **Net use \\IP address\**share name. Depending on your configuration of that share, you might be required to provide your password as well.

Evaluate the NTLM/Operational log for evidence of authentication failures

  1. By using Event Viewer on the client computer, navigate to Applications and Services Logs/Microsoft/Windows/NTLM and open the Operational log.

  2. Investigate NTLM authentication failed events to determine if NTLM authentication should be allowed or should be restricted. Note the server name.

Investigate and assess NTLM traffic between client computers and remote servers

  1. Repeat the procedure Evaluate the NTLM/Operational log for evidence of authentication failures to continue your evaluation and assessment process.

  2. Repeat the procedure Configure the network security policy Restrict NTLM: Outgoing NTLM traffic to remote servers to continue your evaluation and assessment process.

  3. Repeat the procedure Create the exceptions list for remote servers to narrow or expand the exception list.

  4. When you are satisfied that the outgoing NTLM authentication traffic is appropriately restricted on this remote server, configure the network security policy Restrict NTLM: Outgoing NTLM traffic to remote servers to either one of the following options:

    • Deny all outgoing NTLM traffic to remote servers

    • Allow all outgoing NTLM traffic to remote servers

See Also

Concepts

Assessing NTLM usage