tamaroom.blogg.se

Secpol msc windows 7













New operating systems are by default not very friendly to NTLM authentication. They introduce a set of group policies which control who can use NTLM in an enterprise.

First of all I would recommend you enable auditing. The following picture shows the final configuration which I set up on my development machine:

This will give you enough information about hidden NTLM details.

Network security: Restrict NTLM: Audit NTLM authentication in this domain

This policy setting allows you to audit NTLM authentication in a domain from this domain controller. Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.

Network security: Restrict NTLM: Audit Incoming NTLM Traffic

This policy setting allows you to audit incoming NTLM traffic. If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.

After you have configured them you can use the NTLM event log for diagnostics.

In addition to the auditing policies there are a few other restricting policies:

Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication

This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. If you do not configure this policy setting, no exceptions will be applied. The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions, the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats. A single asterisk (*) can be used anywhere in the string as a wildcard character.
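
The exception-list rules described above (one name per line, FQDN or NetBIOS, * as a wildcard, each server listed in both naming formats) can be checked before the list is deployed. The PowerShell below is an added example, not part of the original post; the server names, the list contents and the function names Test-NtlmException and Get-NtlmExceptionCoverage are constructed for illustration, and case-insensitive matching with * standing for any run of characters is an assumption.

```powershell
# Constructed sample: each element is one line of the policy's exception list.
$exceptionList = @(
    'fileserver01'
    'app*.corp.example.com'
    'legacy-sql'
    'legacy-sql.corp.example.com'
)

# Constructed sample: servers that clients must still reach over NTLM.
$servers = @(
    [pscustomobject]@{ NetBIOS = 'FILESERVER01'; FQDN = 'fileserver01.corp.example.com' }
    [pscustomobject]@{ NetBIOS = 'APP07';        FQDN = 'app07.corp.example.com' }
    [pscustomobject]@{ NetBIOS = 'LEGACY-SQL';   FQDN = 'legacy-sql.corp.example.com' }
)

# Assumption: entries match case-insensitively, '*' stands for any run of
# characters, and every other character in an entry is literal.
function Test-NtlmException {
    param([string]$Name, [string[]]$Entries)
    foreach ($entry in $Entries) {
        $regex = '^' + [regex]::Escape($entry).Replace('\*', '.*') + '$'
        if ($Name -match $regex) { return $true }
    }
    return $false
}

# For each server, report which naming format the exception list covers.
function Get-NtlmExceptionCoverage {
    param([object[]]$Servers, [string[]]$Entries)
    foreach ($s in $Servers) {
        $nb   = Test-NtlmException -Name $s.NetBIOS -Entries $Entries
        $fqdn = Test-NtlmException -Name $s.FQDN    -Entries $Entries
        if ($nb -and $fqdn)    { $status = 'OK' }
        elseif ($nb -or $fqdn) { $status = 'Add the missing naming format' }
        else                   { $status = 'Not in list' }
        [pscustomobject]@{
            Server         = $s.NetBIOS
            NetBIOSCovered = $nb
            FQDNCovered    = $fqdn
            Status         = $status
        }
    }
}

Get-NtlmExceptionCoverage -Servers $servers -Entries $exceptionList |
    Format-Table -AutoSize
```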














