NTLM auditing GPO

NP 386 Reputation points
2021-08-02T23:22:01.207+00:00

Just seeking some guidance on NTLM auditing. We are running Server 2019 at the latest domain and forest functional levels.

I am just seeking some clarity around auditing NTLM traffic by GPO.

Which settings should be applied to the Domain Controllers only?

And which should only be applied to member servers and workstations?

I've come across a few articles which are confusing me.

This one says put the settings in the default domain policy:

https://knowledge.broadcom.com/external/article?legacyId=HOWTO79508

This article says the following:
https://learn.microsoft.com/en-us/archive/blogs/askds/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7

Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Audit All
Network security: Restrict NTLM: Audit NTLM authentication in this domain = Enable all
Network security: Restrict NTLM: Audit Incoming NTLM Traffic = Enable auditing for all accounts

Note: Configure "Audit NTLM authentication in this domain" on DCs only. Configure "Outgoing NTLM traffic to remote servers" and "Audit Incoming NTLM Traffic" on all computers.

And this one just mentions applying specific auditing to DCs only:
https://adsecurity.org/?p=3377

I guess I am just seeking some clarification.
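
Added example (not part of the original question, the answer, or the linked articles): a PowerShell script that reads the registry values the three "Network security: Restrict NTLM" policies quoted above write to, reports them in the policy editor's own wording, warns when the DC-only setting ("Audit NTLM authentication in this domain") is present on a member or absent on a domain controller, and then counts the NTLM audit events (IDs 8001 to 8004) in the Microsoft-Windows-NTLM/Operational log. The registry locations and value meanings are the ones Microsoft documents for these policies; the one-day lookback, the DomainRole test for "is this a DC", and the function names are choices made for this example. Run it elevated on one DC and on one member server or workstation after a gpupdate to confirm each setting landed only where you intended.

```powershell
# Added example: verify where the "Restrict NTLM" audit policies actually applied
# and whether they are producing events. Not code from the original post.

# Registry locations the three Group Policy settings write to (documented by Microsoft):
$lsaPath      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$netlogonPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Value-to-text maps taken from each policy's option list in the Group Policy editor.
$outgoingMap = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
$incomingMap = @{ 0 = 'Disable'; 1 = 'Enable auditing for domain accounts'; 2 = 'Enable auditing for all accounts' }
$domainMap   = @{ 0 = 'Disable'; 1 = 'Enable for domain accounts to domain servers';
                  3 = 'Enable for domain accounts'; 5 = 'Enable for domain servers'; 7 = 'Enable all' }

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the policy was never applied here (shows as "Not Defined" in the editor).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function ConvertTo-PolicyText {
    param($Value, [hashtable]$Map)
    if ($null -eq $Value)                 { return 'Not Defined' }
    if ($Map.ContainsKey([int]$Value))    { return "$Value ($($Map[[int]$Value]))" }
    return "$Value (unexpected value)"
}

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

$outgoing = Get-RegValue $lsaPath      'RestrictSendingNTLMTraffic'   # Outgoing NTLM traffic to remote servers
$incoming = Get-RegValue $lsaPath      'AuditReceivingNTLMTraffic'    # Audit Incoming NTLM Traffic
$inDomain = Get-RegValue $netlogonPath 'AuditNTLMInDomain'            # Audit NTLM authentication in this domain

[pscustomobject]@{
    Computer                                   = $env:COMPUTERNAME
    IsDomainController                         = $isDC
    'Outgoing NTLM traffic to remote servers'  = ConvertTo-PolicyText $outgoing $outgoingMap
    'Audit Incoming NTLM Traffic'              = ConvertTo-PolicyText $incoming $incomingMap
    'Audit NTLM authentication in this domain' = ConvertTo-PolicyText $inDomain $domainMap
} | Format-List

# Sanity checks for the split described in the AskDS article: the "in this domain" setting
# is evaluated by domain controllers only; the other two apply to every computer.
if (-not $isDC -and $null -ne $inDomain) {
    Write-Warning '"Audit NTLM authentication in this domain" is set on a non-DC; it has no effect here.'
}
if ($isDC -and $null -eq $inDomain) {
    Write-Warning 'This is a DC but "Audit NTLM authentication in this domain" is Not Defined.'
}
if ($null -eq $outgoing -or $null -eq $incoming) {
    Write-Warning 'Outgoing and/or Incoming NTLM audit settings are Not Defined on this host.'
}

# Audit results are written to Microsoft-Windows-NTLM/Operational:
#   8001 = outgoing NTLM audited on the client, 8002 = incoming NTLM audited on the server,
#   8003 = NTLM authentication audited by a DC,  8004 = NTLM authentication blocked by a DC.
$since  = (Get-Date).AddDays(-1)   # lookback window chosen for this example
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001, 8002, 8003, 8004
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No NTLM audit events since $since (nothing used NTLM here, or auditing is not yet applied)."
} else {
    $events | Group-Object Id | Sort-Object Name |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize
    # A few recent messages show which clients, servers and applications are still on NTLM.
    $events | Select-Object -First 5 TimeCreated, Id, Message | Format-List
}
```

On a correctly scoped deployment a member server should report "Not Defined" for the "in this domain" setting and only 8001/8002 events, while a DC should report all three settings and additionally log 8003 (or 8004 once you move from auditing to blocking).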


1 answer

Reza-Ameri 16,831 Reputation points
2021-08-03T16:42:26.667+00:00

The article from Microsoft is reliable since it is official.
However, you referenced the older article; the new one is this one:
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain
It depends on your architecture; you may do it in your main domain (especially for those who require authentication).
