Block NTLM and NTLMv2 totally, only enable Kerberos

Namless Shelter 231 Reputation points
2024-04-22T07:06:01.32+00:00

Dear PPL.

I would like to totally shut down NTLMv2 in our Domain. I would like only Kerberos for our account authentication.

Should I just change GPO of Default Domain Policy on AD:

Network security: Restrict NTLM: Incoming NTLM traffic: to Deny All accounts?

or

It's better to set the Network Security: Restrict NTLM: Audit Incoming NTLM traffic policy setting and then review the Operational log to understand what authentication attempts are made to the member servers, and then what client applications are using NTLM.

Which one should I use?

I don't need to set anything particular for enabling Kerberos, right?

Thanks,

Namless


1 answer

  1. Yanhong Liu 4,495 Reputation points Microsoft Vendor
    2024-04-22T09:11:42.55+00:00

    Hello,

    Thank you for posting in the Q&A forum.

    If you are sure that there are no applications or clients that rely on NTLMv2 in your environment, simply enable "Network Security: Restrict NTLM: Incoming NTLM Traffic: Deny All Accounts". This setting blocks all authentication requests using NTLMv2, forcing clients to authenticate using Kerberos. This is the most straightforward method for ensuring that all clients and servers in the domain are fully prepared to transition seamlessly to a pure Kerberos environment.

    If you are unsure whether there are applications or clients in your environment that rely on NTLMv2, you can first enable the "Network Security: Restrict NTLM: Audit incoming NTLM traffic" policy setting. This will not block NTLMv2 traffic but will log all attempts to authenticate using NTLMv2 in the Operations Log. By analyzing these logs, you can identify which client applications, servers, or services still rely on NTLMv2, so you can make targeted adjustments or updates.

    In modern Windows domain environments, Kerberos is typically enabled by default and is the preferred authentication protocol. As long as your domain functional level, client operating system, and applications support Kerberos, and your network architecture (such as DNS configuration, time synchronization, etc.) meets the basic requirements for Kerberos, you can generally use Kerberos without additional configuration.

    It is recommended to refer to the following link for a more detailed description:

    How to Disable NTLM Authentication in Windows Domain | Windows OS Hub (woshub.com)

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

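The audit-first path in the answer above produces events in the NTLM Operational log; the PowerShell script below is an added example (not part of the question or the answer, and not Microsoft's own tooling) that summarises those events per server, client workstation, user and process so each remaining NTLM dependency can be fixed before the policy is moved to "Deny all accounts". It assumes event IDs 8001-8004 in Microsoft-Windows-NTLM/Operational and "Label: value" lines in their messages; the Get-NtlmField helper and its labels are assumptions to adjust if your event text differs.

```powershell
# Added example (not from the question or the answer above): summarise the
# NTLM audit trail that "Restrict NTLM: Audit incoming NTLM traffic" produces,
# so each remaining NTLM client/application can be fixed before "Deny all".
# Assumptions: event IDs 8001-8004 in Microsoft-Windows-NTLM/Operational and
# "Label: value" lines in their messages; adjust Get-NtlmField if yours differ.
param(
    [int]$Days = 7,                               # look-back window
    [string]$Csv = '.\ntlm-audit-summary.csv'     # where the summary is written
)

# Show the effective values of the two policies this thread is about (registry behind the GPO settings).
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
'AuditReceivingNTLMTraffic    = {0} (0 off, 1 domain accounts, 2 all accounts)' -f $lsa.AuditReceivingNTLMTraffic
'RestrictReceivingNTLMTraffic = {0} (0 allow all, 1 deny domain accounts, 2 deny all)' -f $lsa.RestrictReceivingNTLMTraffic

function Get-NtlmField {
    # Extract one "Label: value" line from an event message; '' when the label is absent.
    param([string]$Message, [string]$Label)
    if ($Message -match "(?m)^\s*$Label\s*:\s*(.+?)\s*$") { $Matches[1] } else { '' }
}

$filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004
             StartTime = (Get-Date).AddDays(-$Days) }
# Get-WinEvent throws when nothing matches, so silence it and test for an empty result instead.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { "No NTLM audit events in the last $Days day(s): auditing is off or nothing uses NTLM here."; return }

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id
        Server      = $e.MachineName
        User        = Get-NtlmField $e.Message 'User name'
        Domain      = Get-NtlmField $e.Message 'Domain name'
        Workstation = Get-NtlmField $e.Message 'Workstation name'
        Process     = Get-NtlmField $e.Message 'Process'
    }
}

# One row per (server, client, user, process): this is the list to work through
# before switching the policy from Audit to Deny. Also exported to CSV.
$summary = $rows | Group-Object Server, Workstation, User, Process | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Server';      e = { $_.Group[0].Server } },
        @{ n = 'Workstation'; e = { $_.Group[0].Workstation } },
        @{ n = 'User';        e = { $_.Group[0].User } },
        @{ n = 'Process';     e = { $_.Group[0].Process } },
        @{ n = 'LastSeen';    e = { ($_.Group | Measure-Object Time -Maximum).Maximum } }
$summary | Format-Table -AutoSize
$summary | Export-Csv -NoTypeInformation -Path $Csv
```

Run it elevated on each member server and domain controller whose log you want to review; an empty result with AuditReceivingNTLMTraffic at 0 means the audit policy has not applied there yet, not that NTLM is unused.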