Auditing NTLMv1

Andreas 1,301 Reputation points
2023-02-15T19:33:54.7066667+00:00

Hi,

I have enabled NTLM auditing to discover any use of NTLMv1.

As I understand I can look for events under Applications and Services Log\Microsoft\Windows\NTLM

I do see the following events but am not sure if there is NTLMv1 traffic blocked here. From the image below it tells me that the user identity is my domain controller, and the domain identity is my domain name. This is event ID 8002, so I am not sure whether that is defined as "NTLMv1 traffic blocked"? I understand that this will be blocked if I disable NTLMv1, but from the message below, I am not sure what I am blocking.


Reference: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain?source=recommendations

When I see some other documentation, I am supposed to look for event ID 4624, which of course also contains Kerberos, so I see 1000000+ of these events in the security log. Not so easy to look for NTLMv1 within this.

Reference: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/audit-domain-controller-ntlmv1

So, any comments on how to "easily" look for NTLMv1 traffic?

Thanks for any reply

/R

Andy


Accepted answer
Limitless Technology 43,946 Reputation points
2023-02-16T12:05:58.8066667+00:00

    Hello

    Thank you for your question and for reaching out. I understand you have a query/issue related to NTLM traffic.

    These policy settings will report what is using NTLM without blocking anything:

    Computer Configuration->Policies->Windows Settings->Security Settings->Security Options->Network security: Restrict NTLM: Audit NTLM authentication in this domain. Policy Setting: Audit All

    Computer Configuration->Policies->Windows Settings->Security Settings->Security Options->Network security: Restrict NTLM: Audit Incoming NTLM Traffic. Policy Setting: Enable auditing for all accounts

    Computer Configuration->Policies->Windows Settings->Security Settings->Security Options->Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers. Policy Setting: Audit all

    After enabling these policies, Event ID 8001, 8002, 8003, and 8004 will be recorded in Event Viewer under Applications and Services Logs->Microsoft->Windows->NTLM->Operational.

    Reference :

    https://learn.microsoft.com/en-us/answers/questions/979382/microsoft-windows-server-has-detected-that-ntlm-au

    --If the reply is helpful, please Upvote and Accept as answer--


1 additional answer

Thameur-BOURBITA 32,586 Reputation points
2023-02-17T10:56:27.95+00:00

    Hi @Andreas

    When you enable NTLM audit, you can identify NTLMv1 in the PackageName of event 4624. You can use a PowerShell script to check the event viewer of all domain controllers:

    How to Disable NTLM Authentication in Windows Domain? | Windows OS Hub

    Some links talk about how you can detect NTLMv1 authentication and disable it:

    How to Disable NTLM Authentication in Windows Domain?

    HOWTO: Detect NTLMv1 Authentication

    Please don't forget to mark the helpful answer as accepted.
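The kind of script the answer above refers to, as an added example that is not part of the thread or of the linked articles: it asks the event log service on each domain controller for only those 4624 logon events whose LmPackageName is "NTLM V1" (the Kerberos and NTLMv2 logons are filtered out server-side by the XPath query, so the million-event Security log is not pulled over the wire), then summarises which accounts and source addresses still use NTLMv1 before it is disabled. It assumes the ActiveDirectory module, rights to read the Security log remotely, and that the auditing described earlier is already enabled; the parameter names are this example's own.

```powershell
# Added example (not from the thread): list NTLMv1 logons recorded as event 4624 on every DC.
param(
    [int]$Days = 7,
    # Hypothetical default: every DC in the current domain; pass names to narrow the scope.
    [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
)

# timediff() is in milliseconds; the EventData test is evaluated by the log service itself,
# so only 4624 events with LmPackageName = "NTLM V1" are returned.
$ms = [int64]$Days * 86400000
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] " +
         "and EventData[Data[@Name='LmPackageName']='NTLM V1']]"

$results = foreach ($dc in $ComputerName) {
    try {
        $events = Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; that means "no NTLMv1 seen on this DC".
        if ($_.Exception.Message -match 'No events were found') { continue }
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }
    foreach ($ev in $events) {
        # Pull the named EventData fields out of the event XML into a hashtable.
        $xml = [xml]$ev.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            DomainController = $dc
            TimeCreated      = $ev.TimeCreated
            Account          = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType        = $d.LogonType
            SourceIp         = $d.IpAddress
            Workstation      = $d.WorkstationName
            AuthPackage      = $d.AuthenticationPackageName
            LmPackage        = $d.LmPackageName
        }
    }
}

# Per-logon detail, then a count per source/account so the remaining NTLMv1 clients can be fixed.
$results | Sort-Object TimeCreated | Format-Table -AutoSize
$results | Group-Object SourceIp, Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

An empty result on every DC after a representative period (include month-end and any scheduled jobs) is the signal that "Restrict NTLM" can be moved from audit to block without breaking a client you did not know about.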