Need some help to target the Group Policy to enable the NTLM audit?

EnterpriseArchitect 4,871 Reputation points
2024-04-18T12:53:32+00:00

I must audit any computers still using NTLM v1 in my AD Domain. Do I need to enable these group policies for all Windows servers and workstations in my AD Domain or just the Domain Controllers?

  • Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

    Policy | Setting
    Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled
    Network security: Restrict NTLM: Audit Incoming NTLM Traffic | Enable auditing for all accounts
    Network security: Restrict NTLM: Audit NTLM authentication in this domain | Enable all

1 answer

  1. Yanhong Liu 3,340 Reputation points Microsoft Vendor
    2024-04-19T06:01:42.2733333+00:00

    Hello,

    Thank you for posting in Q&A forum.

    If you want to confirm that any computers domain-wide are still using NTLM v1, you can edit the default domain policy on the domain controller. The default domain policy is a predefined Group Policy Object (GPO) that applies to all computers and users throughout the domain. You no longer need to enable these group policies individually for all Windows servers and workstations in the AD domain.

    In Group Policy Editor, navigate to the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options path, and then configure the following policy:

    Network Security: LAN Manager Authentication Level: Set the authentication level to disable NTLMv1, such as "Send NTLMv2 response only, deny LM & NTLM". When a client or service trying to use NTLMv1 is rejected, the system logs relevant events (such as event ID 4625, login failed) and mentions in the event details that the reason for the authentication failure is related to NTLMv1. By analyzing these failed login events, you can identify which clients or services are still trying to use NTLMv1.

    Also navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policies

    Audit: Audit login events: set to "success" and "failure". When this setting is enabled, the system logs login events for successful or failed attempts, including login attempts using NTLMv1.

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

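An added example, not part of the question or the answer above, of the "analyze the failed logon events" step done from PowerShell instead of by hand: it reads 4624/4625 events from a computer's Security log and keeps only those where the LM package is NTLM V1, then groups them by source so the noisiest legacy clients surface first. It assumes "Audit logon events" (or the Logon subcategory) is already enabled on the queried computer and that the session has rights to read its Security log; the parameter names are the script's own.

```powershell
# Added example (not from the original post): list NTLMv1 logons recorded in the
# Security log of one computer (a domain controller is the most useful target,
# since it sees authentications for the whole domain).
# Assumes logon auditing is enabled and the caller can read the remote Security log.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # assumed parameter name
    [int]$Days = 7                               # how far back to search
)

# 4624 = successful logon, 4625 = failed logon; both carry the LM package field.
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the EventData fields out of the event XML into a name -> value table.
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        # Kerberos logons have LmPackageName "-"; NTLM logons report "NTLM V1" or "NTLM V2".
        if ($data['AuthenticationPackageName'] -eq 'NTLM' -and $data['LmPackageName'] -eq 'NTLM V1') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Workstation = $data['WorkstationName']
                SourceIp    = $data['IpAddress']
                LogonType   = $data['LogonType']
            }
        }
    } |
    Group-Object Workstation, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it against each domain controller (for example in a `foreach` over `Get-ADDomainController`) before changing the LAN Manager authentication level, so the list of machines that will break under "deny LM & NTLM" is known in advance.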