7,023 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 92%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYL%3C/text%3E%3C/svg%3E)
Hello,
Thank you for posting in Q&A forum.
Event ID 4624 with the "ANONYMOUS LOGON" username and LogonType 3 (Network) generally indicates that an anonymous user is accessing a resource over the network. This doesn't necessarily mean that NTLMv1 or LM authentication is being used.
The official link is described below: Audit use of NTLMv1 on a domain controller - Windows Server | Microsoft Learn
The logic of the NTLM Auditing is that it will log NTLMv2-level authentication when it finds NTLMv2 key material on the logon session. It logs NTLMv1 in all other cases, which include anonymous sessions. Therefore, our general recommendation is to ignore the event for security protocol usage information when the event is logged for ANONYMOUS LOGON.
There are also two known scenarios where authentication actually uses NTLMv2, but NTLMv1 is reported in the event log. For example, you test with a Windows 7 client connecting to a file share on Windows Server 2008 R2. The network trace showed the authentication was actually using NTLMv2 but reporting NTLMv1 in the event log. Please refer to the following links: Audit event shows authentication package as NTLMv1 instead of NTLMv2 - Windows Server | Microsoft Learn
I hope the information above is helpful.
Best Regards,
Yanhong Liu
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.