
How to enable and monitor auditing of legacy protocols on a Windows 2012 R2 Domain Controller

Andrew Ang 0 Reputation points
2026-03-05T03:45:41.7066667+00:00

I intend to move the DC from Windows 2012 R2 to 2022, so I would like to monitor all legacy protocols currently used by clients and applications. Please advise on which protocols should be monitored, how to configure audit logs, and which event IDs to verify.

  1. SMB1
  2. NTLM
  3. LDAP
  4. RC4, DES, etc.
  5. SSL and TLS 1.0, 1.1


1 answer

Harry Phan 17,125 Reputation points Independent Advisor
2026-03-05T04:00:29.56+00:00

    This is quite a tough question. Well...

    For a domain controller migration from 2012 R2 to 2022, the critical legacy protocols to monitor are SMB1, NTLM, LDAP with simple binds, weak Kerberos ciphers (RC4, DES), and deprecated SSL/TLS versions (1.0, 1.1).

    On Windows Server 2022, you should enable Advanced Audit Policy Configuration under Security Settings > Advanced Audit Policy Configuration > System Audit Policies. Specifically, configure the “Logon/Logoff” and “Authentication Policy Change” categories.

    NTLM usage is logged under Event ID 4624/4625 (logon attempts) and 4776 (NTLM authentication).

    LDAP simple binds over cleartext can be tracked via Event ID 2889.

    Kerberos cipher usage is visible in Event ID 4769 (service ticket requests), where the “Ticket Encryption Type” field indicates RC4, DES, or AES.

    SMB1 connections can be monitored by enabling auditing through HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters with AuditSmb1Access set to 1, which logs Event ID 3000 in the SMBServer log.

    Deprecated TLS/SSL usage requires Schannel logging, enabled via the registry key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging set to 1, producing events under the System log with source “Schannel”.

    In practice, you’ll want to centralize these logs into your SIEM before decommissioning the 2012 R2 DC, so you can baseline which clients and applications still rely on legacy protocols. This will give you visibility into what must be remediated before enforcing modern defaults on 2022.
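As an added example (not part of the answer above), a PowerShell script that turns on the audit sources the answer lists and then summarises the matching event IDs by client, so the remaining legacy users can be baselined before the 2012 R2 DC is retired. It assumes it runs elevated on a Server 2016+ DC, that the NTDS diagnostics value "16 LDAP Interface Events" = 2 is what makes event 2889 appear, and that Schannel EventLogging = 7 (rather than 1, which logs only errors) is needed to see successful handshakes.

```powershell
# Added example, not from the answer above. Run elevated on the DC.
# Assumed: built-in cmdlets (Server 2016+); the NTDS diagnostics value is
# the documented switch that makes 2889 appear; Schannel EventLogging=7
# adds informational handshake events (1 = errors only). Function names
# and the weak-etype list are this example's own choices.

function Enable-LegacyProtocolAudit {
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null                  # 4624/4625
    auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable | Out-Null  # 4776
    auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable | Out-Null     # 4769
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force                  # 3000 in SMBServer/Audit
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
        -Name '16 LDAP Interface Events' -Value 2 -Type DWord                # 2889 in Directory Service
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' `
        -Name 'EventLogging' -Value 7 -Type DWord                             # Schannel events in System
}

# Read one named EventData field from an event's XML (index-free, so it does
# not break if the field order differs between OS versions).
function Get-EventField($Event, [string]$Name) {
    (([xml]$Event.ToXml()).Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

function Get-LegacyProtocolReport([int]$Days = 7) {
    $since     = (Get-Date).AddDays(-$Days)
    $weakEtype = '0x1', '0x3', '0x17', '0x18'   # DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC, RC4-HMAC-EXP
    $sec = @{ LogName = 'Security'; StartTime = $since }
    $ea  = @{ ErrorAction = 'SilentlyContinue' }  # a log with no matching events is not an error

    $ntlm = Get-WinEvent -FilterHashtable ($sec + @{ Id = 4624 }) @ea |
        Where-Object { (Get-EventField $_ 'AuthenticationPackageName') -eq 'NTLM' } |
        ForEach-Object { '{0} {1}' -f (Get-EventField $_ 'IpAddress'), (Get-EventField $_ 'LmPackageName') }
    $krb = Get-WinEvent -FilterHashtable ($sec + @{ Id = 4769 }) @ea |
        Where-Object { $weakEtype -contains (Get-EventField $_ 'TicketEncryptionType') } |
        ForEach-Object { '{0} -> {1} ({2})' -f (Get-EventField $_ 'IpAddress'),
                         (Get-EventField $_ 'ServiceName'), (Get-EventField $_ 'TicketEncryptionType') }
    $ldap = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } @ea
    $smb1 = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000; StartTime = $since } @ea
    $tls  = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; StartTime = $since } @ea |
        Where-Object Message -match 'TLS 1\.0|TLS 1\.1|SSL 3\.0'   # matched on the event message text

    [pscustomobject]@{
        NtlmLogonsByClient  = $ntlm | Group-Object | Sort-Object Count -Descending | Select-Object Name, Count
        WeakKerberosTickets = $krb  | Group-Object | Sort-Object Count -Descending | Select-Object Name, Count
        LdapSimpleBinds2889 = $ldap | Select-Object TimeCreated, Message
        Smb1Access3000      = $smb1 | Select-Object TimeCreated, Message
        LegacyTlsSchannel   = $tls  | Select-Object TimeCreated, Id, Message
    }
}
```

Run `Enable-LegacyProtocolAudit` once, let the DC collect for a full business cycle, then `Get-LegacyProtocolReport -Days 7 | Format-List` lists each client still using NTLM, RC4/DES tickets, simple binds, SMB1 or TLS 1.0/1.1.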

