Share via

Auditing and restricting NTLM usage guide

Updated: November 9, 2012

Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

This guide for the IT professional introduces the steps required to reduce NTLM usage in your environment by using available tools and the restrict NTLM audit and blocking policies, which were introduced in the Windows Server 2008 R2 and Windows 7 operating systems.

With the advent of more secure authentication protocols, such as Kerberos, industry requests for the ability to better manage the NTLM protocol in their environments have increased. Reducing the usage of the NTLM protocol in an IT environment requires both the knowledge of deployed application requirements on NTLM and the strategies and steps necessary to configure computing environments to use other protocols. New tools and settings have been added to help you discover how NTLM is used in order to selectively restrict NTLM traffic.

This guide only addresses how to collect and analyze events by using functionality found in the Windows operating environment. It does not cover the use of event collection and analysis systems, for example Microsoft System Center.

This guide contains the following sections:

  • About NTLM usage in your environment

    This topic describes the NTLM authentication protocol, how it is used in Windows environments, and supported scenarios for restricting NTLM in a domain.

  • Assessing NTLM usage

    This topic describes how to implement specific Group Policies and security policies that allow you to access NTLM traffic between client computers, remote servers, member servers, and domain controllers, and it describes ways in which you can evaluate your environment to prepare for NTLM reduction.

  • Restricting NTLM usage

    This topic describes how to implement specific Group Policies and security policies that allow you to restrict NTLM traffic between client computers, member servers, and domain controllers.

  • Additional resources for NTLM

    This topic lists additional documentation about NTLM authentication traffic assessing and restriction information, including security policy settings and Microsoft Support articles.


TechNet offers the ability to selectively collect and print web pages of your choosing that are published in the TechNet Libraries. To select pages, click the “collection” icon on the page of any topic, select Print Multiple Topics, and follow the Help instructions.

Revisions to guidance

Date Item and description

November 29, 2012

Initial publication

See Also


Additional resources for NTLM