Auditing and restricting NTLM usage guide
Updated: November 9, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
This guide for the IT professional introduces the steps required to reduce NTLM usage in your environment by using available tools and the restrict NTLM audit and blocking policies, which were introduced in the Windows Server 2008 R2 and Windows 7 operating systems.
With the advent of more secure authentication protocols, such as Kerberos, industry requests for the ability to better manage the NTLM protocol in their environments have increased. Reducing the usage of the NTLM protocol in an IT environment requires both the knowledge of deployed application requirements on NTLM and the strategies and steps necessary to configure computing environments to use other protocols. New tools and settings have been added to help you discover how NTLM is used in order to selectively restrict NTLM traffic.
This guide only addresses how to collect and analyze events by using functionality found in the Windows operating environment. It does not cover the use of event collection and analysis systems, for example, Microsoft System Center.
This guide contains the following sections:
About NTLM usage in your environment
This topic describes the NTLM authentication protocol, how it is used in Windows environments, and supported scenarios for restricting NTLM in a domain.
This topic describes how to implement specific Group Policies and security policies that allow you to assess NTLM traffic between client computers, remote servers, member servers, and domain controllers, and it describes ways in which you can evaluate your environment to prepare for NTLM reduction.
This topic describes how to implement specific Group Policies and security policies that allow you to restrict NTLM traffic between client computers, member servers, and domain controllers.
This topic lists additional documentation about assessing and restricting NTLM authentication traffic, including security policy settings and Microsoft Support articles.
Revisions to guidance
Date: November 29, 2012
Item and description: