Information
This policy setting allows auditing of NTLM authentication within the domain from the Domain Controller.
The recommended state for this setting is: Enable all
Note: This setting is specific to each Domain Controller and will only log authentications made to that Domain Controller.
Auditing and monitoring NTLM traffic can assist in identifying systems using this outdated authentication protocol, so they can be remediated to using a more secure protocol, such as Kerberos. The log information gathered can also assist in forensic investigations after a malicious attack.
NTLM and NTLMv2 authentication is vulnerable to various attacks, including SMB relay, man-in-the-middle, and brute force attacks. Reducing and eliminating NTLM authentication in an environment reduces the risk of an attacker gaining access to systems on the network.
Solution
To establish the recommended configuration via GP, set the following UI path to Enable all :
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Restrict NTLM: Audit NTLM authentication in this domain
Impact:
The event log will contain information on NTLM authentication traffic made to that Domain Controller.