hastop.blogg.se

Nla disable remote domain

NTLMv2 is a more secure authentication protocol, but it is still far behind Kerberos in terms of security: although NTLMv2 has fewer vulnerabilities than NTLMv1, there is still a chance of capturing and reusing authentication data, and it does not support mutual authentication.

The main risk of disabling NTLM is the potential usage of legacy or incorrectly configured applications that can still use NTLM authentication. In this case, you will have to update or configure them in a special way to switch to Kerberos.

How to Enable NTLM Authentication Audit Logging?

Before you can completely disable NTLM in your domain and switch to Kerberos, make sure that there are no apps left in the domain that require and use NTLM authentication. To track accounts or apps that are using NTLM authentication, you can enable audit logging policies on all computers using GPO. In the Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options section, find and enable the Network Security: Restrict NTLM: Audit NTLM authentication in this domain policy and set its value to Enable all. In the same way, enable the policy Network Security: Restrict NTLM: Audit Incoming NTLM Traffic and set its value to Enable auditing for domain accounts. After enabling these policies, the events of NTLM authentication appear in the Application and Services Logs -> Microsoft -> Windows -> NTLM section of the Event Viewer.

You can analyze the events on each server or collect them on a central Windows Event Log Collector. You need to search for events from the source Microsoft-Windows-Security-Auditing with Event ID 4624 – “An account was successfully logged on”. Please note the information in the “Detailed Authentication Information” section. If there is NTLM in the Authentication Package value, then the NTLM protocol has been used to authenticate this user. Look at the value of Package Name (NTLM only). This line shows which protocol (LM, NTLMv1 or NTLMv2) has been used for authentication. Thus, you have to detect all servers/applications that are using the legacy protocol. For example, to search for all NTLMv1 authentication events on all domain controllers, you can use the following PowerShell script:
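The search the audit section describes, written here as an added example (not the article's own script): it pulls Event ID 4624 from the Security log of every domain controller and keeps only logons whose Authentication Package is NTLM and whose Package Name (NTLM only) is NTLM V1. It assumes the ActiveDirectory RSAT module is installed where it runs and that the account can read the remote Security logs; the 7-day window and the output property names are my own choices.

```powershell
# Added example: list NTLMv1 logons (Event ID 4624) on all domain controllers.
# Assumes the RSAT ActiveDirectory module and read access to each DC's Security log.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-7)                        # assumed search window
$dcs   = (Get-ADDomainController -Filter *).HostName  # every DC in the domain

foreach ($dc in $dcs) {
    # 4624 = "An account was successfully logged on"; filter on the DC side first.
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = $since
    } -ErrorAction SilentlyContinue   # "no events found" is a non-terminating error

    foreach ($e in $events) {
        # The fields shown under "Detailed Authentication Information" live in the
        # event's EventData XML; read them by name, not by position.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Authentication Package = NTLM and Package Name (NTLM only) = NTLM V1 is the
        # combination the audit text tells you to look for (legacy protocol in use).
        if ($data['AuthenticationPackageName'] -eq 'NTLM' -and
            $data['LmPackageName'] -eq 'NTLM V1') {
            [pscustomobject]@{
                DC          = $dc
                Time        = $e.TimeCreated
                User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Workstation = $data['WorkstationName']
                SourceIP    = $data['IpAddress']
                LogonType   = $data['LogonType']
            }
        }
    }
}
```

The objects can be piped to Group-Object User, Workstation or Export-Csv to build the inventory of servers and applications that still need fixing; changing the comparison to 'NTLM V2' gives the same inventory for the later step of disabling NTLMv2.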

If you have made sure that you are not using NTLMv1, you can go further and try to disable NTLMv2 as well. Don’t forget to apply this policy to your domain controllers.