NTLM is Microsoft’s old mythological authentication protocol. Although new and better authentication protocol has already been developed, NTLM is still very much in use. Basically, even the most recent Windows versions support NTLM and even Active Directory is required for default NTLM implementation. NTLM protocol has proven to have many flaws that result in potential vulnerabilities. Our main conclusion from this situation is that the best way to protect your organization from NTLM vulnerabilities is in fact, not to use it!
Although this may be the ideal situation, it is far from reality. One caution measure that can be taken is auditing and logging any NTLM traffic events.
This policy setting allows you to audit incoming NTLM traffic.
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Note: Audit events are recorded on this computer in the “Operational” Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
NTLM is a Microsoft-developed authentication protocol that uses a challenge-response mechanism for authentication, in which client computers can prove their identities without sending a password to the server. The protocol employs three types of messages to negotiate the request, challenge the authenticity of the sender, and perform the authentication. Kerberos is a more robust protocol and is the preferred method of authentication when available.
When you need to audit NTLM use configure Network Security: Restrict NTLM: Audit Incoming NTLM Traffic to “Enable auditing for domain accounts” or “Enable auditing for all accounts” as appropriate for your environment.
If you select “Disable”, or do not configure this policy setting, the server will not log events for incoming NTLM traffic.
If you select “Enable auditing for domain accounts”, the server will log events for NTLM pass-through authentication requests that would be blocked when the “Network Security: Restrict NTLM: Incoming NTLM traffic” policy setting is set to the “Deny all domain accounts” option.
If you select “Enable auditing for all accounts”, the server will log events for all NTLM authentication requests that would be blocked when the “Network Security: Restrict NTLM: Incoming NTLM traffic” policy setting is set to the “Deny all accounts” option.
CALCOM’S RECOMMENDED VALUE:
Enable auditing for all accounts
HOW TO CONFIGURE THE SECURITY EVENT LOG:
1. Login to the Domain Controller box.
2. Open a command-line prompt and type in:
3. Now you should see the Group Policy Management screen open up. See Screenshot. Expand the Forest>Domains until you get to the “Default Domain Policy”.
4. Highlight the “Default Domain Policy” and right-click on the mouse button. Then click on “Edit”.
5. Now you should have the Group Policy Management Editor screen open for the Default Domain Policy. Now drill down to the Security Options (See screenshot) and then on the right scroll to what is highlighted in red with red arrows.
6. Now change the Policy Setting for the three that are highlighted in red in the above screenshot to look like this.
Network security: Restrict NTLM: Audit Incoming Traffic = Enable auditing for all accounts
AUTOMATE YOUR SERVER HARDENING:
Server hardening can be a painful procedure. If you’re reading this article, you probably already know it. Endless hours, labor and money are invested in this process, which can often result in production breakdown despite the effort to prevent it. CSH by CalCom is automating the entire server hardening process. CHS’s unique ability to ‘learn’ your network abolishes the need to perform lab testing while ensuring zero outages to your production environment. CHS will allow you to implement your policy directly on your production hassle-free. want to know more?