NP-8916 asked

ntlm auditing gpo

Just seeking some guidance on NTLM auditing. We are running Server 2019 at the latest domain and forest functional levels.

I am just seeking some clarity around auditing NTLM traffic by GPO.

Which settings should be applied to the Domain Controllers only?

And which should only be applied to member servers and workstations?

I've come across a few articles which are confusing me.

This one says put the settings in the default domain policy:

https://knowledge.broadcom.com/external/article?legacyId=HOWTO79508


This article says the following:
https://docs.microsoft.com/en-us/archive/blogs/askds/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7

Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Audit All
Network security: Restrict NTLM: Audit NTLM authentication in this domain = Enable all
Network security: Restrict NTLM: Audit Incoming NTLM Traffic = Enable auditing for all accounts

 Note: Configure "Audit NTLM authentication in this domain" on DC's only. Configure "Outgoing NTLM traffic to remote servers" and "Audit Incoming NTLM Traffic" on all computers.


And this one just mentions applying specific auditing to DCs only:
https://adsecurity.org/?p=3377

I guess I am just seeking some clarification.


1 Answer

Reza-Ameri answered

The article from Microsoft is reliable since it is official.
However, you referenced the older article, and the new one is this one:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain
It depends on your architecture; you may do it in your main domain (especially those who require authentication).
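
Added example, not part of the thread: a PowerShell check that reports whether the three audit settings quoted in the question are in effect on the machine it runs on, using the scoping from the quoted note (the domain setting on DCs only, the other two on all computers). The registry value names and numeric values below do not appear in the thread; they are assumed to be the values these policies write and should be confirmed against the policy documentation.

```powershell
# Added example: verify the NTLM audit policies from the question on this host.
# Registry names/values are assumptions taken from the policy documentation,
# not from the thread.
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# DomainRole 4 = backup DC, 5 = primary DC; lower values are members/standalone.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -ge 4

$checks = @(
    [pscustomobject]@{ Policy = 'Outgoing NTLM traffic to remote servers'
                       Path = $lsa; Name = 'RestrictSendingNTLMTraffic'
                       Want = 1; Label = 'Audit all'; DcOnly = $false }
    [pscustomobject]@{ Policy = 'Audit Incoming NTLM Traffic'
                       Path = $lsa; Name = 'AuditReceivingNTLMTraffic'
                       Want = 2; Label = 'Enable auditing for all accounts'; DcOnly = $false }
    [pscustomobject]@{ Policy = 'Audit NTLM authentication in this domain'
                       Path = $netlogon; Name = 'AuditNTLMInDomain'
                       Want = 7; Label = 'Enable all'; DcOnly = $true }
)

$report = foreach ($c in $checks) {
    # A missing value means the policy has never been applied to this machine.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)

    $status = if ($c.DcOnly -and -not $isDC) {
        # Per the quoted note, this setting belongs on domain controllers only.
        if ($null -eq $actual) { 'OK (DC-only, not set here)' }
        else                   { 'Unexpected: DC-only setting on a non-DC' }
    }
    elseif ($null -eq $actual)    { 'Missing' }
    elseif ($actual -eq $c.Want)  { 'OK' }
    else                          { 'Mismatch' }

    [pscustomobject]@{
        Policy   = $c.Policy
        Expected = '{0} ({1})' -f $c.Want, $c.Label
        Actual   = $actual
        Status   = $status
    }
}

"Domain controller: $isDC"
$report | Format-Table -AutoSize
```

Run it once on a domain controller and once on a member server after `gpupdate /force` to confirm that each GPO is linked at the intended scope.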
