Just seeking some guidance on NTLM auditing. We are running Server 2019 at the latest domain and forest functional levels.
I am just seeking some clarity around auditing NTLM traffic by GPO.
Which settings should be applied to the Domain Controllers only?
And which should only be applied to member servers and workstations?
I've come across a few articles which are confusing me.
This one says put the settings in the default domain policy:
https://knowledge.broadcom.com/external/article?legacyId=HOWTO79508
This article says the following:
https://docs.microsoft.com/en-us/archive/blogs/askds/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Audit All
Network security: Restrict NTLM: Audit NTLM authentication in this domain = Enable all
Network security: Restrict NTLM: Audit Incoming NTLM Traffic = Enable auditing for all accounts
Note: Configure "Audit NTLM authentication in this domain" on DCs only. Configure "Outgoing NTLM traffic to remote servers" and "Audit Incoming NTLM Traffic" on all computers.
And this one just mentions applying specific auditing to DCs only:
https://adsecurity.org/?p=3377
I guess I am just seeking some clarification.
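As an added example (my own check script, not code from any of the linked articles), the PowerShell below reads the registry values that those three "Restrict NTLM" policies write and reports, based on whether the host is a DC or a member, whether each matches the split described in the askds note. It assumes the documented registry locations for these policies: `RestrictSendingNTLMTraffic` and `AuditReceivingNTLMTraffic` under `Lsa\MSV1_0`, and `AuditNTLMInDomain` under `Netlogon\Parameters`.

```powershell
# Added check script: compares this host's NTLM audit settings against the
# recommended split (AuditNTLMInDomain on DCs only, the other two everywhere).
$msv      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-RegDword($Path, $Name) {
    # Returns $null when the policy has never been applied (value absent)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

# Expected values map to the GPO choices quoted above:
#   RestrictSendingNTLMTraffic 1 = Audit all
#   AuditReceivingNTLMTraffic  2 = Enable auditing for all accounts
#   AuditNTLMInDomain          7 = Enable all
$checks = @(
    [pscustomobject]@{ Policy='Outgoing NTLM traffic to remote servers';  Path=$msv;      Name='RestrictSendingNTLMTraffic'; Expected=1; Label='Audit all';                        AppliesHere=$true }
    [pscustomobject]@{ Policy='Audit Incoming NTLM Traffic';              Path=$msv;      Name='AuditReceivingNTLMTraffic';  Expected=2; Label='Enable auditing for all accounts'; AppliesHere=$true }
    [pscustomobject]@{ Policy='Audit NTLM authentication in this domain'; Path=$netlogon; Name='AuditNTLMInDomain';          Expected=7; Label='Enable all';                       AppliesHere=$isDC }
)

foreach ($c in $checks) {
    $actual = Get-RegDword $c.Path $c.Name
    $status = if (-not $c.AppliesHere) {
        # Netlogon-side auditing is only meaningful on a DC; flag it if a member has it set
        if ($null -eq $actual) { 'OK (not a DC, not set)' } else { "NOTE: set to $actual on a non-DC; only meaningful on a DC" }
    } elseif ($actual -eq $c.Expected) { "OK ($($c.Label))" }
    elseif ($null -eq $actual)         { 'MISSING: policy not applied' }
    else                               { "MISMATCH: value $actual, expected $($c.Expected) ($($c.Label))" }

    [pscustomobject]@{
        Host   = $env:COMPUTERNAME
        Role   = $(if ($isDC) { 'DC' } else { 'Member' })
        Policy = $c.Policy
        Status = $status
    }
}
```

Run it on one DC and one member server after a `gpupdate` to confirm the GPO link scopes did what you intended; the audit events themselves land in the Microsoft-Windows-NTLM/Operational log on the host that recorded them.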