Evaluating your environment for NTLM reduction

Updated: November 21, 2012

Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

This topic describes what you need to consider when evaluating your IT environment for reducing usage of NTLM using tools available introduced in Windows Server 2008 R2 andWindows 7.

In this topic

  • Identifying your goals for reducing NTLM usage

  • Determining the condition of your IT environment

Identifying your goals for reducing NTLM usage

IT environments can be complicated in both scope and architecture. The authentication protocols used are typically mixed based upon the applications and operating systems deployed. It is important to understand your goals and objectives when evaluating your IT environment for reducing NTLM authentication usage. Preparing for the project and implementing the plan can then be focused towards these goals.

Using the tools provided with the supported Windows operating systems can help you achieve many of your goals in reducing NTLM usage as described in the following list.

  • Upgrade operating systems

    Reducing NTLM in your environment might be accomplished as part of a larger project to migrate the operating systems to more current versions. You will need to investigate if the applications used will use the more advanced authentication methods or if they must continue to use NTLM.

  • Conform to applicable governmental or association regulations

    Your organization might be required to conform to current regulations or practices that exclude the use of NTLM for certain applications or in certain environments. You will need to determine what industry or government regulations need to be addressed, such as Sarbanes-Oxley, FFIEC, HIPAA, or others, and then identify in what areas you must eliminate NTLM usage.

  • Eliminate NTLM authentication

    You might determine that eliminating NTLM will meet all your other goals, and then you will have to prepare your environment for other authentication protocols in the long term, such as TLS/SSL or IPsec, while using the Kerberos version 5 protocol in the short term.

  • Identify and understand current NTLM usage

    You might determine that eliminating NTLM usage is either too costly or time consuming in the near term, but you still need to know how and where NTLM is being used. You can use this information for increased security monitoring and future planning.

  • Modify applications to use more advanced authentication protocols

    To mitigate modern security threats or conform to regulations, your primary goal might be to force existing applications to use the Kerberos v5 protocol instead of NTLM. Investigation into your organization’s application usage, lifecycle status and retirement schedules, and replacement plans will facilitate your plans in reducing NTLM usage.

Determining the condition of your IT environment

Assessing NTLM usage requires an understanding of the network and the Active Directory architecture, application usage, and infrastructure management elements, such as audit collection systems. Preparations for auditing NTLM usage will be more effective if you first address the following topics.

DNS and Naming Standards

The Domain Name System (DNS) structure in your organization impacts your preparations for accessing NTLM usage. You will need to understand how the fully qualified domain name (FQDN), which is returned in the audit, relates to server names and the hierarchical position of each server. This will also impact how you can structure the forest search order effectively. For detailed information about how DNS works, see DNS Architecture. To understand how DNS and Active Directory impact preparations for auditing NTLM usage, see “Designing computer naming conventions and the forest search orders” topic in Preparations for assessing NTLM usage.

  1. Is your DNS integrated with Active Directory and are both handled by the same operational part of your organization?

  2. How many DNS zones are there?

  3. Do client computers require DNS suffixes or are FQDNs used?

  4. What are the server naming conventions? Are the names based on location or role and is the naming convention rigorously followed?

Active Directory and Group Policy implementation

Active Directory forest and domain structure plays a significant role in your ability to understand your environment’s topology and naming conventions. It might also impact how you structure the collection of NTLM audit log events for evaluation and ongoing maintenance. The built-in policies used to evaluate and reduce NTLM usage are designed to be distributed through Group Policy, so you can leverage your existing Group Policy mechanism. In addition, your organization might already have in place policies that affect authentication protocol usage. To implement a successful NTLM usage reduction plan, investigate and document the following:

  1. What are the forest and domain functional levels?

  2. What are the schema levels for the domain controllers?

  3. For each domain, what is the Windows operating system version of the domain controllers?

  4. What is the Group Policy design? Will it be logical and efficient to use specific GPOs to distribute the auditing and to restrict security policy settings?

Network structure

Understanding your network infrastructure can help you understand how authentication traffic flows between client computers, member servers, and domain controllers. You should document all devices that restrict or alter the authentication traffic within your environment.

  1. What firewalls and other network filtering devices are in place for the domain controllers, member servers, and client computers in your environment?

  2. What hardware devices in your environment specify the use of NTLM? Can these devices be reconfigured to use Kerberos?

  3. What are your organization’s requirements for supporting client computers connecting from outside the corporate network? Identify the use of these client computers, such as home computers or corporate laptops, and identify how these devices connect, such as VPN, SSL VPN, or web publishing.

  4. What additional layers of protection are in place to secure sensitive data centers?

Operations infrastructure and event collection

Your organization might have operational standards that could impact how you plan for reducing NTLM in your environment. You should investigate each component of your operation infrastructure to make sure none of them will be adversely impacted by restricting NTLM. In addition, it is beneficial to investigate and analyze your organization’s tools and processes for security events collection. Your ability to make accurate assessments and develop those into effective plans is dependent upon your ability to collect and analyze NTLM usage data.

  1. What are the backup and restore standards and infrastructure?

  2. What are the system monitoring standards?

  3. What is the update management process?

  4. What are the security events collection standards and locations?

  5. Are tools in place to collect or forward authentication events to perform accurate analysis?

  6. What will the effort be to develop custom audit reports for NTLM and Kerberos authentication attempts?

Client computers

Understanding your network infrastructure can help you understand how authentication traffic flows between client computers, member servers, and domain controllers. Client computers will generate many of the NTLM authentication requests, and users of those same computers will generate most of the support calls if your project to reduce NTLM is improperly planned. After the network infrastructure is documented, accurately assessing authentication usage from your client computers will help your project succeed.

  1. Of the client operating systems in use, what are supported by your organization?

  2. Which client computers are joined to Active Directory?

  3. Do all users authenticate to Active Directory?

  4. Are there client computers and servers in workgroups in your organization?

  5. How are software packages and updates distributed to the client computers?


Your evaluation of your environment will include which applications can successfully use the Kerberos protocol and which cannot. For those that currently use NTLM, you must decide whether to modify or upgrade them to use more advanced authentication protocols or allow for their continued use unmodified.

  1. What server and client applications are supported?

  2. Which operating systems do they run on?

  3. Which of these applications currently use Kerberos authentication?

Test environments

Reducing the use of NTLM without proper testing can have a serious impact on productivity within your organization. Security policies were introduced in Windows Server 2008 R2 and Windows 7 that just audit the NTLM traffic as if the traffic was actually restricted. However, creating and using a testing environment to replicate your production environment will help mitigate errors in design and omissions in your investigation.

  1. Does the organization have any test systems in place?

  2. Do your test environments replicate your production environments?

  3. Are the same naming conventions followed?

  4. Are all applications available in the test environment?

  5. Are applications load balanced or clustered as in the production environment?

  6. Are the same event collection systems in production available in the test environment?

See Also


About NTLM usage in your environment