Assessing NTLM usage

Updated: November 21, 2012

Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

This topic describes the tasks you need to perform to assess NTLM usage in your environment as part of your effort to improve authentication security. Group Policies and security policies that were introduced in Windows Server 2008 R2 and Windows 7 allow you to assess NTLM traffic between client computers, remote servers, member servers, and domain controllers.

Discovering and auditing the current state of NTLM authentication traffic is necessary before you implement policies and practices to use improved authentication protocols, such as Kerberos. The NTLM authentication protocols (as used in the NTLM Security Support Provider) authenticate users and computers based on a challenge/response mechanism that proves to a server or domain controller that a user knows the password associated with an account. When the NTLM protocol is used, a resource server is used to verify the identity of a computer or user. Additionally, if the account is a domain account, the resource server must contact a domain authentication service on the domain controller for the computer's or user's account domain. If it is not a domain account, the authentication service must look up the computer or user account in the local account database whenever a new access token is needed.

The three points at which to intercept and audit NTLM usage are:

  • Outgoing traffic from a domain controller within a domain.

  • Any incoming traffic to a remote server on that remote server.

  • Incoming traffic to a remote server from a client computer.

NTLM usage assessment evaluation and project design tasks

Understanding where NTLM is used in your environment is an iterative process that requires thorough investigation and preparations of the target environment. These tasks are described in the following topics:

  • Evaluating your environment for NTLM reduction

    This topic describes how to form your goals and what conditions you need to evaluate in your IT environment in order to reduce the usage of NTLM.

  • Preparations for assessing NTLM usage

    This topic describes design and planning considerations you need to address when reducing NTLM usage in your environment, including computer naming conventions, audit collection mechanisms, performing root cause analysis, and preparing for continued monitoring.

Topics in this section

You will need to investigate the authentication traffic and applications that use NTLM as their only or default protocol. The following topics describe how to do this.

See Also


Auditing and restricting NTLM usage guide