NTLM authentication auditing and restricting

Updated: November 29, 2012

Applies To: Windows 7, Windows 8 Enterprise, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Vista, Windows XP

This collection topic for the IT professional provides guidance and resources to help you analyze and restrict NTLM authentication usage in your IT environment. This feature requires data gathering, analysis of NTLM traffic, and a methodical process with which to restrict the traffic so that stronger authentication protocols, such as the Kerberos protocol, will be used.

With the advent of more secure authentication protocols, the need to control the NTLM protocol within IT environments has increased. Reducing the usage of the NTLM protocol requires both knowledge of deployed application requirements on NTLM and strategies and steps necessary to configure infrastructures to use other protocols. New security policies and processes introduced in Windows 7 and Windows Server 2008 R2 allow you to analyze authentication traffic and selectively block it on the client, server, and domain level.

For more information about using strong authentication protocols in a Windows environment, see Windows Authentication.

For more information about the NTLM protocol, see Microsoft NTLM (Windows) in the MSDN library.

Auditing NTLM usage

The first step in restricting the NTLM protocol is understanding which computers and applications in your organization are using the NTLM protocol for authentication. You can find this information by enabling certain security policies for auditing on computers running at least Windows Server 2008 R2 and Windows 7. By reviewing the event logs, you can determine which applications can be configured to successfully use a stronger authentication protocol and also determine computers or domains that can function without the NTLM protocol.

The following Security Option settings can be configured to help you determine NTLM usage in your environment:

Restricting NTLM usage

New Group Policy settings introduced in Windows 7 and Windows Server 2008 R2 permit the restriction of NTLM protocol usage on clients, servers, and domain controllers. These policies can be configured on computers running at least Windows 7 and Windows Server 2008 R2, which can affect NTLM usage on computers running earlier versions of Windows.

The following Security Option settings can be configured to help you restrict NTLM usage in your environment.


These settings will cause applications and services that depend on NTLM to fail to authenticate. Before implementing any restrictions, first thoroughly audit NTLM usage and then test applications and services.

Resources for restricting NTLM authentication

Resource Description Source

Auditing and restricting NTLM usage guide

Describes the considerations and steps required to reduce NTLM usage in your environment by using available tools and the restrict NTLM audit and blocking policies in Windows Server 2012, Windows Server 2008 R2, Windows 8, and Windows 7.

TechNet Library

Extended Protection for Authentication Overview

Extended Protection for Authentication helps protect against man-in-the-middle (MITM) attacks, in which an attacker intercepts a client’s credentials and forwards them to a server.

MSDN Library (.NET Framework 3.5)

Microsoft Security Advisory (973811): Extended Protection for Authentication

This feature enhances the protection and handling of credentials when authenticating network connections by using Integrated Windows Authentication (IWA).

Security TechCenter (2009)

Integrated Windows Authentication with Extended Protection

Enhancements were made that affect how integrated Windows authentication is handled by the HttpWebRequest, HttpListener, SmtpClient, SslStream, NegotiateStream, and related classes in the System.Net and related namespaces. Support was added for extended protection to enhance security.

MSDN Library (.NET Framework 3.5)

SQL Server: Connect to the Database Engine Using Extended Protection

SQL Server supports Extended Protection beginning with SQL Server 2008 R2. Extended Protection for Authentication is a feature of the network components implemented by the operating system.

MSDN Library(SQL Server 2012)

NTLM user authentication in Windows

This article discusses the following aspects of NTLM user authentication in Windows: Password storage in the account database; User authentication by using the MSV1_0 authentication package; and Pass-through authentication.

Microsoft Knowledge Base (2006)

Extended Protection for Authentication

This security update modifies the Security Support Provider Interface (SSPI) to enhance the way Windows authentication works so that credentials are not easily forwarded when Integrated Windows Authentication (IWA) is enabled. When Extended Protection for Authentication is enabled, authentication requests are bound to both the service principal name (SPN) of the server the client tries to connect to and to the outer Transport Layer Security (TLS) channel over which the IWA authentication occurs. This is a base update that enables applications to opt in to the new feature.

Microsoft Knowledge Base (2009)