Windows 2008 R2 domain NTLM

Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards.

Malicious attacks on NTLM authentication traffic resulting in a compromised server or domain controller can occur only if the server or domain controller handles NTLM requests. If those requests are denied, this attack vector is eliminated. When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage within the domain.

If you configure this policy setting, numerous NTLM authentication requests could fail within the domain, which could degrade productivity. Before implementing this change through this policy setting, set Network security: Restrict NTLM: Audit NTLM authentication in this domain to the same option so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting by using Network security: Restrict NTLM: Add server exceptions in this domain.
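One way to carry out the log review described above and draft the server exception list, as an added example that is not part of the original page. It assumes PowerShell 3.0 or later and that the audit setting writes event ID 8004 to the Microsoft-Windows-NTLM/Operational log on domain controllers; the host and account names are constructed.

```powershell
# Added example (constructed data). Assumes PowerShell 3.0+ and that NTLM audit
# events are ID 8004 in the Microsoft-Windows-NTLM/Operational log on a DC.
function Get-NtlmAuditSummary {
    param([Parameter(Mandatory = $true)][string[]]$EventXml)
    $rows = foreach ($x in $EventXml) {
        $doc = [xml]$x
        # local-name() avoids having to register the event XML namespace
        $id = $doc.SelectSingleNode("//*[local-name()='EventID']").InnerText
        if ($id -ne '8004') { continue }
        $d = @{}
        foreach ($n in $doc.SelectNodes("//*[local-name()='Data']")) {
            $d[$n.GetAttribute('Name')] = $n.InnerText
        }
        [pscustomobject]@{
            Server = $d['SChannelName']      # server the DC validated the logon for
            User   = $d['UserName']
            Client = $d['WorkstationName']
        }
    }
    # One row per server: request volume plus the accounts and clients still using NTLM
    $rows | Group-Object Server | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Server   = $_.Name
            Requests = $_.Count
            Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
            Clients  = ($_.Group.Client | Sort-Object -Unique) -join ', '
        }
    }
}

# Constructed sample events (hypothetical host and account names)
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
    '<System><EventID>8004</EventID></System><EventData>' +
    '<Data Name="SChannelName">{0}</Data><Data Name="UserName">{1}</Data>' +
    '<Data Name="WorkstationName">{2}</Data></EventData></Event>'
$sample = @(
    ($template -f 'FILESRV01', 'svc_backup', 'APP01'),
    ($template -f 'FILESRV01', 'jdoe', 'WS042'),
    ($template -f 'PRINT02', 'jdoe', 'WS042')
)
Get-NtlmAuditSummary -EventXml $sample | Format-Table -AutoSize

# Against a live domain controller, feed real events instead of $sample:
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004 } |
#     ForEach-Object { $_.ToXml() }
# Get-NtlmAuditSummary -EventXml $xml
```

Servers that still show requests after the clients and accounts listed against them have been moved to Kerberos are the candidates for the exception list.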

This policy setting determines which challenge/response authentication protocol is used for network logons. LAN Manager (LM) includes client computer and server software from Microsoft that allows users to link personal computers together on a single network.

Network capabilities include transparent file and print sharing, user security features, and network administration tools.

In Active Directory domains, the Kerberos protocol is the default authentication protocol. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the authentication level that servers accept. The following table identifies the policy settings, describes the setting, and identifies the security level used in the corresponding registry setting if you choose to use the registry to control this setting instead of the policy setting.

The following table lists the actual and effective default values for this policy.

Steps to enable audit logging policies using GPO

1. Then take Security Settings and select Local Policies. And set its value to Enable all. Go to Services Logs
2. The policy has 5 options:
   a. Disable: the policy is disabled (NTLM authentication is allowed in the domain)
   b. Deny all: the domain controllers block all NTLM requests for all domain servers and accounts.



