You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: support/windows-server/windows-security/audit-domain-controller-ntlmv1.md
+10-10Lines changed: 10 additions & 10 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -14,23 +14,23 @@ appliesto:
14
14
---
15
15
# Audit use of NTLMv1 on a Windows Server-based domain controller
16
16
17
-
This article introduces the steps to test any application that's using NT LAN Manager (NTLM) version 1 on a Microsoft Windows Server-based domain controller.
18
-
19
17
_Original KB number:_ 4090105
20
18
21
19
## Summary
22
20
21
+
This article introduces the steps to test any application that's using NT LAN Manager (NTLM) version 1 on a Microsoft Windows Server-based domain controller (DC).
22
+
23
23
[!INCLUDE [Registry important alert](../../../includes/registry-important-alert.md)]
24
24
25
-
Consider using this test before setting computers to only use NTLMv2. To configure the computer to only use NTLMv2, set **LMCompatibilityLevel** to **5** under the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`key on the domain controller.
25
+
Consider using this test before setting computers to only use NTLMv2. To configure the computer to only use NTLMv2, set `LMCompatibilityLevel` to **5** under the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`subkey on the DC.
26
26
27
-
Microsoft has deprecated NTLM as a whole as of June 2024. For more information, see [Deprecated Features](/windows/whats-new/deprecated-features#deprecated-features). You can use the options discussed in [Removing NTLMv1, new audit event for use of NTLM](https://support.microsoft.com/topic/upcoming-changes-to-ntlmv1-in-windows-11-version-24h2-and-windows-server-2025-c0554217-cdbc-420f-b47c-e02b2db49b2e) to audit the use of any version of NTLM.
27
+
Microsoft deprecated NTLM as a whole as of June 2024. For more information, see [Deprecated Features](/windows/whats-new/deprecated-features#deprecated-features). You can use the options discussed in [Removing NTLMv1, new audit event for use of NTLM](https://support.microsoft.com/topic/upcoming-changes-to-ntlmv1-in-windows-11-version-24h2-and-windows-server-2025-c0554217-cdbc-420f-b47c-e02b2db49b2e) to audit the use of any version of NTLM.
28
28
29
29
## NTLM auditing
30
30
31
-
To find applications that use NTLMv1, enable Logon Success Auditing on the domain controller, and then look for Success auditing Event 4624, which contains information about the version of NTLM.
31
+
To find applications that use NTLMv1, enable Logon Success Auditing on the DC. Then review the event log on the DC for Success auditing Event ID 4624, which contains information about the version of NTLM.
32
32
33
-
You will receive event logs that resemble the following ones:
33
+
The text of Event ID 4624 resembles the following example:
34
34
35
35
```output
36
36
Sample Event ID: 4624
@@ -73,14 +73,14 @@ Key Length: 128
73
73
74
74
## More information
75
75
76
-
This logon in the event log doesn't use NTLMv1 session security. There's actually no session security, because no key material exists.
76
+
The sign-in (logon) operation that the event records doesn't use NTLMv1 session security. There's actually no session security, because no key material exists.
77
77
78
-
The logic of the NTLM Auditing is that it will log NTLMv2-level authentication when it finds NTLMv2 key material on the logon session. It logs NTLMv1 in all other cases, which include anonymous sessions. Therefore, our general recommendation is to ignore the event for security protocol usage information when the event is logged for **ANONYMOUS LOGON**.
78
+
The logic of the NTLM Auditing is that it logs NTLMv2-level authentication when it finds NTLMv2 key material on the sign-in session. It logs NTLMv1 in all other cases, which include anonymous sessions. Therefore, our general recommendation is to ignore the event for security protocol usage information when the event is logged for **ANONYMOUS LOGON**.
79
79
80
-
Common sources of anonymous logon sessions are:
80
+
Common sources of anonymous logon sessions include the following applications and services:
81
81
82
82
-[Computer Browser Service](/previous-versions/windows/it-pro/windows-server-2003/cc778351(v=ws.10)): It's a legacy service from Windows 2000 and earlier versions of Windows. The service provides lists of computers and domains on the network. The service runs in the background. However, today this data is no longer used. We recommend that you disable this service across the enterprise.
83
83
84
84
- SID-Name mapping: It can use anonymous sessions. See [Network access: Allow anonymous SID/Name translation](/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation). We recommend that you require authentication for this functionality.
85
85
86
-
- Client applications that don't authenticate: The application server may still create a logon session as anonymous. It's also done when there are empty strings passed for user name and password in NTLM authentication.
86
+
- Client applications that don't authenticate: The application server might still create a logon session as an anonymous user. Similarly, it might create an anonymous session if it uses NTLM authentication together with empty user name and password strings.
0 commit comments