How to audit use of NTLMv1 on a Windows Server-based domain controller

Applies to: Windows Server 2008 R2 EnterpriseWindows Server 2016Windows Server 2012 R2 Standard More

Summary


This article introduces the steps to test any application that is using NT LAN Manager (NTLM) version 1 on a Windows Server-based domain controller.

You may do this test before setting computers to only use NTLMv2. To configure the computer to only use NTLMv2, set LMCompatibilityLevel to 5 under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key on the domain controller.

NTLM Auditing


To find applications that use NTLMv1, enable Logon Success Auditing on the domain controller, and then look for Success auditing Event 4624, which contains information about the version of NTLM.

You will receive event logs that resemble the following:

More Information


This logon in the event log does not really use NTLMv1 session security. There is actually no session security, because no key material exists.

The logic of the NTLM Auditing is that it will log NTLMv2-level authentication when it finds NTLMv2 key material on the logon session. It logs NTLMv1 in all other cases, which include anonymous sessions. Therefore, our general recommendation is to ignore the event for security protocol usage information when the event is logged for "ANONYMOUS LOGON".

Common sources of anonymous logon sessions are:

  • Computer Browser Service: This is a legacy service from Windows 2000 and earlier versions of Windows. The service provides lists of computers and domains on the network. The service runs in the background. However, today this data is no longer used. We recommend that you disable this service across the enterprise.
  • SID-Name mapping: It can use anonymous sessions. See Network access: Allow anonymous SID/Name translation. We recommend that you require authentication for this functionality.
  • Client applications that do not authenticate: The application server may still create a logon session as anonymous. This is also done when there are empty strings passed for user name and password in NTLM authentication.