Secure Bits
How to track NTLM usage before enforcing/disabling it?
NTLM is a legacy protocol that's still hanging around in many environments, and it's a popular target for attackers (relay and capture-and-crack attacks). But enforcing strict NTLM restrictions without auditing first? That's a recipe for outages.
Here's how to proceed the right way:
Option 1: Enable NTLM auditing
Use these GPO settings to track NTLM on the Domain Controller side:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
- Network security: Restrict NTLM: Audit incoming NTLM traffic
- Network security: Restrict NTLM: Audit NTLM authentication in this domain
- These give you Event IDs 8002, 8003 and 8004 in the Microsoft-Windows-NTLM/Operational log (Applications and Services Logs > Microsoft > Windows > NTLM > Operational). This way you can track NTLM usage through your domain controllers, with no need to collect 4624 from every device.
⚠️ Drawback: they don't show which NTLM version was used, so they're great for auditing overall NTLM usage, but not ideal for enforcing NTLMv2 only (that switch is a separate setting, Network security: LAN Manager authentication level, and you want the version breakdown before you flip it).
Option 2: Collect 4624 logs on all devices
Event ID 4624 is logged on the machine the user authenticates to (it needs Audit Logon success auditing enabled), and it does include the NTLM version: when Authentication Package is NTLM, the "Package Name (NTLM only)" field reads LM, NTLM V1 or NTLM V2, so it tells you whether NTLMv1 or v2 was used, which is great for planning phased enforcement.
Pair this with Event ID 4776 on DCs (credential validation: it shows the account and source workstation but not the NTLM version, so it's less useful alone), and you'll get the full picture.
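Option 1 and Option 2 as one PowerShell script. This is an added example, not code from the original post: it assumes the two audit GPOs above are applied, that Audit Logon success auditing is on (4624 is not written without it), that it runs elevated on the machine whose log you want (a DC for 8004, any member server or workstation for 4624), and the output folder under $env:TEMP is an arbitrary choice. The 4624 field names (AuthenticationPackageName, LmPackageName, TargetUserName, TargetDomainName, WorkstationName, IpAddress, LogonType) are the standard EventData names; for 8004 the script flattens whatever EventData the event carries rather than hard-coding names.

```powershell
# Added example, not from the original post. Inventories NTLM usage from the two
# event sources discussed above: 4624 (has the NTLM version) and 8004 (domain-wide,
# no version). Assumptions: audit GPOs applied, Audit Logon success auditing on,
# run elevated on the box whose log you want.

# Part 1: per-version NTLM usage from 4624 on the local machine. Only 4624 carries
# "Package Name (NTLM only)" (EventData field LmPackageName): LM, NTLM V1 or NTLM V2.
function Get-NtlmLogonSummary {
    param(
        [int]$Days = 7,
        # ANONYMOUS LOGON (null session) events are reported as NTLM V1 and would
        # swamp an NTLMv1 hunt; they are dropped unless you ask for them.
        [switch]$IncludeAnonymous
    )
    $ms = [int64]$Days * 24 * 60 * 60 * 1000
    # XPath lets the event log service do the filtering instead of PowerShell.
    $xpath = "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= $ms]]" +
             " and EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"

    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Version     = $d['LmPackageName']
                Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Workstation = $d['WorkstationName']
                SourceIp    = $d['IpAddress']
                LogonType   = $d['LogonType']
            }
        } |
        Where-Object { $IncludeAnonymous -or $_.Account -notlike '*\ANONYMOUS LOGON' } |
        Group-Object Version, Account, Workstation, SourceIp, LogonType |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Count       = $_.Count
                Version     = $first.Version
                Account     = $first.Account
                Workstation = $first.Workstation
                SourceIp    = $first.SourceIp
                LogonType   = $first.LogonType
            }
        } |
        Sort-Object Count -Descending
}

# Part 2: domain-wide NTLM usage from 8004 in Microsoft-Windows-NTLM/Operational on
# a DC (written by "Audit NTLM authentication in this domain"). No NTLM version
# here, but every account/workstation/target still using NTLM shows up without
# collecting 4624 from each member. EventData names are not hard-coded; whatever
# the event carries becomes a column.
function Get-NtlmDomainSummary {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8004
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = [ordered]@{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]$d
        } |
        Group-Object { @($_.PSObject.Properties.Value) -join '|' } |
        Sort-Object Count -Descending |
        ForEach-Object {
            $o = [ordered]@{ Count = $_.Count }
            foreach ($p in $_.Group[0].PSObject.Properties) { $o[$p.Name] = $p.Value }
            [pscustomobject]$o
        }
}

# Example run; the output folder is an assumption.
$out = Join-Path $env:TEMP 'ntlm-audit'
New-Item -ItemType Directory -Path $out -Force | Out-Null
$logons = Get-NtlmLogonSummary -Days 7
$logons | Export-Csv -Path (Join-Path $out '4624-ntlm-by-version.csv') -NoTypeInformation
# The rows that would break an NTLMv2-only rollout (LAN Manager authentication level 5):
$logons | Where-Object { $_.Version -in @('LM', 'NTLM V1') } | Format-Table -AutoSize
Get-NtlmDomainSummary -Days 7 | Select-Object -First 20 | Format-Table -AutoSize
```

Run Part 1 on the servers that receive the most NTLM (file servers, web servers, the DCs themselves) and Part 2 on one DC per site; the LM / NTLM V1 rows from Part 1 are your fix-first list, and Part 2 tells you which workstations and service accounts to chase before any Restrict NTLM policy moves from Audit to Deny.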
Option 3: Watch for enhanced NTLM auditing (coming soon)
A new NTLM auditing mode is on the way in Windows 11 24H2 and Windows Server 2025.
It will finally log who, why, and where, directly on Domain Controllers, and even show the NTLM version.
It's not fully rolled out yet, but the GPO options are already appearing.
Takeaway:
- Start with auditing.
- Find what's still using NTLM, identify NTLMv1 accounts, and phase out usage safely.
Are you planning to enforce NTLMv2 or eliminate NTLM entirely?
