Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Original KB number: 4090105
Summary
This article describes how to audit NTLMv1 authentication on Windows Server domain controllers (DCs). Use this information to identify applications and services that still use NTLMv1 before you disable NTLMv1 in your environment.
NTLMv1 is a legacy authentication protocol that Microsoft deprecated in June 2024. For more information, see Deprecated Features.
To maintain security, identify any remaining NTLMv1 usage, and migrate applications to use modern authentication protocols. To audit the use of any version of NTLM, use the methods that are described in this article and in Removing NTLMv1, new audit event for use of NTLM.
NTLM auditing
To find applications that use NTLMv1, enable Logon Success Auditing on the DC. Then, review the event log on the DC for Success auditing Event ID 4624. This log entry contains information about the version of NTLM.
The text of Event ID 4624 resembles the following example:
Sample Event ID: 4624
Source: Microsoft-Windows-Security-Auditing
Event ID: 4624
Task Category: Logon
Level: Information
Keywords: Audit Success
Description:
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0xa2226a
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: Workstation1
Source Network Address:\<ip address>
Source Port: 49194
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 128
Using NTLMv2 exclusively
Important
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For protection, back up the registry before you modify it so that you can restore it if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.
To configure a DC to use only NTLMv2 for authentication, configure the following registry value on the DC:
- Subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa - Entry:
LMCompatibilityLevel - Value: 5
For more information, see How to enable NTLM 2 authentication.
More information
The sign-in (logon) operation that Event ID 4624 describes doesn't use NTLMv1 session security. This operation actually has no session security because no key material exists.
The logic of NTLM Auditing is that it logs NTLMv2-level authentication when it finds NTLMv2 key material on the sign-in session. It logs NTLMv1 in all other cases, including anonymous sessions. Therefore, our general recommendation is to ignore the event for security protocol usage information if the event is logged for ANONYMOUS LOGON.
Common sources of anonymous logon sessions include the following applications and services:
Computer Browser Service: A legacy service from Windows 2000 and earlier versions of Windows. The service runs in the background and provides lists of computers and domains on the network. However, this data is no longer used. We recommend that you disable this service across the enterprise.
SID-Name mapping: A process that can use anonymous sessions. See Network access: Allow anonymous SID/Name translation. We recommend that you require authentication for this functionality.
Client applications that don't authenticate: The application server might still create a logon session as an anonymous user. Similarly, it might create an anonymous session if it uses NTLM authentication together with empty user name and password strings.