Auditing NTLM authentication on Domain Controllers: which GPO

Tags: audit, domain-controller, group-policy, ntlm

We want to turn on NTLM authentication auditing to gather further details on some clients trying to authenticate using NTLM to the domain/DCs. Specifically we want to enable:

  • Network security: Restrict NTLM: Audit NTLM authentication in this domain
  • Network security: Restrict NTLM: Audit Incoming NTLM Traffic

I've found the following articles related to it:

https://technet.microsoft.com/en-us/library/jj852254(v=ws.11).aspx

https://support.symantec.com/en_US/article.HOWTO79508.html

http://www.itprotoday.com/management-mobility/q-how-can-i-find-out-if-my-clients-are-using-ntlm-authentication-instead

The articles seem to overlap a little and somewhat oppose each other on where to apply these policies. The Technet article itself doesn't state any specifics on where to create/apply the GPO.

So my question is:

Where exactly should I enable these policies? Default Domain Controller Policy? New Audit Policy applied at the domain level? New Audit Policy applied at the Domain Controller OU?

Best Answer

You need to cover both the DCs and member servers. I do separate ones, as some of the settings are meaningful only to the DCs. Keep in mind that the DCs don't just process the auths, they can also be clients or servers for NTLM, via SMB for instance.

See the configurations section here: https://technet.microsoft.com/en-us/library/jj865682(v=ws.10).aspx
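Once the GPOs are in place (one scoped to the Domain Controllers OU, one to the member servers), the quick way to confirm they landed where you expect is to read the registry values those two settings write and then look at what the NTLM operational log is collecting. The script below is an added example, not part of the question or the answer above. It assumes an elevated PowerShell session on the DC or member server after a gpupdate, that the two policies map to the `AuditReceivingNTLMTraffic` (under `Lsa\MSV1_0`) and `AuditNTLMInDomain` (under `Netlogon\Parameters`) registry values, and that the audit events 8001 to 8004 land in `Microsoft-Windows-NTLM/Operational`; the regex used to pull the user and workstation out of the event message is an assumption about the message layout.

```powershell
# Added example (not from the original post or answer): verify the effective
# "Restrict NTLM" audit settings on this host, then summarize the audit events
# they produce. Run elevated on a DC or a member server after gpupdate.
# Assumption: these are the registry values the two policies write.

$checks = @(
    @{ Name    = 'Audit Incoming NTLM Traffic (DCs and member servers)'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value   = 'AuditReceivingNTLMTraffic'
       Meaning = @{ 0 = 'Disable'; 1 = 'Enable auditing for domain accounts'; 2 = 'Enable auditing for all accounts' } },
    @{ Name    = 'Audit NTLM authentication in this domain (meaningful on DCs only)'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Value   = 'AuditNTLMInDomain'
       Meaning = @{ 0 = 'Disable'; 1 = 'Enable for domain accounts to domain servers'; 3 = 'Enable for domain accounts'; 5 = 'Enable for domain servers'; 7 = 'Enable all' } }
)

foreach ($c in $checks) {
    # A missing value means the policy is "Not Defined" on this host.
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    if ($null -eq $v)                          { $state = 'Not configured' }
    elseif ($c.Meaning.ContainsKey([int]$v))   { $state = $c.Meaning[[int]$v] }
    else                                       { $state = "Unknown value $v" }
    [pscustomobject]@{ Setting = $c.Name; RegistryValue = $v; State = $state }
}

# Event IDs written to the NTLM operational log once auditing is on:
# 8001 outgoing NTLM, 8002 incoming NTLM, 8003 domain NTLM auth,
# 8004 pass-through (domain) NTLM auth. Last 24 hours only.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001, 8002, 8003, 8004
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# Volume per event type tells you whether this host is acting as a server,
# a client, or (on a DC) processing the domain's pass-through auths.
$events |
    Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Sort-Object EventId

# Which clients are still speaking NTLM. The message layout differs slightly
# per event ID, so the fields are pulled from the text (assumed layout).
$events |
    ForEach-Object {
        $m    = $_.Message
        $user = if ($m -match 'User name:\s*(\S+)')        { $Matches[1] } else { '?' }
        $ws   = if ($m -match 'Workstation name:\s*(\S+)') { $Matches[1] } else { '?' }
        [pscustomobject]@{ Id = $_.Id; User = $user; Workstation = $ws }
    } |
    Group-Object Id, User, Workstation |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name
```

Running the first part on a member server should show the "in this domain" value as Not configured if you kept that setting out of the member-server GPO, and on a DC both values populated; if either reads Not configured on a DC, the GPO is linked or filtered somewhere other than the Domain Controllers OU. The second part is what you actually wanted from the exercise: a per-workstation list of who is still falling back to NTLM.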