
ad-assurance - [AD-Assurance] Detecting NTLM v1 vs. v2 in the event logs - Event 4624

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: [AD-Assurance] Detecting NTLM v1 vs. v2 in the event logs - Event 4624
  • Date: Fri, 24 May 2013 16:47:43 +0000

From Ask the Directory Services Team (Microsoft's official enterprise support blog for AD DS and more):

http://blogs.technet.com/b/askds/archive/2012/02/02/purging-old-nt-security-protocols.aspx

Today the troika of Dave, Jonathan, and Ned are here to help you discover which computers and applications are using NTLM V1 and LM security, regardless of your operating system. It’s safe to say that some people aren’t going to like our answers or how much work this entails, but that’s life; […]  Windows Server 2008 R2 NTLM auditing only shows you NTLM usage in general.

Windows Server 2008+ security auditing can tell you about the NTLM version through the 4624 event that states a Package Name (NTLM only): NTLM V1 or Package Name (NTLM only): NTLM V2, but all prior operating systems cannot.

Comments:

Sam Y.

“If I understand this post correctly the only way to detect if NTLMV1 is in use is to use network captures whereas LM usage can be detected through the netlogon.log. Have I got that right or am I just confused?”

MSFT:

“Correct, unfortunately. We could not find any indicator of NTLMv1 in the netlogon log instrumentation. And we tried like the dickens...”

Ned, does event 4624 log LM authentication?  When I filter events with "Authentication Package" set to "NTLM", I see that "Package Name (NTLM only)" is either NTLM V1 or NTLM V2.

Jeff Capehart, CISA
IT Audit Manager
University of Florida - Office of Internal Audit
(352) 273-1882

http://oia.ufl.edu
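
The following Python example is added here and is not part of the original message or the quoted blog post. It tallies 4624 logons by the "Package Name (NTLM only)" value, which appears in the event XML as the LmPackageName data field next to AuthenticationPackageName. It assumes the Security log was exported as XML with the events wrapped in an <Events> root; the sample events, user names and workstation names are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

def make_event(event_id, **data):
    """Build one constructed event in the Windows event XML layout (sample data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed export: two NTLM logons, one Kerberos logon, one unrelated event.
SAMPLE = "<Events>" + "".join([
    make_event(4624, TargetUserName="alice", WorkstationName="LAB-PC01",
               AuthenticationPackageName="NTLM", LmPackageName="NTLM V1"),
    make_event(4624, TargetUserName="bob", WorkstationName="LAB-PC02",
               AuthenticationPackageName="NTLM", LmPackageName="NTLM V2"),
    make_event(4624, TargetUserName="carol", WorkstationName="-",
               AuthenticationPackageName="Kerberos", LmPackageName="-"),
    make_event(4634, TargetUserName="alice"),
]) + "</Events>"

def ntlm_logons(xml_text):
    """Yield (version, user, workstation) for each NTLM 4624 logon in the export."""
    for ev in ET.fromstring(xml_text).iter(f"{NS}Event"):
        if ev.findtext(f"{NS}System/{NS}EventID") != "4624":
            continue  # not a successful-logon event
        d = {n.get("Name"): (n.text or "") for n in ev.iter(f"{NS}Data")}
        if d.get("AuthenticationPackageName", "").strip().upper() != "NTLM":
            continue  # non-NTLM logons carry "-" in LmPackageName
        yield (d.get("LmPackageName", "-").strip(),
               d.get("TargetUserName", ""), d.get("WorkstationName", ""))

def summarize(xml_text):
    """Count NTLM logons per version and list the (user, workstation) pairs on NTLM V1."""
    rows = list(ntlm_logons(xml_text))
    counts = Counter(version for version, _, _ in rows)
    v1_sources = sorted({(u, ws) for version, u, ws in rows if version == "NTLM V1"})
    return counts, v1_sources

if __name__ == "__main__":
    counts, v1_sources = summarize(SAMPLE)
    print(dict(counts))
    print("NTLM V1 sources:", v1_sources)
```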
