
Subject: Meeting the InCommon Assurance profile criteria using Active Directory

[AD-Assurance] RE: Detecting NTLM v1 vs. v2 in the event logs - Event 4624

  • From: Brian Arkills <>
  • To: "" <>
  • Subject: [AD-Assurance] RE: Detecting NTLM v1 vs. v2 in the event logs - Event 4624
  • Date: Fri, 24 May 2013 17:04:39 +0000

Thanks for that, Jeff.

So if you've got WS2008R2 or better DCs, you'll have 4624 events with a clear indication of NTLMv1 when used. If you don't have DCs with that OS, then you have to resort to network captures to make that determination.

From: [mailto:] On Behalf Of Capehart, Jeffrey D
Sent: Friday, May 24, 2013 9:48 AM
To:
Subject: [AD-Assurance] Detecting NTLM v1 vs. v2 in the event logs - Event 4624

From Ask the Directory Services Team (Microsoft's official enterprise support blog for AD DS and more):

http://blogs.technet.com/b/askds/archive/2012/02/02/purging-old-nt-security-protocols.aspx

Today the troika of Dave, Jonathan, and Ned are here to help you discover which computers and applications are using NTLM V1 and LM security, regardless of your operating system. It’s safe to say that some people aren’t going to like our answers or how much work this entails, but that’s life; […]  Windows Server 2008 R2 NTLM auditing only shows you NTLM usage in general.

Windows Server 2008+ security auditing can tell you about the NTLM version through the 4624 event that states a Package Name (NTLM only): NTLM V1 or Package Name (NTLM only): NTLM V2, but all prior operating systems cannot.

Comments:

Sam Y.

“If I understand this post correctly the only way to detect if NTLMV1 is in use is to use network captures whereas LM usage can be detected through the netlogon.log. Have I got that right or am I just confused?”

MSFT:

“Correct, unfortunately. We could not find any indicator of NTLMv1 in the netlogon log instrumentation. And we tried like the dickens...”

Ned, does event 4624 log LM authentication?  When I filter events with "Authentication Package" set to "NTLM", I see that "Package Name (NTLM only)" is either NTLM V1 or NTLM V2.

Jeff Capehart, CISA
IT Audit Manager
University of Florida - Office of Internal Audit
(352) 273-1882

http://oia.ufl.edu
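The 4624 check the thread describes, written out as an added example (not code from the thread or from the blog post it quotes): it pulls Security-log 4624 events whose "Package Name (NTLM only)" field reads NTLM V1 and summarizes them by source workstation and address. It assumes PowerShell 3 or later with Get-WinEvent, a Windows Server 2008 R2 or later host (the thread's stated requirement for the field to be populated), and read access to the Security log.

```powershell
# Added example, not from the thread. Query the local Security log for 4624
# logon events where the negotiated NTLM package was NTLM V1.
# XML field names map to the Event Viewer labels the thread mentions:
#   AuthenticationPackageName = "Authentication Package"
#   LmPackageName             = "Package Name (NTLM only)"
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624)]]
      and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]
      and *[EventData[Data[@Name='LmPackageName']='NTLM V1']]
    </Select>
  </Query>
</QueryList>
"@

# Get-WinEvent reports "no events found" as an error; treat that as an empty result.
$events = Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event's XML rendering.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Workstation = $d['WorkstationName']
        SourceIP    = $d['IpAddress']
        LogonType   = $d['LogonType']
        LmPackage   = $d['LmPackageName']
    }
}

# One line per source, with the accounts seen from it, so each NTLMv1 caller
# appears once regardless of how many logons it generated.
$rows | Group-Object Workstation, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Event 4624 is written on the computer that creates the logon session, so run this on (or collect it from) each server that accepts NTLM logons, not only on the domain controllers.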
