ad-assurance - [AD-Assurance] RE: Detecting NTLM v1 vs. v2 in the event logs - Event 4624
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: Ron Thielen <>
- To: "" <>
- Subject: [AD-Assurance] RE: Detecting NTLM v1 vs. v2 in the event logs - Event 4624
- Date: Fri, 24 May 2013 17:26:23 +0000
Just so you can have it to try if you like, here is the event 4624 PowerShell script that we run daily.
We have two domains, ad and ad.local. Don’t ask why. I then run a Perl script that goes through these logs and identifies any Silver users in these logs and puts them in a “silver_deny” Grouper group to take away their Silver status.

Ron

# Script to gather and mail all NTLMv1 events within the past 24 hours
Import-Module ActiveDirectory

# assign array of all DCs in each domain
$ADDCs = Get-ADDomainController -Filter * -Server ad.uchicago.edu
$ADLOCALDCs = Get-ADDomainController -Filter * -Server ad.local

$Now = Get-Date
$Yesterday = $Now.AddDays(-1)
$NewOutputFile = "c:\scripts\Events\$($Yesterday.ToString('yyyyMMdd'))_AD_NTLMv1_events.log"

# Function to gather events from a DC and write out log
function GetEvents($DC){
    if($DC.OperatingSystem.Contains("2008")){
        # Search 2008 DCs only (older DCs do not record the NTLM version in 4624)
        # Find 4624 events whose message text mentions the V1 package
        Write-Host "Searching log on " $DC.HostName
        $Events = Get-EventLog "Security" -After $Yesterday.Date -Before $Now.Date -ComputerName $DC.HostName -Message "*V1*" -InstanceId 4624
        foreach($Event in $Events){
            Write-Host $DC.HostName $Event.EventID $Event.TimeGenerated
            # write event to log
            Out-File -FilePath $NewOutputFile -InputObject "$($Event.EventID),$($Event.MachineName),$($Event.TimeGenerated),$($Event.ReplacementStrings),$($Event.Message)" -Append
        }
    }
}

# Send each DC to GetEvents function
foreach($DC in $ADDCs){ GetEvents $DC }
foreach($DC in $ADLOCALDCs){ GetEvents $DC }

From: [mailto:] On Behalf Of Brian Arkills

Thanks for that, Jeff. So if you've got WS2008R2 or better DCs, you'll have 4624 events with a clear indication of NTLMv1 when used. If you don't have DCs with that OS, then you have to resort to network captures to make that determination.
From: [] On Behalf Of Capehart,Jeffrey D

From … Ask the Directory Services Team (Microsoft's official enterprise support blog for AD DS and more)
http://blogs.technet.com/b/askds/archive/2012/02/02/purging-old-nt-security-protocols.aspx

Today the troika of Dave, Jonathan, and Ned are here to help you discover which computers and applications are using NTLM V1 and LM security, regardless of your operating system. It’s safe to say that some people aren’t going to like our answers or how much work this entails, but that’s life; […]

Windows Server 2008 R2 NTLM auditing only shows you NTLM usage in general. Windows Server 2008+ security auditing can tell you about the NTLM version through the 4624 event that states Package Name (NTLM only): NTLM V1 or Package Name (NTLM only): NTLM V2, but all prior operating systems cannot.

Comments:

Sam Y.: “If I understand this post correctly the only way to detect if NTLMV1 is in use is to use network captures whereas LM usage can be detected through the netlogon.log. Have I got that right or am I just confused?”

MSFT: “Correct, unfortunately. We could not find any indicator of NTLMv1 in the netlogon log instrumentation. And we tried like the dickens...”

Ned, does event 4624 log LM authentication? When I filter events with "Authentication Package" set to "NTLM", I see that "Package Name (NTLM only)" is either NTLM V1 or NTLM V2.

Jeff Capehart, CISA |
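The thread above settles on one signal: on 2008-era and later DCs, a 4624 event whose "Package Name (NTLM only)" field reads NTLM V1. The following is an added example, not Ron's script and not Microsoft's code, showing how to filter on that field (LmPackageName in the event XML) instead of a wildcard over the message text, and how to pull out the user, workstation and source address for review. The host names, user names and the two sample events are constructed for the demonstration; the live-query function assumes read access to each DC's Security log.

```powershell
# Added example (not Ron's script, not Microsoft's code). Filters 4624 on the
# LmPackageName event-data field rather than a wildcard over the message text.
# Host names, user names and the sample events below are constructed.

# Turn the XML of one 4624 event into an object with the fields we care about.
function ConvertFrom-Logon4624 {
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = [datetime]$x.Event.System.TimeCreated.SystemTime
        Computer    = $x.Event.System.Computer
        User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType   = [int]$data['LogonType']
        AuthPackage = $data['AuthenticationPackageName']
        LmPackage   = $data['LmPackageName']   # 'NTLM V1', 'NTLM V2', or '-' for Kerberos
        Workstation = $data['WorkstationName']
        SourceIp    = $data['IpAddress']
        IsNtlmV1    = ($data['LmPackageName'] -eq 'NTLM V1')
    }
}

# Pull NTLMv1 logons from one machine's Security log. The XPath is evaluated
# by the event log service, so only matching events cross the wire.
# timediff() is in milliseconds.
function Get-NtlmV1Logons {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Hours = 24)
    $ms = $Hours * 3600 * 1000
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] and " +
             "EventData[Data[@Name='LmPackageName']='NTLM V1']]"
    # Get-WinEvent reports "No events were found" as an error; treat it as an empty result.
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Logon4624 -EventXml $_.ToXml() }
}

# Constructed sample: an NTLMv2 network logon from a workstation whose name contains "V1".
$sampleV2 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2013-05-23T14:02:11.000Z"/>
    <Channel>Security</Channel>
    <Computer>dc1.ad.example.edu</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">AD</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">DEV1-LAPTOP</Data>
    <Data Name="LmPackageName">NTLM V2</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
  </EventData>
</Event>
'@
# Constructed sample: a genuine NTLMv1 logon from a legacy device.
$sampleV1 = $sampleV2 -replace 'NTLM V2', 'NTLM V1' -replace 'DEV1-LAPTOP', 'OLDPRINTER' -replace 'jdoe', 'svc_legacy'

$parsed = $sampleV2, $sampleV1 | ForEach-Object { ConvertFrom-Logon4624 -EventXml $_ }
# Only the real NTLMv1 logon is reported; a "*V1*" match on the message text
# would also have flagged the NTLMv2 logon from DEV1-LAPTOP.
$parsed | Where-Object IsNtlmV1 | Format-Table TimeCreated, User, Workstation, SourceIp, LmPackage

# Live use against every DC in a domain (ActiveDirectory module required):
# Get-ADDomainController -Filter * -Server ad.local |
#     ForEach-Object { Get-NtlmV1Logons -ComputerName $_.HostName } |
#     Export-Csv -NoTypeInformation "C:\scripts\Events\$(Get-Date -Format yyyyMMdd)_ntlmv1.csv"
```

Two caveats worth keeping in mind when reading the output. A 4624 is written on the machine that creates the logon session, so a DC's Security log covers NTLM logons to the DC itself (LDAP, SMB to SYSVOL, and so on); an NTLMv1 logon to a member server is recorded in that server's log, and the DC only sees a 4776 credential-validation event, which does not carry the NTLM version. And the LmPackageName field is only meaningful when AuthenticationPackageName is NTLM; for Kerberos logons it is a dash, which is why the field filter above never matches them.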
- [AD-Assurance] Detecting NTLM v1 vs. v2 in the event logs - Event 4624, Capehart,Jeffrey D, 05/24/2013
- [AD-Assurance] RE: Detecting NTLM v1 vs. v2 in the event logs - Event 4624, Brian Arkills, 05/24/2013
- [AD-Assurance] RE: Detecting NTLM v1 vs. v2 in the event logs - Event 4624, Ron Thielen, 05/24/2013
- [AD-Assurance] RE: Detecting NTLM v1 vs. v2 in the event logs - Event 4624, Eric Goodman, 05/24/2013
- [AD-Assurance] RE: Detecting NTLM v1 vs. v2 in the event logs - Event 4624, Ron Thielen, 05/24/2013
- [AD-Assurance] RE: Detecting NTLM v1 vs. v2 in the event logs - Event 4624, Brian Arkills, 05/24/2013