Windows OS Hub
  • Windows
    • Windows 11
    • Windows 10
    • Windows Server 2025
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
    • Proxmox
  • PowerShell
  • Linux
  • Home
  • About

Windows OS Hub

  • Windows
    • Windows 11
    • Windows 10
    • Windows Server 2025
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
    • Proxmox
  • PowerShell
  • Linux

 Windows OS Hub / Group Policies / How to Disable NTLM Authentication in Windows Domain

March 16, 2024

How to Disable NTLM Authentication in Windows Domain

NTLM (NT LAN Manager) is a legacy Microsoft authentication protocol that dates back to Windows NT. Although Microsoft introduced the more secure Kerberos authentication protocol back in Windows 2000, NTLM (mostly NTLMv2) is still widely used for authentication on Windows domain networks. In this article, we will look at how to disable the NTLMv1 and NTLMv2 protocols and switch to Kerberos in an Active Directory domain.

Contents:
  • How to Enable NTLM Authentication Audit Logging?
  • Configuring Active Directory to Force NTLMv2 via GPO
  • Restrict NTLM Completely and Use Kerberos Authentication in an AD

The key NTLMv1 problems:

  • weak encryption;
  • storing password hash in the memory of the LSA service, which can be extracted from Windows memory in plain text using various tools (such as Mimikatz) and used for further attacks using pass-the-has scripts;
  • the lack of mutual authentication between a server and a client, leading to data interception and unauthorized access to resources (some tools such as Responder can capture NTLM data sent over the network and use them to access the network resources);
  • and other vulnerabilities.

Some of these have been in the next version NTLMv2 which uses more secure encryption algorithms and allows to prevent of common NTLM attacks. NTLMv1 and LM authentication protocols are disabled by default starting with Windows 7 and Windows Server 2008 R2.

How to Enable NTLM Authentication Audit Logging?

Before completely disabling NTLM in a domain and switching to Kerberos, it is a good idea to ensure that there are no applications in the domain that require and use NTLM auth. There may be legacy devices or services on your network that still use NTLMv1 authentication instead of NTLMv2 (or Kerberos).

To track accounts or apps that use NTLM authentication, you can enable audit logging policies on all computers using GPO. Open the Default Domain Controller Policy, navigate to the Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options section, find and enable the Network Security: Restrict NTLM: Audit NTLM authentication in this domain policy and set its value to Enable all.

Network Security: Restrict NTLM: Audit NTLM authentication in this domain

In the same way, enable the following policies in the Default Domain Policy:

  • Network Security: Restrict NTLM: Audit Incoming NTLM Traffic – set its value to Enable auditing for domain accounts
  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers: set Audit all

Network Security: Restrict NTLM: Audit Incoming NTLM Traffic

Once these policies are enabled, events related to the use of NTLM authentication will appear in the Application and Services Logs-> Microsoft -> Windows -> NTLM section of the Event Viewer.

You can analyze the events on each server or collect them from the central Windows Event Log Collector.

You need to search for the events from the source Microsoft-Windows-Security-Auditing with the Event ID 4624 – “An Account was successfully logged on“. Note the information in the “Detailed Authentication Information” section. If there is NTLM in the Authentication Package value, then the NTLM protocol was used to authenticate this user.

Look at the value of Package Name (NTLM only). This line shows which protocol (LM, NTLMv1, or NTLMv2) was used for authentication. So you need to identify any servers/applications that are using the legacy protocol.

eventid 4624 source Microsoft-Windows-Security-Auditing ntlm usage

Also, if NTLM is used for authentication instead of Kerberos, Event ID 4776 will appear in the log:

The computer attempted to validate the credentials for an account
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

For example, to search for all NTLMv1 authentication events on all domain controllers, you can use the following PowerShell script:

$ADDCs = Get-ADDomainController -filter
$Now = Get-Date
$Yesterday = $Now.AddDays(-1)
$NewOutputFile = "c:\Events\$($Yesterday.ToString('yyyyddMM'))_AD_NTLMv1_events.log"
function GetEvents($DC){
Write-Host "Searching log on " $DC.HostName
$Events = Get-EventLog "Security" -After $Yesterday.Date -Before $Now.Date -ComputerName $DC.HostName -Message "*NTLM V1*" -instanceid 4624
foreach($Event in $Events){
Write-Host $DC.HostName $Event.EventID $Event.TimeGenerated
Out-File -FilePath $NewOutputFile -InputObject "$($Event.EventID), $($Event.MachineName), $($Event.TimeGenerated), $($Event.ReplacementStrings),($Event.message)" -Append
}
}
foreach($DC in $ADDCs){GetEvents($DC)}

Once you have identified the users and applications that use NTLM in your domain, try switching them to use Kerberos (possibly using SPN). To use Kerberos authentication, some applications need to be slightly reconfigured (Kerberos Authentication in IIS, Configure different browsers for Kerberos authentication, Create a Keytab File Using Kerberos Auth). From my own experience, I see that even large commercial products are still using NTLM instead of Kerberos, some products require updates or configuration changes. The idea is to identify which applications use NTLM authentication, and now you have a way to identify that software and devices.

Small open-source products, old models of various network scanners (which store scans in shared network folders), some NAS devices and other old hardware, legacy software, and operating systems are likely to have authentication problems when NTLMv1 is disabled.

Those apps that cannot use Kerberos can be added to the exceptions. This allows them to use NTLM authentication even if it is disabled at the domain level. To do it, the Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain policy is used. Add the names of the servers (NetBIOS names, IP addresses, or FQDN), on which NTLM authentication can be used, to the list of exceptions as well. Ideally, this exception list should be empty. You can use the wildcard character *.

GPO: Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain

To use Kerberos authentication in an application, you must specify the DNS name of the server, instead of its IP address. If you specify an IP address when connecting to your resources, NTLM authentication will be used.

Configuring Active Directory to Force NTLMv2 via GPO

Before completely disabling NTLM in an AD domain, it is recommended that you first disable its more vulnerable version, NTLMv1. The domain administrator needs to make sure that their network does not allow the use of NTLM or LM for authentication, as in some cases an attacker can use special requests to get a response to an NTLM/LM request.

You can set the preferred authentication type using the domain GPO. Open the Group Policy Management Editor (gpmc.msc) and edit the Default Domain Controllers Policy. Go to the GPO section Computer Configurations -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options and find the policy Network Security: LAN Manager authentication level.

Network Security: LAN Manager authentication level - disable ntlm v1 and lm

There are 6 options to choose from in the policy settings::

  • Send LM & NTLM responses;
  • Send LM & NTLM responses – use NTLMv2 session security if negotiated;
  • Send NTLM response only;
  • Send NTLMv2 response only;
  • Send NTLMv2 response only. Refuse LM;
  • Send NTLMv2 response only. Refuse LM& NTLM.

The NTLM authentication options are listed in the order of their security improvement. By default, Windows 7 and later operating systems use the option Send NTLMv2 response only. If this option is enabled, client computers use NTLMv2 authentication, but AD domain controllers accept LM, NTLM, and NTLMv2 requests.

NTLMv2 can be used where the Kerberos protocol has failed and for some operations (for example, to authenticate local groups and accounts on the domain-joined computers) or in workgroups.

You can change the policy value to the most secure option 6 : “Send NTLMv2 response only. Refuse LM & NTLM”. This policy causes domain controllers to reject LM and NTLM requests as well.

You can also disable NTLMv1 through the registry. To do this, create a DWORD parameter with the name LmCompatibilityLevel with a value between 0 and 5 under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Value 5 corresponds to the policy option “Send NTLMv2 response only. Refuse LM NTLM”.

Make sure that the Network security: Do not store LAN Manager hash value on next password change policy is enabled in the same GPO section. It is enabled by default starting with Windows Vista / Windows Server 2008 and prevents the creation of an LM hash.

Network security: Do not store LAN Manager hash value on next password change

Once you have ensured that you are not using NTLMv1, you can go further and try to disable NTLMv2. NTLMv2 is a more secure authentication protocol but loses significantly to Kerberos in terms of security (although there are fewer vulnerabilities in NTLMv2 than in the NTLMv1, but there is still a chance of capturing and reusing data, as well as it doesn’t support mutual authentication).

The main risk of disabling NTLM is the potential use of legacy or misconfigured applications that may still be using NTLM authentication. If this is the case, they will need to be updated or specially configured to switch to Kerberos.

If you have a Remote Desktop Gateway server on your network, you will need to make an additional configuration to prevent clients from connecting using NTLMv1. Create a registry entry:

REG add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core" /v EnforceChannelBinding /t REG_DWORD /d 1 /f

Restrict NTLM Completely and Use Kerberos Authentication in an AD

To check how authentication works in different applications in a domain without using NTLM, you can add the accounts of the required users to the Protected Users domain group (it has been available since the Windows Server 2012 R2 release). Members of this security group can only authenticate using Kerberos (NTLM, Digest Authentication, or CredSSP are not allowed). This allows you to verify that Kerberos user authentication is working correctly in different apps.

Then you can completely disable NTLM on the Active Directory domain using the Network Security: Restrict NTLM: NTLM authentication in this domain policy.

The policy has 5 options:

  • Disable: the policy is disabled (NTLM authentication is allowed in the domain);
  • Deny for domain accounts to domain servers: the domain controllers reject NTLM authentication attempts for all servers under the domain accounts, and the “NTLM is blocked” error message is displayed;
  • Deny for domain accounts: the domain controllers are preventing NTLM authentication attempts for all domain accounts, and the “NTLM is blocked” error appears;
  • Deny for domain servers: NTLM authentication requests are denied for all servers unless the server name is on the exception list in the “Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain” policy;
  • Deny all: the domain controllers block all NTLM requests for all domain servers and accounts.

GPO: Network Security: Restrict NTLM: NTLM authentication in this domain

Although NTLM is now disabled on the domain, it is still used to process local logins to computers (NTLM is always used for local user logons).

You can also disable incoming and outgoing NTLM traffic on domain computers using separate Default Domain Policy options:

  • Network security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts
  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Deny all

After enabling auditing, Event Viewer will also display EventID 6038 from the LsaSRV source when using NTLM for authentication:

Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
NTLM is a weaker authentication mechanism. Please check:
Which applications are using NTLM authentication?
Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
If NTLM must be supported, is Extended Protection configured?

eventid 6038 from lsasrv source: NTLM authentication is presently being used between clients and this server

You can check that Kerberos is used for user authentication with the command:

klist sessions

klist session - check authentication protocol used

This command shows that all users are Kerberos-authenticated (except the built-in local Administrator, who is always authenticated using NTLM).

If you are experiencing a lot of user account lockout events after disabling NTLM, take a close look at the events with ID 4771 (Kerberos pre-authentication failed). Check the Failure Code in the error description. This will indicate the reason and source of the lock.

To further improve Active Directory security, I recommend reading these articles:

  • Securing administrator accounts in Active Directory
  • How to Disable LLMNR and NetBIOS over TCP/IP?
15 comments
12
Facebook Twitter Google + Pinterest
Active DirectoryGroup PoliciesWindows 10Windows Server 2019
previous post
Group Policy Management in Active Directory
next post
Copy/Paste Not Working in Remote Desktop (RDP) Clipboard

Related Reading

Fix: Remote Desktop Licensing Mode is not Configured

August 24, 2023

Refresh AD Groups Membership without Reboot/Logoff

March 15, 2024

How to Find the Source of Account Lockouts...

March 12, 2024

How to Delete Old User Profiles in Windows

March 15, 2024

Configuring Windows Firewall Rules Using Group Policy

March 15, 2024

Allow Non-admin Users RDP Access to Windows Server

March 16, 2024

How to Allow Non-Admin User to Start/Stop Service...

March 15, 2024

Copy Files and Folders to User Computers via...

March 15, 2024

15 comments

Hardening settings for Domain Controllers - Original Network | IT Blog February 29, 2020 - 4:33 pm

[…] Event 4624 with data fields like “Authentication Package” and “Package name (NTLM only)” needs to be filtered. If you see something like NTLMV1 at Package Name. It shows you that there is an application still using NTLMv1. Disabling NTLM immediately can have broken an application. Make sure this is tested properly. […]

Reply
agus August 23, 2020 - 3:02 pm

i still counfuse to force workstation to use ntlmv2 or use kerberos, my office has been pentest and found backdoor from ntlmv1

Reply
Marcin March 9, 2021 - 1:34 pm

I think the last picture shows a wrong setting based on where it is placed, isn’t it?

Reply
Edward Burlakov November 7, 2022 - 3:35 pm

You are right completely! There musnt be word “Audi” in header on the last screenshot .

Reply
Eric May 6, 2021 - 1:49 am

Thanks for tips guys!

The correct registry key for “LMCompatibilityLevel” entry in Secpol.msc is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Reply
admin May 6, 2021 - 6:00 am

Thanks for your clarification! I corrected the registry key in the article

Reply
Piosk October 19, 2021 - 7:53 am

I am confused . Which policy should I modify Default Domain or Default Domain Controller ?

Reply
admin October 26, 2021 - 11:17 am

Use the Default Domain Controllers Policy in order to restrict ntlm usage on DCs.

Reply
Jamie November 10, 2021 - 7:49 pm

I would like to suggest some different code to run against your domain to get the events around NTLM:
# must be run from a DC for the domain controllers you want to collect with the same credentials
# example enpro domain iad0dc05.enproindustries.com enproadmin10
# example login domain iad0dc06.login.enproindustries.com jl-admin
$ADDCs = Get-ADDomainController -filter *
$desktop = [Environment]::GetFolderPath(“Desktop”)
$Now = Get-Date
$Yesterday = $Now.AddDays(-1)
# 6 hours
$Query = @’

*[System[(EventID=4776 or EventID=4624) and TimeCreated[timediff(@SystemTime) <= 21600000]]]

‘@

$NewOutputFile = “$desktop\$($Yesterday.ToString(‘yyyyddMM’))_AD_NTLMv1_events.log”
function GetEvents($DC){
Write-Host “Searching log on ” $DC.HostName
#$Events = Get-EventLog “Security” -After $Yesterday.Date -Before $Now.Date -ComputerName $DC.HostName -Message “*V1*” -instanceid 4624
$Events2 = Get-WinEvent -ComputerName $DC.HostName -FilterXML $Query | Where {$_.Message -like “*V1*”}| Select TimeCreated, Id, MachineName,userID,message
foreach($Event in $Events2){
Write-Host $DC.HostName $Event.ID $Event.TimeCreated
# Out-File -FilePath $NewOutputFile -InputObject “$($Event.EventID), $($Event.MachineName), $($Event.TimeGenerated), $($Event.ReplacementStrings),($Event.message)” -Append
Out-File -FilePath $NewOutputFile -InputObject “$($Event.ID), $($Event.MachineName), $($Event.Timecreated), ($Event.message)” -Append
}
}
foreach($DC in $ADDCs){GetEvents($DC)}

In the Query I just added but have not tested yet this portion: EventID=4776 or

Reply
Jamie November 10, 2021 - 7:51 pm

Of course I left in some comments which should have probably not been included. Please remove these if you have the ability.

Reply
CRB February 15, 2022 - 4:47 pm

EventId 8002 en 8004 are probably a better choice to search the NTLM audit events. They have an own event box in eventviewer Microsoft > windows > NTLM

Reply
Silver April 23, 2024 - 4:58 am

Kerberos is typically enabled by default in Windows AD environment and is the preferred authentication protocol.

Reply
david January 3, 2025 - 9:48 pm

Best practice is to not edit the default policies. Instead create a new policy with the settings you want to change and in the OU, set the link order so the new policy is higher number than Default.

Reply
admin January 6, 2025 - 8:10 am

You are right, it is better to make the changes through a separate GPO rather than through the Default Policy.

Reply
Jakapong August 20, 2025 - 10:26 am

One of the best article! Thanks a lot!

Reply

Leave a Comment Cancel Reply

join us telegram channel https://t.me/woshub
Join WindowsHub Telegram channel to get the latest updates!

Recent Posts

  • How to Delete a Windows Service via CMD or PowerShell

    October 16, 2025
  • Resource Fair Sharing in Windows Server Remote Desktop Services (RDS)

    October 6, 2025
  • How to Disable (Enable) Credential Guard in Windows 11

    October 6, 2025
  • Wrong Network Profile on Windows Server after Reboot

    September 30, 2025
  • How to Get Windows 10 Extended Security Updates After End-Of-Life

    September 24, 2025
  • Blocking NTLM Connections on Windows 11 and Windows Server 2025

    September 23, 2025
  • Windows Stucks at ‘Getting Windows Ready, Don’t Turn Off Computer’

    September 15, 2025
  • Clean Up ETL Log Files in ProgramData

    September 9, 2025
  • Fix: Slow Startup of PowerShell Console and Scripts

    September 3, 2025
  • DPI Scaling and Font Size in RDP (RDS) Session

    August 27, 2025

Follow us

  • Facebook
  • Twitter
  • Telegram
Popular Posts
  • Configure Google Chrome Settings with Group Policy
  • Allow Non-admin Users RDP Access to Windows Server
  • How to Disable or Enable USB Drives in Windows using Group Policy
  • How to Find the Source of Account Lockouts in Active Directory
  • Get-ADComputer: Find Computer Properties in Active Directory with PowerShell
  • Adding Domain Users to the Local Administrators Group in Windows
  • Configure Windows LAPS (Local Administrator Passwords Solution) in AD
Footer Logo

@2014 - 2024 - Windows OS Hub. All about operating systems for sysadmins


Back To Top