PRACTITIONER GUIDE | IDENTITY SECURITY
Practitioner GuideUpdated 11 min read

NTLM Restriction and Auditing: How to Identify and Reduce NTLM in Your Active Directory Environment

NTLMv1 should be blocked everywhere
NTLMv1 uses DES encryption and can be cracked in minutes with modern hardware. No legitimate application requires NTLMv1 in a modern environment. Block it immediately via the LAN Manager authentication level Group Policy setting
LM compatibility level 5
is the recommended setting for the LAN Manager authentication level policy: 'Send NTLMv2 response only, refuse LM and NTLM.' This blocks NTLMv1 and LM responses while allowing NTLMv2 for applications that cannot use Kerberos. Level 3 is the default on modern Windows; levels 1 and 2 allow downgrade attacks
Event ID 8003
is generated on domain controllers when a machine makes an NTLM authentication request. It identifies: the client that used NTLM, the server being accessed, and the domain. This is the primary event for NTLM usage inventory during the audit phase
2 to 4 weeks
is the recommended NTLM audit period before any restriction. Applications may authenticate on varied schedules (monthly jobs, quarterly processes). Audit for at least 2 weeks to capture most NTLM usage patterns before configuring blocks

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Turning off NTLM without first auditing what uses it is how organizations break authentication for line-of-business applications and spend the next week rolling back. The correct process is: enable NTLM audit logging (generates no disruption), collect two weeks of Event 8003/8004 data, build an inventory of every NTLM-dependent application, plan remediations (fix the application to use Kerberos, or document the exception), then apply restrictions in stages. This project takes months but each stage reduces the NTLM relay and Pass-the-Hash attack surface.

Enable NTLM Audit Logging Without Breaking Anything

NTLM audit mode logs NTLM usage without blocking it. Enable it everywhere before making any restrictions.

Group Policy path (apply to domain root or all OUs): Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Setting: Network Security: Restrict NTLM: Audit NTLM authentication in this domain

  • Value: Enable all
  • This generates Event ID 8003 on DCs for every NTLM authentication through the domain

Setting: Network Security: Restrict NTLM: Audit Incoming NTLM Traffic

  • Value: Enable auditing for all accounts
  • This generates Event ID 8003 on member servers for incoming NTLM (useful for identifying NTLM-using services)

Setting: Network Security: Restrict NTLM: Audit NTLM authentication to servers in this domain

  • Value: Enable all
  • Generates Event ID 8004 on DCs for authentication to domain servers

Increase the Security event log size on DCs:

# Increase DC event log to capture two weeks of NTLM audit events
WevtUtil sl Security /ms:1073741824  # 1 GB maximum log size

Inventory NTLM Usage from Event Logs

After two weeks of audit logging, query for NTLM events to build your inventory:

# Query NTLM audit events from a single DC
Get-WinEvent -ComputerName dc01 -FilterHashtable @{
    LogName = 'Security'
    Id = @(8003, 8004)
    StartTime = (Get-Date).AddDays(-14)
} | ForEach-Object {
    [PSCustomObject]@{
        Time        = $_.TimeCreated
        EventID     = $_.Id
        Client      = $_.Properties[0].Value  # Machine making NTLM request
        Domain      = $_.Properties[1].Value
        Server      = $_.Properties[2].Value  # Target server
        PackageType = $_.Properties[3].Value  # NTLM version
    }
} | Group-Object Client, Server, PackageType | Sort-Object Count -Descending |
    Select-Object Count, Name |
    Export-Csv C:\NTLM-Audit.csv -NoTypeInformation

Analyze the output:

  • PackageType = NTLM V1: Immediate priority -- no modern app needs NTLMv1
  • PackageType = NTLM V2: Document the client/server pair -- this is what will break when you restrict
  • Client = a server (not a workstation): A server-to-server NTLM auth -- common for services with hardcoded credentials
  • Server = a domain controller: NTLM auth to a DC itself -- should almost always be Kerberos

Common sources of NTLM in enterprise environments:

  • Applications using Windows integrated auth with localhost as the target (Kerberos cannot be used for loopback; NTLM is used)
  • Applications connecting by IP address instead of hostname (Kerberos requires hostname for SPN lookup; IP triggers NTLM)
  • Old IIS applications using Windows Auth without SPN registration
  • SQL Server linked servers using Windows Auth without proper SPN configuration
  • Printers and scanners with NTLM authentication baked in
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Block NTLMv1 Immediately

NTLMv1 can be blocked without significant compatibility risk in modern environments.

Group Policy path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Setting: Network Security: LAN Manager authentication level

  • Value: Send NTLMv2 response only; refuse LM and NTLM
  • This is Level 5. It blocks NTLMv1 and LM authentication while allowing NTLMv2.
  • Apply to all computers in the domain via a GPO at the domain root

Check current setting:

# Check LM compatibility level on an endpoint
(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel).LmCompatibilityLevel
# 0 = LM and NTLMv1 allowed (extremely insecure)
# 3 = NTLMv2 only sent, LM and NTLMv1 accepted (Windows default before policy)
# 5 = NTLMv2 only, refuse LM and NTLMv1 (recommended)

Verify no NTLMv1 traffic after blocking:

# After applying the policy, check for any Event 8003 events with PackageType = 'NTLM V1'
# If they still appear, those machines are not receiving the GPO -- investigate
Get-WinEvent -ComputerName dc01 -FilterHashtable @{
    LogName = 'Security'; Id = 8003
} | Where-Object { $_.Properties[3].Value -like '*V1*' }

Progressive NTLMv2 Restriction for Servers and DCs

After blocking NTLMv1, progressively restrict NTLMv2 based on your audit inventory.

Stage 1: Block NTLM to domain controllers DCs should almost never need NTLM -- all DC authentication should be Kerberos. Computer Configuration > Security Settings > Local Policies > Security Options (Applied to Domain Controllers OU GPO)

  • Network Security: Restrict NTLM: NTLM authentication in this domain: Deny for domain accounts
    • Start with: Deny for domain accounts to domain servers
    • Later: Deny all domain accounts

Stage 2: Block NTLM from specific servers that you have confirmed are clean Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers

  • Value: Audit all (already done), then: Deny all
  • Apply this to server OUs where you have verified all NTLM sources are remediated

Exception list for applications that cannot be remediated immediately: Network Security: Restrict NTLM: Add server exceptions in this domain

  • Specify the server FQDN of servers that must receive NTLM (buys time for remediation)

Fix NTLM from IP-address connections:

# Find applications connecting by IP (NTLM indicator)
# Update connection strings from IP to hostname to enable Kerberos
# Ensure SPNs are registered for the service:
setspn -A HTTP/serverhostname domain\serviceaccount
setspn -L domain\serviceaccount  # Verify SPN registration

The bottom line

NTLM restriction is a multi-stage project. Immediate actions: enable NTLM audit logging (Event 8003/8004 on DCs), block NTLMv1 via LM compatibility level 5. Month 2-3: analyze audit data, build application inventory, remediate IP-address connections and missing SPNs. Month 4+: block NTLM to DCs, then progressively restrict NTLM for clean server groups. Each restriction stage should be preceded by at least two weeks of NTLM audit logging to confirm no new NTLM sources in scope.

Frequently asked questions

Why does NTLM still work when I thought Kerberos replaced it?

Kerberos is the default authentication protocol for domain-joined machines when they communicate with other domain-joined machines by hostname. NTLM is used as a fallback in specific situations: when the target is accessed by IP address instead of hostname (Kerberos requires a hostname for SPN lookup), when the target machine is not domain-joined, when the SPN for the target service is not registered in Active Directory, when Kerberos tickets cannot be obtained (DC unreachable), or for local account authentication (local accounts cannot use Kerberos). Applications that were written or configured when NTLM was the norm often have hardcoded IP addresses or do not have proper SPN configurations, keeping NTLM usage alive years after Kerberos became the default.

Will restricting NTLM break applications that use Windows Integrated Authentication?

It depends on whether those applications have proper SPN configuration and hostname-based connections. Web applications using Windows Integrated Auth (IIS/NTLM) will fail if: the SPN is not registered for the service account, users connect via IP address or non-FQDN URL, or the app uses loopback (localhost) authentication. Applications connecting to SQL Server via Windows Auth will fail if SPNs are missing for the SQL service. The audit phase (Event 8003/8004) identifies exactly which applications use NTLM -- this is your remediation list before any blocking.

What is the NTLM deprecation timeline from Microsoft?

Microsoft announced in October 2023 that NTLM will be deprecated in future versions of Windows. As of 2026, NTLM is still available and functional but Microsoft's direction is clear. The timeline has not specified a hard removal date -- NTLM will likely remain available as a compatibility option for years. However, Microsoft is actively preventing new NTLM usage in new products (Entra ID does not support NTLM; modern Azure services are Kerberos or OAuth2 only). Organizations should treat NTLM restriction as a proactive security project independent of the deprecation timeline.

Does disabling NTLM affect workstation logins?

Interactive logins (sitting at a workstation console or RDP) to domain-joined machines use Kerberos, not NTLM -- disabling NTLM does not affect these. The affected scenarios are network authentication (connecting to SMB shares, WMI, web services) where the application or protocol falls back to NTLM. Local account logins always use NTLM (local accounts cannot use Kerberos) -- if you have applications using local accounts for network authentication, those will break when NTLM is blocked and require migrating to domain accounts with Kerberos or a service account with proper SPN configuration.

What is NTLM relay and why is it considered a critical AD attack technique?

NTLM relay is an attack where the adversary intercepts an NTLM authentication attempt from one machine (the victim) and relays it to a different server (the target) to authenticate as the victim. Because NTLM does not include the server's identity in the authentication exchange, the victim machine cannot detect that its credentials are being forwarded to a different target. NTLM relay does not require cracking passwords -- the attacker just forwards the hash. From a workstation, an attacker can coerce a server or DC to authenticate to their listener (via file share coercion, PetitPotam, or PrinterBug), relay the authentication to another server, and authenticate as that server's machine account. If the relayed-to server allows machine account authentication, the attacker gains access. SMB signing eliminates this attack by requiring that each message include a signature verifying the server's identity.

How do I audit which applications in my environment are still using NTLM and quantify the scope before disabling it?

Enable NTLM audit logging across all DCs: Computer Configuration > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM > Audit NTLM authentication in this domain: set to 'Enable all'. This generates Event ID 8002 (incoming NTLM authentication to domain account) and Event ID 4776 (NTLM authentication attempt) on DCs. Collect these events in your SIEM and query by account name and source workstation to build a complete list of NTLM-authenticating applications and the accounts they use. The data is very noisy at first -- run collection for 4 weeks to capture applications with monthly or quarterly authentication patterns. From the results, categorize: applications using machine accounts (common, usually benign, fix by ensuring SMB signing), applications using service accounts (needs configuration change to use Kerberos or LDAP simple bind with TLS), and applications using user accounts (requires application reconfiguration or vendor upgrade). The audit phase typically takes 2-3 months before you have enough data to confidently scope NTLM restriction.

Sources & references

  1. Microsoft -- Restrict and audit NTLM
  2. Microsoft -- NTLM Overview

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.