Disabling NTLM

If you want to disable NTLM and move to Kerberos in an Active Directory environment, you’ll need to follow this process.

  1. Enable auditing (covered in this post)
  2. Reconfigure applications to use Service Principal Name (SPN)
  3. Whitelist allowed NTLM servers
  4. Configure blocking

The first step is to enable auditing on your domain controllers. The easiest way is to create a GPO and apply it to an OU containing your DCs. Here’s what mine looks like:

Once defined, use Splunk (or another log collector) to capture all events written to this log:

Applications and Services Logs -> Microsoft -> Windows -> NTLM -> Operational

My Splunk inputs.conf looks like this:

[WinEventLog://Microsoft-Windows-NTLM/Operational]
disabled = 0
index = msad

Splunk query:

index=msad sourcetype="WinEventLog:Microsoft-Windows-NTLM/Operational"
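As an added example (not code from the original post), the script below reduces NTLM Operational events forwarded by the input above into an inventory of which servers, workstations and accounts still authenticate with NTLM, which is the list you need before the whitelist and blocking steps. The sample events and the field names (Secure Channel name, User name, Domain name, Workstation name) are constructed to resemble the domain controller audit events; verify them against your own log output before relying on the parser.

```python
import re
from collections import Counter

# Constructed sample records shaped like Splunk's WinEventLog output for the
# NTLM/Operational channel. Field layout is assumed, not copied from a real DC.
SAMPLE_EVENTS = [
    {"EventCode": "8004", "Message": "Domain Controller Blocked Audit: Audit NTLM authentication to this domain.\n"
        "Secure Channel name: FILESRV01\nUser name: jdoe\nDomain name: CORP\nWorkstation name: WS-0042"},
    {"EventCode": "8004", "Message": "Domain Controller Blocked Audit: Audit NTLM authentication to this domain.\n"
        "Secure Channel name: FILESRV01\nUser name: jdoe\nDomain name: CORP\nWorkstation name: WS-0042"},
    {"EventCode": "8004", "Message": "Domain Controller Blocked Audit: Audit NTLM authentication to this domain.\n"
        "Secure Channel name: LEGACYAPP\nUser name: svc_backup\nDomain name: CORP\nWorkstation name: WS-0107"},
    # A record with a missing workstation field, to show the parser degrades gracefully.
    {"EventCode": "8004", "Message": "Domain Controller Blocked Audit: Audit NTLM authentication to this domain.\n"
        "Secure Channel name: PRINTSRV\nUser name: mlee\nDomain name: CORP"},
]

# One "Label: value" pair per line; only the fields we need for the inventory.
FIELD_RE = re.compile(r"^(Secure Channel name|User name|Domain name|Workstation name):\s*(.*)$", re.M)


def parse_event(message):
    """Extract the audit fields from one event message into a dict."""
    return {label: value.strip() for label, value in FIELD_RE.findall(message)}


def ntlm_inventory(events):
    """Count NTLM authentications per (server, workstation, DOMAIN\\user)."""
    counts = Counter()
    for ev in events:
        f = parse_event(ev["Message"])
        key = (
            f.get("Secure Channel name", "<unknown>"),
            f.get("Workstation name", "<unknown>"),
            f"{f.get('Domain name', '<unknown>')}\\{f.get('User name', '<unknown>')}",
        )
        counts[key] += 1
    return counts


def servers_still_using_ntlm(events, exempt=()):
    """Servers seen accepting NTLM, minus any already on the whitelist (step 3)."""
    return sorted({srv for (srv, _ws, _user) in ntlm_inventory(events) if srv not in exempt})


if __name__ == "__main__":
    for (srv, ws, user), n in ntlm_inventory(SAMPLE_EVENTS).most_common():
        print(f"{n:4d}  server={srv:<12} workstation={ws:<10} user={user}")
    print("Servers not yet whitelisted:", servers_still_using_ntlm(SAMPLE_EVENTS, exempt=("LEGACYAPP",)))
```

Point the same functions at the events exported from your Splunk search to get the real inventory; the highest counts are the applications to reconfigure for Kerberos (SPNs) first.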
