How to Enhance NTLM Authentication Monitoring with Windows Event Logs
Monitoring NTLM authentication brings its own problems: NTLM traffic is easy to generate, hard to attribute, and the default Windows events do not say which resource a client was trying to reach. Richer event data fixes that. It shows who still uses NTLM, which servers they reach, and where logon failures occur. Microsoft Defender for Identity (formerly Azure ATP) sensors now read Windows Event 8004 and add the server name and destination computer to NTLM authentication activities, including failed attempts. With that detail you can spot unusual activity, cut false alarms, and investigate NTLM credential abuse or lateral movement with better evidence.
Key Takeaways
Turn on NTLM auditing through Group Policy so you can see which accounts and devices use NTLM, and when.
Use Event IDs 8004 and 4776 together: 4776 records the credential validation on the domain controller, 8004 adds the server that was targeted.
Collect the NTLM logs centrally (Windows Event Forwarding, a SIEM, or Defender for Identity) so they can be searched across every server.
Hunt for abnormal NTLM activity: bursts of failed logons, workstation names that do not fit your naming standard, and logons at unusual hours.
Review NTLM logs on a schedule and tie alerts into your incident response plan so an attack is stopped early.
NTLM Authentication Monitoring
Why Monitor NTLM Authentication
You should monitor NTLM authentication because it is still in use on almost every Windows network. Kerberos is the default in Active Directory domains, but Windows falls back to NTLM whenever a Kerberos ticket cannot be obtained: workgroup computers, local accounts, resources addressed by IP address instead of hostname, and services whose Service Principal Names are missing. Some legacy applications, SQL Server configurations, and external trusts also require NTLM. Monitoring shows you exactly where these fallbacks happen.
Tip: Review which devices and accounts use NTLM on a regular basis. That inventory drives upgrade planning and tells you what will break when you start restricting NTLM.
NTLM is typically used in these situations:
Legacy applications that cannot use Kerberos.
Workgroup computers that are not joined to Active Directory.
Access to resources by IP address, for which no SPN is registered by default.
SQL Server and cluster configurations without the required SPNs.
Logons across external (non-forest) trusts, which do not support Kerberos.
Security Risks and Benefits
NTLM has well-known weaknesses. The NT hash is password-equivalent, so an attacker who steals it can authenticate with pass-the-hash without ever knowing the password. The hash is an unsalted MD4 of the password, which makes captured hashes cheap to crack offline with brute-force or dictionary attacks. NTLM provides neither mutual authentication nor any multifactor hook, and its challenge-response exchange can be relayed to other servers. Monitoring is how you find where these risks are live on your network and stop attacks that exploit them.
Monitoring also gives you useful data. You can find legacy systems, identify weak protocol versions such as NTLMv1, and build the evidence you need to retire NTLM safely. In regulated industries such as finance and healthcare, frameworks like HIPAA, PCI DSS and GDPR require strong authentication and continuous monitoring; NTLM monitoring is part of demonstrating that.
Enable Event Logging
Configure Audit Policies
You need to configure audit policies on your domain controllers to record NTLM authentication events. These settings record which accounts use NTLM and when. The steps are:
Log on to a computer that has the Group Policy Management Console (GPMC) with Domain Admin credentials.
Open GPMC. Right-click the Default Domain Controllers Policy (or a dedicated GPO linked to the Domain Controllers OU) and click Edit.
Go to Computer Configuration, then Policies, then Windows Settings, then Security Settings, then Local Policies, then Security Options.
Enable 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' so that advanced audit policy subcategories take effect.
Set 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' to 'Enable auditing for all accounts'.
Set 'Network security: Restrict NTLM: Audit NTLM authentication in this domain' to 'Enable all'. This is the setting that produces Event ID 8004 on the domain controller.
Set 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' to 'Audit all'.
Set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM'. This refuses weak LM and NTLMv1 responses. Before you enforce it, check the 'Package Name (NTLM only)' field of Event ID 4624 for logons still showing 'NTLM V1', because those clients will stop authenticating.
Close the Group Policy editor and confirm the resulting settings on a domain controller, for example with gpresult or the Resultant Set of Policy console. The Local Security Policy console (secpol.msc) only shows local settings and will not reflect the GPO until it has applied.
Confirm that auditing works: look for Event ID 4776 in the Security log and Event ID 8004 in the NTLM Operational log on the domain controller, and Event ID 4624 on the servers being accessed.
Tip: 'Audit NTLM authentication in this domain' only matters on domain controllers, but the incoming and outgoing audit settings write their own events to the NTLM Operational log of whichever computer is the client or server. Put those two settings in a GPO that also reaches member servers and workstations, and keep the settings identical across all domain controllers.
You can find the NTLM audit events in Event Viewer under Applications and Services Logs, then Microsoft, then Windows, then NTLM, then Operational. This log shows you NTLM activity and the systems that still depend on the protocol.
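The following script is an added example, not part of the original article, for the verification step above. It reads the effective values of the four policies from their documented registry backing store on a domain controller, compares them with the values the procedure asks for, and makes sure the NTLM Operational log is enabled and large enough. The 256 MB log size is an assumption; size it for your own domain controllers. Run it in an elevated PowerShell session on the DC after Group Policy has refreshed.

```powershell
# Added example (not from the original article): verify effective NTLM audit
# settings on a DC and size the NTLM Operational log. Registry locations and
# value meanings are the documented backing store for the named policies.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# One entry per policy from the procedure: registry value, expected setting,
# and the value-to-policy-text mapping from the policy reference.
$checks = @(
    @{ Policy = 'Restrict NTLM: Audit Incoming NTLM Traffic'
       Path = $msv; Name = 'AuditReceivingNTLMTraffic'; Want = 2
       Map = @{ 0 = 'Disable'; 1 = 'Enable auditing for domain accounts'; 2 = 'Enable auditing for all accounts' } },
    @{ Policy = 'Restrict NTLM: Audit NTLM authentication in this domain'
       Path = $msv; Name = 'AuditNTLMInDomain'; Want = 7
       Map = @{ 0 = 'Disable'; 1 = 'Enable for domain accounts to domain servers'; 3 = 'Enable for domain accounts'
                5 = 'Enable for domain servers'; 7 = 'Enable all' } },
    @{ Policy = 'Restrict NTLM: Outgoing NTLM traffic to remote servers'
       Path = $msv; Name = 'RestrictSendingNTLMTraffic'; Want = 1
       Map = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' } },
    @{ Policy = 'LAN Manager authentication level'
       Path = $lsa; Name = 'LmCompatibilityLevel'; Want = 5
       Map = @{ 0 = 'Send LM & NTLM responses'; 1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
                2 = 'Send NTLM response only'; 3 = 'Send NTLMv2 response only'
                4 = 'Send NTLMv2 response only. Refuse LM'; 5 = 'Send NTLMv2 response only. Refuse LM & NTLM' } }
)

foreach ($c in $checks) {
    # A missing value means the GPO has not applied and the OS default is in force.
    $val = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -eq $val) {
        $state = 'not set (policy has not applied; default in force)'
    } else {
        $state = '{0} = {1}' -f $val, $c.Map[[int]$val]
    }
    $flag = if ($val -eq $c.Want) { 'OK ' } else { 'FIX' }
    '{0} {1,-58} {2}' -f $flag, $c.Policy, $state
}

# 8004 lands in the NTLM Operational channel, which is small by default and
# wraps quickly once 'Enable all' is in effect.
$log = Get-WinEvent -ListLog 'Microsoft-Windows-NTLM/Operational'
'NTLM/Operational enabled={0} maxsize={1} MB records={2}' -f $log.IsEnabled, [int]($log.MaximumSizeInBytes / 1MB), $log.RecordCount
if (-not $log.IsEnabled -or $log.MaximumSizeInBytes -lt 256MB) {
    # Assumed target size of 256 MB; adjust for your DC's disk and event rate.
    wevtutil sl 'Microsoft-Windows-NTLM/Operational' /e:true /ms:268435456
}

# Proof that auditing is producing data: 8004 events written in the last hour.
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue
'8004 events in the last hour: {0}' -f @($recent).Count
```

The script only reads the policy values; it does not set them, because writing these registry values directly on a domain-joined machine would be overwritten at the next Group Policy refresh. A line marked FIX means the GPO has not applied or another GPO with higher precedence is setting a different value.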
Event IDs 8004 and 4776
When NTLM auditing is on, two event IDs matter most: 4776 and 8004.
Event ID 4776 ('The computer attempted to validate the credentials for an account') is written to the Security log of the domain controller that validated the credentials. It logs both successful and failed validations, with the authentication package, the target account name, the source workstation name, and an error code for failures. It is the canonical record of NTLM authentication for domain accounts, but it does not tell you which server or resource the user was trying to reach, and the workstation name is supplied by the client, so it can be blank or forged.
Event ID 8004 fills that gap. Written to the NTLM Operational log on the domain controller, it records the user, the user's domain, the source workstation, and the server that forwarded the NTLM exchange to the domain controller (the 'Secure Channel name' field), which is the resource being accessed. Azure ATP sensors from version 2.96 (the product is now Microsoft Defender for Identity) read event 8004 and add this server name and destination computer to the NTLM authentication activities they report, so you can see not only who authenticated but where, including for failed attempts.
Note: Event 8004 is the only one of the two that shows which server a user tried to reach. Event 4776 does not carry that information.
Azure ATP/Defender for Identity Integration and Log Volume Considerations
Microsoft Defender for Identity (formerly Azure ATP) adds another layer. Its sensors run on your domain controllers, inspect authentication traffic including NTLM, and read the Windows event logs and Active Directory data on the DC. From this the service builds a picture of which identities reach which resources and which accounts hold privilege.
With Defender for Identity you can:
Detect NTLM relay and brute-force attempts quickly.
Receive alerts for abnormal NTLM authentication activity.
See the source user, source device and destination server in the activity log, provided Event ID 8004 auditing is enabled on the domain controllers.
Tip: NTLM auditing is verbose. A busy domain controller writes a large number of 8004 events, and the NTLM Operational log is small by default, so raise its maximum size and plan storage for the increased volume. A Security Information and Event Management (SIEM) system is the practical place to keep and query these logs.
Also check the network for applications that still use NTLMv1. The 'Package Name (NTLM only)' field of Event ID 4624 shows 'NTLM V1' for those logons. Inventory every application that depends on NTLM and move it to Kerberos where you can; refuse NTLMv1 as soon as nothing legitimate needs it.
With the audit policies in place and the right tooling, you have the data to monitor NTLM properly and reduce the risk it carries.
Collect and Centralize Logs
Log Collection Methods
You need NTLM authentication events from every Windows server, not only the domain controllers. On the domain controllers, enable the Group Policy setting 'Network Security: Restrict NTLM: Audit NTLM authentication in this domain'; it records NTLM authentication attempts in Applications and Services Logs\Microsoft\Windows\NTLM\Operational. Start in audit mode. You do not have to block anything yet; first learn what normal NTLM traffic on your network looks like.
To gather logs from many servers, use a tool that collects them in one place so you can search across servers. Common choices:
ELK Stack (Elasticsearch, Logstash, Kibana) or OpenSearch for free, flexible log management.
Splunk for analytics and reporting.
Microsoft System Center Operations Manager (SCOM) for enterprise Windows monitoring.
Native Windows Event Forwarding (WEF) for central collection without extra agents. Subscribe to the Microsoft-Windows-NTLM/Operational channel as well as the Security log, because the 8004 events are not in the Security log.
NXLog for shipping Windows events to other systems.
A syslog server if you already run Linux or Unix infrastructure.
Tip: Central storage lets you compare current and historical logs and filter NTLM events across servers quickly. Coordinate with the other administrators so NTLM auditing is enabled on every server, or the picture will have gaps.
Using SIEM and Defender for Identity
A SIEM platform such as Microsoft Sentinel makes large volumes of authentication data manageable. It ingests from on-premises and cloud sources, correlates events across them, and can apply analytics rules and machine-learning detections to reduce false positives; automation rules can then take a response action such as disabling an account. Because all the logs are in one place, an NTLM failure on a member server can be matched with the 4776 on the domain controller and the 8004 that names the target.
Microsoft Defender for Identity focuses on identity attacks against Active Directory. It analyses domain controller traffic and events in near real time, raises alerts when credentials appear to be compromised, and integrates with Microsoft Defender XDR so that its alerts and investigations appear alongside endpoint and email signals.
Note: Both work best when you have decided in advance how long to retain logs and who reviews the alerts. Use them together for full coverage: Defender for Identity for the identity detections, the SIEM for retention and custom hunting.
Analyze NTLM Authentication Events
Interpreting Event Data
When you analyse NTLM authentication events, start from the fields in the Windows event logs. Event ID 8004 tells you which servers users reach over NTLM and where logon failures cluster; that is how you learn what normal looks like on your network.
A simple way to look at NTLM event data:
Open Event Viewer on a domain controller and go to the Microsoft-Windows-NTLM/Operational log.
Find Event ID 8004. It shows the source user, the source workstation and, in the 'Secure Channel name' field, the server the user tried to reach.
Look for Event ID 4625 in the Security log to see failed logons. Note that 4625 is written on the computer where the logon failed: for an NTLM logon to a member server that is the member server, while the domain controller records the credential check as Event ID 4776. Check the Logon Type, Logon Process, Authentication Package, Source Network Address, Failure Reason and Sub Status fields.
Use Logon Type to see how the logon was made. Logon Type 3 is a network logon (file shares, RPC, HTTP); Logon Type 10 is RemoteInteractive (Remote Desktop).
Check the Authentication Package field (NTLM or Kerberos) and the Logon Process (for example NtLmSsp) to confirm that NTLM was used. In Event ID 4624, 'Package Name (NTLM only)' adds whether it was NTLM V1 or NTLM V2.
Use Source Network Address to find where the request came from; it is '-' or empty for local logons.
Read the Failure Reason and the Sub Status code to know why the logon failed: 0xC000006A is a wrong password, 0xC0000064 an unknown user name, 0xC0000234 a locked-out account, 0xC0000072 a disabled account.
Compare failed logons (Event ID 4625) with successful ones (Event ID 4624) for the same account and source; a run of failures followed by a success is the classic sign of a guessed password.
Tip: Configure SIEM alerts for failure bursts, unexpected logon types, and first-seen devices for an account. Early alerts keep the investigation small.
These steps turn raw NTLM event data into a view of which servers are used over NTLM and where logons fail.
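The script below is an added example, not from the original article, that runs the procedure above as PowerShell on a domain controller: it summarises 24 hours of Event ID 8004 by target server, account and workstation, and decodes NTLM failures from Event ID 4625 with the Sub Status reasons. The field names are the Data Name values from each event's EventData XML (SChannelName, UserName, DomainName, WorkstationName for 8004; TargetUserName, TargetDomainName, WorkstationName, IpAddress, LogonType, AuthenticationPackageName, SubStatus for 4625); compare them with the XML view in Event Viewer on your build. The 24-hour window and the 15-row cut-off are assumptions.

```powershell
# Added example (not from the original article): NTLM usage summary from 8004
# and decoded NTLM logon failures from 4625. Run on a domain controller.
$since = (Get-Date).AddHours(-24)   # assumed window

function ConvertFrom-EventData {
    # Turn an event's <EventData><Data Name="..."> elements into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    foreach ($x in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$x.GetAttribute('Name')] = $x.'#text' }
    return $d
}

function Get-NtlmTargetSummary {
    # 8004: which account, from which workstation, used NTLM against which server.
    # SChannelName is the member server that forwarded the NTLM exchange to this
    # DC over its secure channel, i.e. the resource that was actually accessed.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{ Server = $d.SChannelName; User = "$($d.DomainName)\$($d.UserName)"; Workstation = $d.WorkstationName }
        } |
        Group-Object Server, User, Workstation | Sort-Object Count -Descending | Select-Object -First 15 |
        ForEach-Object { [pscustomobject]@{ Count = $_.Count; Server = $_.Group[0].Server; User = $_.Group[0].User; Workstation = $_.Group[0].Workstation } }
}

# NTSTATUS codes seen in the SubStatus field of 4625 (and the Status of 4776).
$reasons = @{
    '0xc000006a' = 'wrong password';       '0xc0000064' = 'user name does not exist'
    '0xc0000234' = 'account locked out';   '0xc0000072' = 'account disabled'
    '0xc000006f' = 'outside logon hours';  '0xc0000070' = 'workstation restriction'
    '0xc0000071' = 'password expired';     '0xc0000193' = 'account expired'
    '0xc0000224' = 'password must change'; '0xc000015b' = 'logon type not granted'
}

function Get-NtlmLogonFailures {
    # 4625 is written on the computer where the logon failed, so on a DC this
    # covers logons to the DC itself; run it on member servers for their own failures.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EventData $_ } |
        Where-Object { $_.AuthenticationPackageName -eq 'NTLM' } |
        ForEach-Object {
            $sub = ([string]$_.SubStatus).ToLower()
            $why = if ($reasons.ContainsKey($sub)) { $reasons[$sub] } else { $sub }
            [pscustomobject]@{
                User      = "$($_.TargetDomainName)\$($_.TargetUserName)"
                Source    = "$($_.WorkstationName) [$($_.IpAddress)]"
                LogonType = $_.LogonType   # 3 = network, 10 = RemoteInteractive
                Reason    = $why
            }
        } |
        Group-Object User, Source, LogonType, Reason | Sort-Object Count -Descending |
        ForEach-Object { [pscustomobject]@{ Count = $_.Count; Failure = $_.Name } }
}

Get-NtlmTargetSummary | Format-Table -AutoSize
Get-NtlmLogonFailures | Format-Table -AutoSize -Wrap
```

The first table is your NTLM baseline: the server column is the data 4776 cannot give you. The second shows which source and reason dominate the failures; a long list of different accounts with 'wrong password' from one source is a spray, one account with many 'wrong password' entries is brute force, and 'user name does not exist' from a single source usually means an attacker enumerating names.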
Detecting Suspicious Activity
Watch for signs of trouble in the NTLM logs. Attackers use stolen credentials over NTLM to move laterally, and the patterns below are how that shows up.
Look for these signs of suspicious activity:
Many NTLM authentication attempts in a short time, especially from unknown IP addresses or devices. Password spraying looks like one or two failures per account across many accounts; brute force looks like many failures against one account.
Logons from workstation names that do not match your naming standard. Attack tooling often reports generic or tool-specific names such as 'Windows10', 'mstsc' or 'Rdesktop', or a blank name.
Event ID 4624 with Logon Type 3 (network logon) from unexpected sources, or the same account logging on to several computers within minutes.
Event ID 4648 (logon with explicit credentials), which is how use of another account's credentials, including lateral movement with stolen ones, appears on the source host.
Logons at odd hours for that account, such as late at night or at weekends.
Account lockouts (Event ID 4740 on the domain controller) after a series of failed attempts.
Event ID 8004 showing NTLM access to sensitive servers from an account or workstation that does not normally touch them.
Note: Keep the NTLM auditing policies enabled and use Event ID 8004 to see which devices were targeted; without it you only know that a credential was checked, not what it was used for.
When you see suspicious NTLM authentication activity, investigate it like this:
Review PowerShell script block logs on the source host for tooling that performs NTLM authentication.
Check process details on the source host, including parent process and command line, to see whether they are expected.
Investigate the source and destination IP addresses for other unusual network activity.
Check the account involved for signs of compromise, such as password changes, new group memberships, or logons from other new hosts.
Correlate the NTLM events with other security logs to confirm or rule out lateral movement.
Increase the maximum size of the NTLM Operational log, which is small by default, and search it for Event ID 8004 to see every target of the suspicious account.
Use the 'Secure Channel name' field in Event ID 8004 to identify the server that was targeted.
Check firewall and network logs for connections to sensitive ports such as RDP (TCP 3389) and SMB (TCP 445).
If you confirm a threat, isolate the affected systems, reset the credentials involved, block the suspicious IP addresses, and notify your security team.
🛡️ Security Tip: Keep your NTLM auditing and event log settings current and review the logs on a schedule, so threats are caught before they cause harm.
By following these steps you can find and respond to suspicious NTLM authentication activity and keep your network safer.
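The following script is an added example, not from the original article, that turns the first four warning signs above into hunting rules over Event ID 4776 records: failure bursts from one workstation, workstation names outside the naming standard, one account validated from several hosts in a short window, and successful validations out of hours. It runs against live domain controller data or against the constructed sample records at the bottom. Every threshold (10 failures within 5 minutes, 3 workstations within 15 minutes, off-hours 22:00 to 06:00) and the naming pattern '^(WS|SRV|DC)\d{3,}$' are assumptions to tune for your environment.

```powershell
# Added example (not from the original article): hunting rules over 4776 records.
# Status values are the text of the 4776 Status field; '0x0' is success.

function Get-Ntlm4776Records {
    # Normalise live 4776 events from this DC to (Time, User, Workstation, Status).
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($x in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$x.GetAttribute('Name')] = $x.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName; Workstation = $d.Workstation; Status = $d.Status }
        }
}

function Find-SuspiciousNtlm {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$BurstThreshold = 10, [int]$BurstMinutes = 5,      # assumed thresholds
        [int]$HostThreshold = 3, [int]$SpreadMinutes = 15,
        [string]$NamePattern = '^(WS|SRV|DC)\d{3,}$'            # assumed naming standard
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # Rule 1: bursts of failures from one workstation (brute force / password spray).
    $Records | Where-Object { $_.Status -ne '0x0' } | Group-Object Workstation | ForEach-Object {
        $ws = if ($_.Name) { $_.Name } else { '<blank>' }
        $times = @($_.Group | Sort-Object Time | ForEach-Object { $_.Time })
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end = $times[$i].AddMinutes($BurstMinutes)
            $n = @($times | Where-Object { $_ -ge $times[$i] -and $_ -lt $end }).Count
            if ($n -ge $BurstThreshold) {
                $findings.Add([pscustomobject]@{ Rule = 'failure-burst'; Subject = $ws; Detail = "$n failures within $BurstMinutes min from $($times[$i])" })
                break
            }
        }
    }

    # Rule 2: workstation names outside the naming standard, or blank.
    $Records | Group-Object Workstation | ForEach-Object {
        if ((-not $_.Name) -or ($_.Name -notmatch $NamePattern)) {
            $label = if ($_.Name) { $_.Name } else { '<blank>' }
            $users = @($_.Group | ForEach-Object { $_.User } | Select-Object -Unique | Select-Object -First 5) -join ','
            $findings.Add([pscustomobject]@{ Rule = 'workstation-name'; Subject = $label; Detail = "$($_.Count) events; accounts: $users" })
        }
    }

    # Rule 3: one account validated from several workstations in a short window (lateral movement).
    $Records | Where-Object { $_.Status -eq '0x0' } | Group-Object User | ForEach-Object {
        $user = $_.Name
        $ok = @($_.Group | Sort-Object Time)
        for ($i = 0; $i -lt $ok.Count; $i++) {
            $end = $ok[$i].Time.AddMinutes($SpreadMinutes)
            $hosts = @($ok | Where-Object { $_.Time -ge $ok[$i].Time -and $_.Time -lt $end } | ForEach-Object { $_.Workstation } | Select-Object -Unique)
            if ($hosts.Count -ge $HostThreshold) {
                $findings.Add([pscustomobject]@{ Rule = 'multi-host-account'; Subject = $user; Detail = "$($hosts.Count) workstations within $SpreadMinutes min: $($hosts -join ',')" })
                break
            }
        }
    }

    # Rule 4: successful validations outside working hours.
    $Records | Where-Object { $_.Status -eq '0x0' -and ($_.Time.Hour -ge 22 -or $_.Time.Hour -lt 6) } | Group-Object User | ForEach-Object {
        $findings.Add([pscustomobject]@{ Rule = 'off-hours'; Subject = $_.Name; Detail = "$($_.Count) successful validations between 22:00 and 06:00" })
    }
    return $findings
}

# Constructed sample records (not real log data) so the rules can be tried offline.
$t0 = Get-Date '2024-03-12 02:00:00'
$sample = @()
foreach ($k in 0..11) {   # 12 wrong-password failures in 3 minutes from a tool-style hostname
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds(15 * $k); User = "user$k"; Workstation = 'Rdesktop'; Status = '0xc000006a' }
}
$i = 0
foreach ($ws in 'WS0101', 'WS0102', 'SRV0042', 'WS0107') {   # one account across 4 hosts in 6 minutes, at night
    $sample += [pscustomobject]@{ Time = $t0.AddMinutes(30 + 2 * $i); User = 'svc_backup'; Workstation = $ws; Status = '0x0' }
    $i++
}
$sample += [pscustomobject]@{ Time = $t0.AddHours(8); User = 'alice'; Workstation = 'WS0200'; Status = '0x0' }   # normal, not flagged

Find-SuspiciousNtlm -Records $sample | Format-Table -AutoSize
# Live data: Find-SuspiciousNtlm -Records (Get-Ntlm4776Records) | Format-Table -AutoSize
```

On the sample the rules report a failure-burst and a workstation-name finding for 'Rdesktop', and a multi-host-account and an off-hours finding for 'svc_backup'; 'alice' is not reported. Rule 3 is the one that most often needs tuning, since service accounts and administrators legitimately touch many hosts; keep an allow list for those rather than raising the threshold for everyone.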
Best Practices
Ongoing Monitoring
Monitor NTLM authentication continuously. First enable NTLM auditing in the Windows event logs, then feed the events into a tool that surfaces authentication attempts as they happen and alerts on anomalies. Decide how often the logs are reviewed: daily at minimum, continuously where you can. Prompt review catches attackers before they hide or clear the evidence.
Tip: Use a SIEM to collect and analyse authentication data from all servers. Seeing every server in one place is what makes patterns and outliers visible.
Steps that strengthen your monitoring:
Watch all NTLM authentication attempts with real-time tooling.
Patch systems promptly.
Harden endpoints: strong passwords, and local administrator rights kept to a minimum.
Track changes to user accounts, passwords and security groups.
Look for logon attempts by the same account from several devices.
Move to Kerberos-only authentication where you can, and restrict NTLM with the 'Restrict NTLM' deny settings once auditing shows that nothing legitimate still needs it.
Retain the logs for at least the period your regulations require (PCI DSS, for example, requires 12 months of audit log history with 3 months immediately available), or longer if your own policy says so. Store them centrally and encrypted, where the systems that generated them cannot alter them, so you have reliable evidence when something goes wrong.
Incident Response Integration
Connect NTLM authentication monitoring to your incident response plan so you can act quickly when you see signs of an attack. Legacy protocols like NTLM are a common target of password spray and credential stuffing attacks, and logging NTLM activity gives you early warning of them.
Add these steps to your incident response plan:
Set up alerts for critical events such as Security log clearing (Event ID 1102) and bursts of failed logons.
Use analytics that flag abnormal NTLM traffic or privilege escalation.
Review administrator actions and Group Policy changes for misuse.
Connect the monitoring to your security team's playbooks so responders know what to do with each alert.
Continuous monitoring combined with adaptive authentication shortens response times: solutions that demand an extra verification step when risk is detected stop many attacks before they succeed.
You improve NTLM authentication monitoring by enabling detailed event logging, centralising the logs, and analysing them with the right tools. With the extra event data you can see which applications and services still use NTLM, track that use over time, and catch threats early if you review the logs regularly. Start with the audit settings, then add Azure ATP or Defender for Identity to strengthen detection.
FAQ
How do you enable NTLM auditing on a domain controller?
Open the Group Policy Management Console and edit the Default Domain Controllers Policy (or a GPO linked to the Domain Controllers OU). Under Security Settings, then Local Policies, then Security Options, set the 'Network security: Restrict NTLM' audit settings to their audit values. Let the policy apply to the domain controllers, then confirm that Event ID 8004 appears in the NTLM Operational log.
What does Event ID 8004 show you?
Event ID 8004 records an NTLM authentication in the domain: the user, the user's domain, the source workstation, and the server that the user tried to reach ('Secure Channel name'). Because it includes the target resource, it is the event that lets you spot unusual NTLM activity rather than only counting credential checks.
Can you use Defender for Identity with NTLM logs?
Yes. The Defender for Identity sensor on the domain controller reads NTLM events such as 8004 and adds the target server to the authentication activities it reports, and it raises alerts for suspicious NTLM activity. 8004 auditing must be enabled on the domain controllers for the server information to appear.
What should you do if you see many failed NTLM logons?
First identify the device and account behind the failures. Look for patterns such as many attempts against many accounts from one source, or an unknown workstation name. Report it to your security team; you may need to block the source device or IP address and reset the affected account's password.
How long should you keep NTLM authentication logs?
Keep NTLM logs for at least the period your regulations require; PCI DSS, for example, requires 12 months. Store them centrally and securely so they are available for investigations and audits.