Restricting NTLM completely might prevent users from accessing a computer
NT LAN Manager (NTLM) authentication was introduced with Windows NT and is still used on networks that include pre-Windows XP clients or pre-Windows 2000 Server servers. It is also used when authenticating users in a workgroup environment and in a domain when Kerberos authentication cannot be negotiated. However, NTLM authentication is not as secure as Kerberos authentication, so if you are configuring a network that requires strong security and includes domain controllers running Windows Server 2008 R2 and clients running Windows 7, you might want to restrict the use of NTLM.
A domain controller running Windows Server 2008 R2
User account that is a member of the Domain Admins group
Instructions
1. Click the "Start" button. Point to the "Administrative Tools" menu item, and then click the "Group Policy Management" menu item to open the "Group Policy Management Console."
2. Expand the node for your "Active Directory" forest, followed by the "Domains" node, the node for your domain and the "Domain Controllers" node. Select the "Default Domain Controllers" policy.
3. Right-click the "Default Domain Controllers" policy, and then choose the "Edit" menu item.
4. Expand the "Policies" node under "Computer Configuration." Expand the "Windows Settings" node followed by the "Security Settings" node and the "Local Policies" node. Select the "Security Options" node.
5. Scroll down the list of policy settings to locate the "Network Security: Restrict NTLM authentication in this domain" policy setting. Double-click it to open its "Security Policy Settings" dialog.
6. Check the "Define this policy setting" checkbox.
7. Select "Deny for domain accounts to domain servers" from the drop-down list if you want to prevent domain users from authenticating to servers in the domain using NTLM. Select "Deny for domain accounts" from the drop-down list if you want to prevent domain users from logging on using NTLM authentication. Select "Deny for domain servers" if you want to prevent domain servers from using NTLM for authentication. Select "Deny all" to prevent any NTLM authentication.
8. Click the "OK" button to accept the change. You will be prompted with a warning that the setting might affect compatibility with clients, services and applications. Click the "Yes" button.
9. Click the "Close" button in the title bar of the "Group Policy Management Editor," and then click the "Close" button in the title bar of the "Group Policy Management Console."
Tips & Warnings
If one or more computers need to authenticate using NTLM, you can enable the "Restrict NTLM: Add server exceptions in this domain" policy setting and add the computer to the list.
To find out whether NTLM is being used on your network, consider enabling the "Network security: Audit NTLM authentication in this domain" and "Network security: Audit incoming NTLM traffic" policy settings prior to restricting NTLM.
You can find detailed information about each policy setting on the "Explain" tab of the "Policy Setting" dialog.
Disabling NTLM might have unexpected results. Monitor your network before and after disabling NTLM to create any necessary exceptions and reduce downtime.
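The audit-before-restrict advice above can be scripted. The following PowerShell is an added example, not part of the original article: it reports the current state of the domain NTLM restriction and exception list from the Netlogon registry values the policy writes, and summarises the NTLM operational log that the audit settings populate, so you can see which accounts and workstations still need exceptions. The numeric-to-name mapping of the policy values and the field labels parsed from the event text are assumptions; confirm them against the "Explain" tab and a sample event.

```powershell
# Added example (not from the original article): survey NTLM use on a DC before
# restricting it. Assumes an elevated PowerShell session on a Windows Server
# 2008 R2 or later domain controller.

# Netlogon registry values written by the "Restrict NTLM" domain policies.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Map the stored number to the drop-down wording. The numeric mapping is an
# assumption; confirm it on the policy's "Explain" tab before relying on it.
function Describe-NtlmLevel([object]$Value, [string]$Verb) {
    if ($null -eq $Value) { return 'Not configured' }
    $names = @{ 0 = 'Disable'; 1 = "$Verb for domain accounts to domain servers"
                3 = "$Verb for domain accounts"; 5 = "$Verb for domain servers"; 7 = "$Verb all" }
    if ($names.ContainsKey([int]$Value)) { $names[[int]$Value] } else { "Unknown ($Value)" }
}

function Get-NtlmDomainPolicy {
    $p = Get-ItemProperty -Path $netlogon -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RestrictNTLMInDomain = Describe-NtlmLevel $p.RestrictNTLMInDomain 'Deny'
        AuditNTLMInDomain    = Describe-NtlmLevel $p.AuditNTLMInDomain 'Enable'
        DCAllowedNTLMServers = $p.DCAllowedNTLMServers   # the server-exception list
    }
}

# Summarise who still authenticates with NTLM, from the operational log that
# the audit policy settings populate.
function Get-NtlmAuditSummary([int]$Days = 7) {
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    if (-not $events) { Write-Warning 'No NTLM audit events; enable the audit settings first.'; return }

    # Labelled fields pulled from the event text (labels assumed from the event layout).
    $fields = 'User name', 'Domain name', 'Workstation name', 'Secure Channel name'
    $events | ForEach-Object {
        $row = [ordered]@{ EventId = $_.Id }
        foreach ($f in $fields) {
            $m = [regex]::Match($_.Message, "(?m)^\s*${f}:\s*(.+?)\s*$")
            $row[$f -replace ' ', ''] = if ($m.Success) { $m.Groups[1].Value } else { '' }
        }
        [pscustomobject]$row
    } | Group-Object EventId, DomainName, UserName, WorkstationName, SecureChannelName |
        Sort-Object Count -Descending | Select-Object Count, Name
}

Get-NtlmDomainPolicy | Format-List
Get-NtlmAuditSummary -Days 7 | Format-Table -AutoSize
```

Run it with the audit settings enabled for a week or two before changing the restriction, and feed the workstation and server names it lists into the server-exception policy where NTLM cannot be removed.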