NTLMv1 logging enhancements

April 4, 2014

Some minor service changes are planned for the UWWI NETID domain service.

What and When:

Today at 11am, we will add three group policy settings to the Default Domain Policy and add one setting to the Default Domain Controllers Policy. These settings are:

Default Domain Policy

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow Local System to use computer identity for NTLM = Enabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Audit All

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Restrict NTLM: Audit Incoming NTLM Traffic = Enable auditing for all accounts

Default Domain Controllers Policy

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Restrict NTLM: Audit NTLM authentication in this domain = Enable all

After we’ve turned off NTLMv1 on the domain controllers, we expect to remove the three settings with “Restrict NTLM” in their name.

What you need to do:

Nothing. This is a low impact change. Computers in the domain may generate up to an additional 1MB of log data.

Domain admins in domains that trust NETID are strongly encouraged to set these group policy settings in their Windows domain. See the More Info section for why.

More info:

First, please note that the three settings with “Restrict NTLM” in their name do not prevent NTLM—they are so named because they are part of a package of settings designed to help organizations eliminate NTLM.

http://technet.microsoft.com/en-us/library/jj852275.aspx and http://blogs.technet.com/b/askds/archive/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7.aspx describe these settings in more detail.

We are setting ‘Network security: Allow Local System to use computer identity for NTLM’ to allow Vista or newer computers to use their computer identity (instead of anonymous) when performing so-called “null session” interactions over the network. Besides being a general improvement, this has a side benefit for our efforts to eliminate NTLMv1 authentications in the NETID domain: it more clearly identifies in the logs which computers are the source of NTLMv1.

We are setting the three settings with “Restrict NTLM” in their name to gain more detailed information about NTLMv1 use. Note that these settings generate additional log entries for NTLM traffic, separate from those already generated in the Windows Security log.

We believe all of these changes will allow us to more specifically target responsible individuals whose computers are misconfigured to use NTLMv1. We also believe this extra logging will later aid reactive troubleshooting efforts on the day that we turn NTLMv1 off on the NETID domain controllers. Domains that trust NETID are likely to be put in the position of needing to help identify the specific cause, and the extra information generated by these settings will be valuable for that. So we encourage all domains that trust NETID to also apply these settings.
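As an added example that is not part of the original announcement: a PowerShell script that, run on a domain controller or member server, lists the source computers and accounts behind NTLMv1 logons recorded in the Security log, then counts the separate audit events the “Restrict NTLM” settings generate. It assumes Security event 4624 reports the NTLM version in its LmPackageName field and that those audit events land in the Microsoft-Windows-NTLM/Operational log; the announcement itself states neither.

```powershell
# Added example (not part of the original announcement): list the computers
# still sending NTLMv1 logons to the machine this runs on. Needs an elevated
# session that can read the Security log. Assumptions: event 4624 records the
# NTLM version in 'LmPackageName' ("NTLM V1"/"NTLM V2"); the 24h window is a choice.
param([int]$HoursBack = 24)

$start = (Get-Date).AddHours(-$HoursBack)

# Logon events in the window; package/version are filtered below, not here.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = $start
} -ErrorAction SilentlyContinue

$ntlmv1 = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['AuthenticationPackageName'] -eq 'NTLM' -and
        $data['LmPackageName'] -eq 'NTLM V1') {
        [pscustomobject]@{
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
        }
    }
}

# One row per source computer: how often it used NTLMv1 and with which accounts.
$ntlmv1 |
    Group-Object Workstation, SourceIP |
    Sort-Object Count -Descending |
    ForEach-Object {
        $first = $_.Group | Select-Object -First 1
        [pscustomobject]@{
            Workstation = $first.Workstation
            SourceIP    = $first.SourceIP
            Logons      = $_.Count
            Accounts    = ($_.Group.User | Sort-Object -Unique) -join ', '
        }
    } | Format-Table -AutoSize

# The "Restrict NTLM" audit settings write to a separate operational log; a
# per-ID count confirms auditing is active here (assumed IDs: 8001 outgoing,
# 8002 incoming, 8004 domain-wide on a domain controller).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-NTLM/Operational'; StartTime = $start
} -ErrorAction SilentlyContinue | Group-Object Id | Select-Object Name, Count
```

Run it on each server that accepts NTLM logons; the per-workstation table is what lets you reach the owner of a misconfigured machine before NTLMv1 is turned off.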

If you have questions about this work, please send email to help@uw.edu with “UWWI NTLMv1 logging work” in the subject line.

-B