In the Previous article you have learnt, Join to Domain using PowerShell. which will allow to rename the computer during joining. In the article you will learn, how to check NTLM v1 and disable.
Before you disable NTLM, it is preferred to check if there any source using NTLM authentication which will helps you to find source from where such authentication is happening and work around. The best way to find device are being authenticated via NTLM enable, audit Log in your AD which will keeps logs of the such authentications and its source details. to Enable audit log of the authentication follow the below step.
Create a GPO , go to GPO editor -> Computer Configuration -> Windows Settings -> Security Settings -> Security Options -> right click and open the properties of “Network security: Audit NTLM Traffic“.
Check on “Define this Policy Setting” and set to “Enable auditing for all accounts“
Apply and OK
make sure your policy changed to ” Enable auditing for all accounts” from unconfigured
also you need to enable another option to authenticate using NTLM on this domain. to make that possible
Go To Computer Configuration -> Policies -> Windows Settings -> Security settings -> Local Policies -> Security Options -> right click and open the properties of “Network security: Audit NTLM authentication in this domain“
That’s it, You have successfully configured NTLM v1 audit and allow requests to response. further you need to wait few days and check the logs if any source is being authenticated via NTLM v1.
Further you will understand how to force sources to authenticate in this domain using NTLMv2 only and block v1. you will be able to make that using steps explained below.
Go To Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> right click and go to properties of “Network Security: LAN Manager authentication level” set it to “Send NTLMv2 response only“
After this option, your policy tells all the workstation to response only on NTLM v2 requests. Further, you need to change status to deny from audit option which will do not generates and responses NTLMv1 authentication on the domain basis.
The above picture explains that, you have set Deny any request in this domain level which no longer allows users to authentication via NTLMv1.
Conclusion!!!
In the above article you have learnt, how to allow to authenticate user via NTLM v1 and audit this requests. Further, you have learnt to block NTLM requests those generated from any source. In the next article you will learn, How to Disable Built-in Guest accounts of the computer that are joined to your domain controller.
