{
	"id": "31d7c1f7-a7ba-4df9-8f95-8191f95138a0",
	"created_at": "2026-04-06T00:21:05.846051Z",
	"updated_at": "2026-04-10T13:11:59.297162Z",
	"deleted_at": null,
	"sha1_hash": "c63573807866d3f86af1ed840ba768e9792cde97",
	"title": "Using security policies to restrict NTLM traffic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49802,
	"plain_text": "Using security policies to restrict NTLM traffic\r\nBy Archiveddocs\r\nArchived: 2026-04-05 21:02:55 UTC\r\nUpdated: November 21, 2012\r\nApplies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012\r\nThis topic describes the available security policies introduced in Windows Server 2008 R2 and Windows 7 and\r\nhow you can use them to restrict NTLM traffic in your system and domain.\r\nFor every policy to restrict NTLM, there are policies or options to first audit NTLM traffic. This permits you to\r\nlog and analyze authentication activity between clients and member servers, or within a domain before restricting\r\nthe traffic and potentially causing service interruptions. For information about how to discover NTLM traffic in your\r\ndomain, see Assessing NTLM usage in this guide.\r\nIn this topic\r\nRestricting NTLM traffic in the domain\r\nRestricting incoming NTLM traffic to a remote server\r\nRestricting outgoing NTLM traffic from a client computer to a remote server\r\nThe following conditions and procedures can help you determine the level of NTLM authentication traffic within\r\na target domain so you can eventually restrict the NTLM traffic and promote Kerberos authentication.\r\nWarning\r\nSetting the policy Restrict NTLM: NTLM authentication in this domain without performing an impact\r\nassessment first might cause service outage for those applications and users still using NTLM authentication. 
For\r\ninformation about performing an assessment, see Assessing NTLM usage in this guide.\r\nConditions\r\nYou need to meet the following conditions to restrict NTLM traffic in a domain:\r\nAssessment of NTLM usage within the domain.\r\nAbility to configure a security policy on the domain controller.\r\nAccess to the event logs on the member servers and domain controller.\r\nKnowledge that the list of server names on the security policy Network security: Restrict NTLM: Add\r\nserver exceptions in this domain is correct, if configured.\r\nhttps://technet.microsoft.com/library/jj865668.aspx\r\nPage 1 of 5\n\n1. On the domain controller, use the Group Policy Management Console (GPMC) to open the Group Policy\r\nRestrict NTLM: NTLM authentication in this domain located under the Computer\r\nConfiguration/Security Settings/Security Options node.\r\nThis policy setting allows you to deny or allow NTLM authentication within this domain. This policy does\r\nnot affect interactive logon to this domain controller.\r\n2. 
Select one of the following options that are supported by your assessment:\r\nAllow domain logon-related NTLM and NTLM traffic to servers in this domain\r\nThe domain controller will allow all NTLM pass-through authentication requests within the domain.\r\nThis is the behavior if this policy is not configured.\r\nAllow domain logon-related NTLM traffic or NTLM traffic to servers in this domain\r\nThe domain controller will deny all NTLM authentication logon attempts to all servers in the\r\ndomain that are using domain accounts and display an NTLM blocked error unless the server name\r\nis on the exception list in the Network Security: Restrict NTLM: Add server exceptions for\r\nNTLM authentication in this domain policy setting.\r\nDeny domain logon-related NTLM traffic in this domain\r\nThe domain controller will deny all NTLM authentication logon attempts from domain accounts\r\nand display an NTLM blocked error unless the server name is on the exception list in the Network\r\nSecurity: Restrict NTLM: Add server exceptions for NTLM authentication in this domain\r\npolicy setting.\r\nDeny NTLM traffic to servers in this domain\r\nThe domain controller will deny NTLM authentication requests to all servers in the domain and\r\ndisplay an NTLM blocked error unless the server name is on the exception list in the Network\r\nSecurity: Restrict NTLM: Add server exceptions for NTLM authentication in this domain\r\npolicy setting.\r\nDeny NTLM traffic in this domain\r\nThe domain controller will deny all NTLM pass-through authentication requests from its servers\r\nand for its accounts and display an NTLM blocked error unless the server name is on the exception\r\nlist in the Network Security: Restrict NTLM: Add server exceptions for NTLM authentication\r\nin this domain policy setting.\r\n1. Using Event Viewer on the domain controller, navigate to Applications and Services\r\nLogs/Microsoft/Windows/NTLM and open the Operational log.\r\n2. 
Investigate NTLM authentication failed events to determine if NTLM authentication should be allowed or\r\nshould be restricted by using a different option. Note server names.\r\n3. You can adjust the NTLM authentication usage by resetting this policy to a different option or adding other\r\nservers to the exception list.\r\nThe following conditions and procedures can help you determine the level of incoming NTLM authentication\r\ntraffic from a client computer to a remote server so you can eventually restrict the NTLM traffic and promote\r\nKerberos authentication.\r\nWarning\r\nSetting the policy Network Security: Restrict NTLM: Incoming NTLM traffic without performing an impact\r\nassessment first might cause service outage for those applications and users still using NTLM authentication. For\r\ninformation about performing an assessment, see Assessing NTLM usage in this guide.\r\nConditions\r\nYou need to meet the following conditions to restrict NTLM traffic on a remote server:\r\nAbility to configure a security policy on the remote server.\r\nAccess to the event logs on the remote server and domain controller.\r\nKnowledge that the list of server names on the security policy Network security: Restrict NTLM: Add\r\nserver exceptions for NTLM authentication in this domain is correct, if configured.\r\nEstablished connection to the remote server.\r\n1. On the remote server, use the Group Policy Management Console (gpmc.msc) to open the security policy\r\nRestrict NTLM: Incoming NTLM traffic located under the Computer Configuration/Security\r\nSettings/Security Options node.\r\n2. Select one of the following options that supports your assessment strategy:\r\nAllow all incoming NTLM traffic\r\nThe server will allow all NTLM authentication requests. 
This is the behavior if this policy is not\r\nconfigured.\r\nDeny all incoming domain logon-related NTLM traffic\r\nThe server will deny NTLM authentication requests for domain logon and display an NTLM\r\nblocked error.\r\nDeny all incoming NTLM traffic\r\nThe server will deny NTLM authentication requests from incoming traffic and display an NTLM\r\nblocked error.\r\n1. Using Event Viewer on the domain controller and the remote server, navigate to Applications and Services\r\nLogs/Microsoft/Windows/NTLM and open the Operational log on each.\r\n2. Investigate NTLM authentication failed events to determine if NTLM authentication should be allowed or\r\nshould be restricted. Note computer names.\r\n3. You can adjust the NTLM authentication usage by resetting this policy to a different option or adding other\r\nservers to the exception list.\r\nThe following conditions and procedures can help you determine the level of outgoing NTLM authentication\r\ntraffic from a client computer to a remote server so you can eventually restrict the NTLM traffic and promote\r\nKerberos authentication.\r\nWarning\r\nSetting the policy Restrict NTLM: Outgoing NTLM traffic to remote servers without performing an impact\r\nassessment first might cause service outage for those applications and users still using NTLM authentication. For\r\ninformation about performing an assessment, see Assessing NTLM usage in this guide.\r\nConditions\r\nYou need to meet the following conditions to restrict NTLM traffic to a remote server:\r\nAssessment of NTLM usage between this server and client computers.\r\nAbility to configure a security policy on the client computer.\r\nAccess to the event logs on the client computer.\r\nKnowledge that the list of server names on the security policy Network security: Restrict NTLM:\r\nAdd remote server exceptions for NTLM authentication is correct, if configured.\r\n1. 
On the client computer, use the Group Policy Management Console (gpmc.msc) to open the network\r\nsecurity policy Restrict NTLM: Outgoing NTLM traffic to remote servers located under the Computer\r\nConfiguration/Security Settings/Security Options node. This policy setting allows you to deny or audit\r\noutgoing NTLM traffic to remote servers.\r\n2. Select one of the following options that supports your assessment strategy:\r\nDeny all outgoing NTLM traffic to remote servers.\r\nThe client computer cannot authenticate identities to a remote server by using NTLM\r\nauthentication. You can use the Network Security: Restrict NTLM: Add remote server\r\nexceptions for NTLM authentication policy setting to define a list of remote servers to which\r\nclients are allowed to use NTLM authentication.\r\nAllow all outgoing NTLM traffic to remote servers.\r\nThe client computer can authenticate identities to a remote server by using NTLM authentication.\r\nThis is the default behavior if this policy is not configured.\r\n1. Open the Group Policy Management Console (gpmc.msc) on the client computer.\r\n2. Navigate to the Security Options node under Local Computer Policy/Computer Configuration/Windows\r\nSettings/Security Settings/Local Policies.\r\n3. Configure the security policy Network security: Restrict NTLM: Add remote server exceptions for\r\nNTLM authentication by listing the names of the servers for which you will allow NTLM authentication. The\r\nnaming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS\r\nserver name used by the calling application, listed one per line. A single asterisk (*) can be used at the\r\nbeginning or end of the string as a wildcard character.\r\n1. Using Event Viewer on the domain controller, navigate to Applications and Services\r\nLogs/Microsoft/Windows/NTLM and open the Operational log.\r\n2. 
Investigate NTLM authentication failed events to determine if NTLM authentication should be allowed or\r\nshould be restricted. Note server names.\r\nSource: https://technet.microsoft.com/library/jj865668.aspx",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://technet.microsoft.com/library/jj865668.aspx"
	],
	"report_names": [
		"jj865668.aspx"
	],
	"threat_actors": [],
	"ts_created_at": 1775434865,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c63573807866d3f86af1ed840ba768e9792cde97.pdf",
		"text": "https://archive.orkl.eu/c63573807866d3f86af1ed840ba768e9792cde97.txt",
		"img": "https://archive.orkl.eu/c63573807866d3f86af1ed840ba768e9792cde97.jpg"
	}
}