This article describes how to manage the NTLM blocking feature on Windows 7 and Windows Server 2008 R2 to support pass-through authentication.
Windows Server 2008 R2 and Windows 7 restrict NTLM authentication usage out of the box. This feature is known as NTLM blocking. NTLM blocking prevents NTLM from being used for authentication. It works for both incoming and outgoing connections, and allows you to create exceptions. NTLM blocking is implemented using Group Policies that can be accessed under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.
Using a combination of these policies it is possible to control and audit the flow of NTLM traffic to and from computers running Windows Server 2008 R2/Windows 7 and other computers that may be within or outside the domain.
The following sections explain the policies and how to use them.
Policy Settings to Enable NTLM Pass-Through Authentication
Policies Explained
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the “Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy setting is configured.
Network security: Restrict NTLM: Add server exceptions in this domain
This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the “Network Security: Restrict NTLM: Deny NTLM authentication in this domain” is set.
Network security: Restrict NTLM: Incoming NTLM traffic
This policy setting allows you to deny or allow incoming NTLM traffic.
Network security: Restrict NTLM: NTLM authentication in this domain
This policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy does not affect interactive logon to this domain controller.
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server.
Network security: Restrict NTLM: Audit Incoming NTLM Traffic
This policy setting allows you to audit incoming NTLM traffic.
Network security: Restrict NTLM: Audit NTLM authentication in this domain
This policy setting allows you to audit NTLM authentication in a domain from this domain controller.
Network access: Sharing and security model for local accounts
This security setting determines how network logons that use local accounts are authenticated. This should be set to Classic, not Guest only.
Network security: LAN Manager authentication level
This security setting determines which challenge/response authentication protocol is used for network logons. This should be set to Send LM & NTLM – use NTLMv2 session security if negotiated.
Pass-through Authentication
The NetLogon service is responsible for implementing pass-through authentication. To perform pass-through authentication, the service:
Selecting the domain is straightforward. The domain name is passed to LsaLogonUser. LsaLogonUser supports interactive logons, service logons, and network logons. Since the domain name specified is not trusted by the domain, the authentication request is processed on the computer being connected to as if the domain name specified were that domain name. NetLogon does not differentiate between a nonexistent domain, an untrusted domain, and an incorrectly typed domain name.
Policy Settings to Enable NTLM Pass-through Authentication
If pass-through authentication on a Windows Server 2008 R2 machine fails, check for the presence of Network security: Restrict NTLM policy settings under the aforementioned policy location. To disable restrictions on NTLM authentication, configure the following policies:
| Policy | Purpose | Security Setting |
| --- | --- | --- |
| Network security: Restrict NTLM: Incoming NTLM traffic | This policy setting allows you to deny or allow incoming NTLM traffic. | Allow all |
| Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers | This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. | Allow all |
| Network security: Restrict NTLM: Audit NTLM authentication in this domain | This policy setting allows you to audit NTLM authentication in a domain from this domain controller. | Enable all |
| Network security: Restrict NTLM: Audit Incoming NTLM Traffic | This policy setting allows you to audit incoming NTLM traffic. | Enable auditing for all accounts |
4. Close the policy window and, at a command prompt, type gpupdate /force
5. Close command prompt.
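The following PowerShell script is an added example and is not part of the original article or of any Quest product. It reads the registry values that back the Restrict NTLM, local-account sharing model and LAN Manager authentication level policies described above, compares them with the settings the table recommends, lists the exception servers, and shows the most recent entries from the NTLM operational event log where audit and block decisions are recorded. The registry paths, value names and numeric encodings are the ones Microsoft documents for these policies; the Expected column is this script's own reading of the article's "Allow all", "Enable all", "Classic" and "Send LM & NTLM – use NTLMv2 session security if negotiated" entries, so verify it against the policy editor if your build differs. Run it in an elevated PowerShell session after gpupdate /force.

```powershell
# Added example, not from the original article: audit the effective NTLM blocking settings
# on this computer and compare them with the values the article recommends.

$msv      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # value absent: the policy is "Not Defined" and Windows applies its default
    }
}

# One entry per policy from the article: where it lives, and the value the table calls for.
# Expected values are this script's mapping of the article's recommended settings (assumption).
$checks = @(
    @{ Policy = 'Restrict NTLM: Incoming NTLM traffic'
       Path = $msv;      Name = 'RestrictReceivingNTLMTraffic'; Expected = 0; Meaning = 'Allow all' },
    @{ Policy = 'Restrict NTLM: Outgoing NTLM traffic to remote servers'
       Path = $msv;      Name = 'RestrictSendingNTLMTraffic';   Expected = 0; Meaning = 'Allow all' },
    @{ Policy = 'Restrict NTLM: Audit Incoming NTLM Traffic'
       Path = $msv;      Name = 'AuditReceivingNTLMTraffic';    Expected = 2; Meaning = 'Enable auditing for all accounts' },
    @{ Policy = 'Restrict NTLM: Audit NTLM authentication in this domain'
       Path = $netlogon; Name = 'AuditNTLMInDomain';            Expected = 7; Meaning = 'Enable all' },
    @{ Policy = 'Sharing and security model for local accounts'
       Path = $lsa;      Name = 'ForceGuest';                   Expected = 0; Meaning = 'Classic' },
    @{ Policy = 'LAN Manager authentication level'
       Path = $lsa;      Name = 'LmCompatibilityLevel';         Expected = 1; Meaning = 'Send LM & NTLM - use NTLMv2 session security if negotiated' }
)

$report = foreach ($c in $checks) {
    $actual = Get-RegValueOrNull -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Policy   = $c.Policy
        Value    = $c.Name
        Actual   = if ($null -eq $actual) { 'Not Defined' } else { $actual }
        Expected = "$($c.Expected) ($($c.Meaning))"
        Match    = ($actual -eq $c.Expected)
    }
}
$report | Format-Table -AutoSize

# Exception lists (REG_MULTI_SZ). Servers named here are exempt from the deny/audit decision:
# ClientAllowedNTLMServers backs "Add remote server exceptions for NTLM authentication",
# DCAllowedNTLMServers backs "Add server exceptions in this domain".
"ClientAllowedNTLMServers : $((Get-RegValueOrNull -Path $msv -Name 'ClientAllowedNTLMServers') -join ', ')"
"DCAllowedNTLMServers     : $((Get-RegValueOrNull -Path $netlogon -Name 'DCAllowedNTLMServers') -join ', ')"

# Audit and block decisions are written to the NTLM operational channel (events 8001-8004).
# Reviewing these before turning any policy from audit to deny shows what traffic would be blocked.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

A row whose Match column is False points at the policy to revisit in the policy editor; a "Not Defined" Actual value means no policy is set and the default applies, which for the Restrict NTLM values is the same as "Allow all". The event log section is the most useful part when pass-through authentication fails intermittently, because each blocked or audited NTLM attempt is recorded there with the target server name.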