Disabling NTLM

NTLM auditing in an Active Directory domain with Splunk.

If you want to disable NTLM and move to Kerberos in an Active Directory environment, you’ll need to follow this process:

  1. Enable auditing (covered in this post)
  2. Reconfigure applications to use Service Principal Name (SPN)
  3. Whitelist allowed NTLM servers
  4. Configure blocking

The first step is to enable auditing on your domain controllers. The easiest way is to create a GPO and apply it to an OU containing your DCs. Here’s what mine looks like:

Once the policy is applied, use Splunk (or another log collector) to capture every event written to this channel:

Applications and Services Logs -> Microsoft -> Windows -> NTLM -> Operational

My Splunk inputs.conf looks like this:

[WinEventLog://Microsoft-Windows-NTLM/Operational]
disabled = 0
index = msad

Splunk query:

index=msad sourcetype="WinEventLog:Microsoft-Windows-NTLM/Operational"
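The audit events collected by the query above are only useful once they are turned into an inventory of who still authenticates with NTLM and against which servers, because that inventory is what steps 2 and 3 (reconfiguring applications for SPNs and whitelisting the servers that legitimately still need NTLM) are built from. The script below is an added example and is not part of the original post or of any Splunk or Microsoft tooling. It parses key/value event bodies of the kind Splunk extracts from the NTLM/Operational channel; the sample records, the field names (EventCode, User name, Workstation name, Secure Channel name) and the event codes in them are constructed to illustrate the shape of the data, so check them against the events your own domain controllers emit before relying on the output.

```python
"""Build an NTLM usage inventory from audited NTLM/Operational events.

Added example, not code from the original post. The sample records and
their field names are constructed; adjust the FIELD_* constants to match
the fields your collector actually extracts.
"""
from collections import Counter, defaultdict
import re

# Field names as they appear in the constructed sample below (assumption).
FIELD_CODE = "EventCode"
FIELD_USER = "User name"
FIELD_CLIENT = "Workstation name"
FIELD_SERVER = "Secure Channel name"   # the server NTLM was used against

# Constructed sample: four audit events in key=value form, blank-line separated.
# Event codes 8003/8004 are placeholders for the channel's audit events.
SAMPLE_EVENTS = """\
EventCode=8003
User name=svc_backup
Domain name=CORP
Workstation name=WS-FIN-01
Secure Channel name=FILESRV01

EventCode=8003
User name=jdoe
Domain name=CORP
Workstation name=WS-FIN-02
Secure Channel name=FILESRV01

EventCode=8003
User name=svc_backup
Domain name=CORP
Workstation name=WS-FIN-01
Secure Channel name=LEGACYAPP01

EventCode=8004
User name=jdoe
Domain name=CORP
Workstation name=WS-FIN-02
Secure Channel name=PRINTSRV01
"""


def parse_events(text):
    """Split blank-line-separated key=value blocks into a list of dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            key, sep, value = line.partition("=")
            if sep:  # ignore lines that are not key=value
                record[key.strip()] = value.strip()
        if record:
            events.append(record)
    return events


def ntlm_inventory(events):
    """Return (counts per event code, {server: sorted [(client, user), ...]}).

    The second mapping is the list of servers that still receive NTLM and
    the client/user pairs responsible, i.e. the candidates for either an
    SPN fix on the application or an explicit whitelist entry.
    """
    by_code = Counter(e.get(FIELD_CODE, "unknown") for e in events)
    by_server = defaultdict(set)
    for e in events:
        server = e.get(FIELD_SERVER)
        if server:
            by_server[server].add((e.get(FIELD_CLIENT, "?"), e.get(FIELD_USER, "?")))
    return by_code, {s: sorted(pairs) for s, pairs in by_server.items()}


def report(text):
    """Human-readable summary; returns the lines so they can be checked."""
    by_code, by_server = ntlm_inventory(parse_events(text))
    lines = [f"event {code}: {n} occurrence(s)" for code, n in sorted(by_code.items())]
    for server in sorted(by_server):
        who = ", ".join(f"{client}\\{user}" for client, user in by_server[server])
        lines.append(f"{server}: NTLM from {who}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS)))
```

Run it as-is to see the summary for the constructed sample; in practice feed it the event bodies exported from the Splunk search, or reproduce the same grouping in SPL with a stats count by the server and workstation fields. Servers that appear here but are not known legacy systems are the ones to fix with SPNs first; the rest become the whitelist for the blocking step.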