Network security: Restrict NTLM: Audit Incoming NTLM Traffic

Network security: Restrict NTLM: Audit Incoming NTLM Traffic

This policy setting allows you to audit incoming NTLM traffic.

If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic.

If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option.

If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option.

This policy is supported on at least Windows 7 or Windows Server 2008 R2.

Note: Audit events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/Microsoft/Windows/Security-NTLM.

Policy path: 

Computer Configuration\Windows Settings\Local Policies\Security Options

Supported on: 

At least Windows 7, Windows Server 2008 R2

Registry settings: 

MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\AuditReceivingNTLMTraffic

Reboot required: 

No