Windows GPOs for NTLMv2 collection via WUC

Document created by auchentoshan on Apr 7, 2015

If you have ever wondered how to configure GPOs to work with the WUC in the most secure manner, read on. This is not official guidance, but it was carefully tested with WUC v7.x.

The following table lists the supported and recommended values for the Windows GPOs that force event collection to use NTLMv2 with extended session security. If you have ever had problems collecting events from remote domain members (workstations and servers), check the GPOs applied to your DCs and to the domain. Out of the box, Windows Server 2008 R2 will block event collection from domain members unless the Restrict NTLM setting recommended below is configured.

 

If NTLM problems persist, log in to a domain controller and open the NTLM log in Event Viewer under Applications and Services Logs > Microsoft > Windows > NTLM > Operational. This log records authentication attempts that were blocked by the GPOs above.

Note: the "Audit incoming NTLM traffic" GPO setting may need to be set to "Enable auditing for all accounts" before this log contains useful data.


| Group | Location | Parameter | Comment |
|---|---|---|---|
| SMB | Registry: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters [1] | SMB1 (0=disabled, 1=enabled) | Supported |
| | | SMB2 (0=disabled, 1=enabled) | Not supported |
| | | SMB3 (0=disabled, 1=enabled) | Not supported |
| SMB | GPO or Local Security Policy [2] (different policies apply to DCs and domain members; check the DC for simplicity): Security Settings > Local Policies > Security Options > Other > Microsoft Network Client | Domain member: Digitally encrypt or sign secure channel data (always) | Supported |
| | | Domain member: Digitally encrypt secure channel data (when possible) | Supported |
| | | Domain member: Digitally sign secure channel data (when possible) | Supported |
| | | Microsoft network client/server: Digitally sign communications (always) | Supported |
| | | Microsoft network client/server: Digitally sign communications (if client and server agree) | Supported |
| NTLM | GPO or Local Security Policy: Security Settings > Local Policies > Security Options > Network security: LAN Manager authentication level | Send LM & NTLM responses | Supported |
| | | Send LM & NTLM – use NTLMv2 session security if negotiated | Supported |
| | | Send NTLM response only | Supported |
| | | Send NTLMv2 response only | Supported |
| | | Send NTLMv2 response only. Refuse LM | Supported |
| | | Send NTLMv2 response only. Refuse LM & NTLM | Recommended |
| NTLM | GPO or Local Security Policy: Security Settings > Local Policies > Security Options > Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security | Recommended |
| | | Require 128-bit encryption | Recommended |
| NTLM | GPO or Local Security Policy: Security Settings > Local Policies > Security Options > Network security: Restrict NTLM | Add remote server exceptions for NTLM authentication | Recommended setting: Not defined |
| | | Add server exceptions in this domain | Recommended setting: Not defined |
| | | Audit incoming NTLM traffic | All values, including Not defined, are supported |
| | | Audit NTLM authentication in this domain | All values, including Not defined, are supported |
| | | Incoming NTLM traffic | Recommended setting: Not defined or Allow all |
| | | NTLM authentication in this domain | Must be set to Disable. Cannot be left Not defined; no other setting will work |
| | | Outgoing NTLM traffic to remote servers | Recommended setting: Not defined, Allow all or Audit all |

[1] Changes to the SMB parameters require a reboot to take effect; these registry values cannot be set through a GPO.

[2] See <http://blogs.technet.com/b/josebda/archive/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2.aspx> for more information about Microsoft's recommended SMB signing settings.
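As an added check (not part of the original document and not WUC code), the following PowerShell reads the registry values behind the table's hard requirements on a DC and flags those that differ from the recommended values, then shows the newest entries of the NTLM operational log. The registry paths, value names and numeric encodings are assumed from the standard Windows locations for these policies; an absent value corresponds to "Not defined".

```powershell
# Run in an elevated PowerShell on the domain controller (added example, assumptions noted above).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"
$smb = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value is absent, which is what the GPO editor shows as "Not defined".
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# One entry per table row with a firm requirement; Test returns $true when the value is acceptable.
$checks = @(
    @{ Row = 'SMB1 enabled (collection is only supported over SMB1)'; Path = $smb; Name = 'SMB1'
       Test = { param($v) ($null -eq $v) -or ($v -eq 1) } },            # absent = enabled by default
    @{ Row = 'LAN Manager authentication level = Send NTLMv2 response only. Refuse LM & NTLM'
       Path = $lsa; Name = 'LmCompatibilityLevel'; Test = { param($v) $v -eq 5 } },
    @{ Row = 'Minimum session security for NTLM SSP servers = NTLMv2 session security + 128-bit'
       Path = $msv; Name = 'NtlmMinServerSec'
       Test = { param($v) ($v -band 0xA0000000) -eq 0xA0000000 } },     # 0x20000000 NTLMv2, 0x80000000 128-bit
    @{ Row = 'Restrict NTLM: NTLM authentication in this domain = Disable (must be defined)'
       Path = $msv; Name = 'RestrictNTLMInDomain'; Test = { param($v) $v -eq 0 } },
    @{ Row = 'Restrict NTLM: Incoming NTLM traffic = Not defined or Allow all'
       Path = $msv; Name = 'RestrictReceivingNTLMTraffic'
       Test = { param($v) ($null -eq $v) -or ($v -eq 0) } },
    @{ Row = 'Restrict NTLM: Outgoing NTLM traffic = Not defined, Allow all or Audit all'
       Path = $msv; Name = 'RestrictSendingNTLMTraffic'
       Test = { param($v) ($null -eq $v) -or (@(0, 1) -contains $v) } },
    @{ Row = 'Restrict NTLM: Audit incoming NTLM traffic = Enable auditing for all accounts'
       Path = $msv; Name = 'AuditReceivingNTLMTraffic'; Test = { param($v) $v -eq 2 } }
)

foreach ($c in $checks) {
    $value = Get-RegValue $c.Path $c.Name
    $shown = if ($null -eq $value) { 'not defined' } else { $value }
    $state = if (& $c.Test $value) { 'OK ' } else { 'FIX' }
    '{0} {1,-30} = {2,-12} {3}' -f $state, $c.Name, $shown, $c.Row
}

# Authentications blocked by these policies show up in the NTLM operational log mentioned above.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Rows marked FIX are the ones to correct in the domain or DC GPO; a reboot is still needed after changing the SMB1 registry value.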
