How to get rid of NTLM

NT LAN Manager (NTLM) was introduced with Windows NT and is still used in networks that include pre-Windows XP clients or servers older than Windows 2000 Server. It is also used in workgroup networks, where Kerberos authentication cannot be negotiated. NTLM authentication is, however, not as secure as Kerberos authentication, so if you are configuring a network that requires very high security, whose domain controllers run Windows Server 2008 R2 and whose clients run Windows 7, you may want to restrict the use of NTLM.

You will need:
  • A domain controller running Windows Server 2008 R2
  • A user account that is a member of the Domain Admins group
Steps to follow:

1

Click the "Start" button, choose "Administrative Tools" from the menu, and then click "Group Policy Management" to open the Group Policy Management Console.

2

Expand the forest node, then "Domains", then the node for your domain, and then "Domain Controllers". Select "Default Domain Controllers Policy".

3

Right-click "Default Domain Controllers Policy" and choose "Edit" from the menu.

4

Under "Computer Configuration", expand the "Policies" node. Expand "Windows Settings", then "Security Settings", then "Local Policies". Select "Security Options".

5

Scroll through the list of policy settings to find "Network security: Restrict NTLM: NTLM authentication in this domain". Double-click it to open its properties dialog box.

6

Check the "Define this policy setting" checkbox.

7

Choose an option from the drop-down list. "Deny for domain accounts to domain servers" prevents domain accounts from using NTLM to authenticate to servers in the domain. "Deny for domain accounts" prevents domain accounts from using NTLM authentication at all. "Deny for domain servers" prevents servers in the domain from accepting NTLM authentication. "Deny all" blocks all NTLM authentication in the domain.

8

Click "OK" to apply the change. You will be warned that the setting could affect compatibility with clients, services, and applications. Click "Yes".

9

Click the "Close" button in the title bar of the Group Policy Management Editor, and then click the "Close" button in the title bar of the Group Policy Management Console.
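The same change can be made from PowerShell instead of clicking through the console. The script below is an added example and is not part of the original article; it assumes the GroupPolicy module (available on Windows Server 2008 R2 with the Group Policy Management feature installed), a Domain Admins account, and the registry location and level values that this policy is known to write (HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, RestrictNTLMInDomain = 0, 1, 3, 5 or 7 for the five drop-down options; DCAllowedNTLMServers for the exception list). The function and variable names are the author's own.

```powershell
# Added example: configure "Network security: Restrict NTLM: NTLM authentication in
# this domain" in the Default Domain Controllers Policy from PowerShell.
# Assumed: GroupPolicy module present, Domain Admins rights, and the registry mapping
# below (verify it against the "Explain" tab of the policy before relying on it).
Import-Module GroupPolicy

$GpoName = 'Default Domain Controllers Policy'
$Key     = 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Drop-down option shown in the GUI -> DWORD written for RestrictNTLMInDomain (assumed mapping)
$RestrictLevels = @{
    'Disable'                                    = 0
    'Deny for domain accounts to domain servers' = 1
    'Deny for domain accounts'                   = 3
    'Deny for domain servers'                    = 5
    'Deny all'                                   = 7
}

function Get-RestrictNtlmInDomain {
    # Returns the level currently stored in the GPO, or $null if the policy is not defined there
    $v = Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'RestrictNTLMInDomain' `
                             -ErrorAction SilentlyContinue
    if ($v) { [int]$v.Value } else { $null }
}

function Set-RestrictNtlmInDomain {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disable', 'Deny for domain accounts to domain servers',
                     'Deny for domain accounts', 'Deny for domain servers', 'Deny all')]
        [string]$Option,

        # Servers that must keep accepting NTLM (the "Add server exceptions" tip);
        # an empty list leaves the exception setting untouched.
        [string[]]$ServerExceptions = @()
    )

    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'RestrictNTLMInDomain' `
                        -Type DWord -Value $RestrictLevels[$Option] | Out-Null

    if ($ServerExceptions.Count -gt 0) {
        Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'DCAllowedNTLMServers' `
                            -Type MultiString -Value $ServerExceptions | Out-Null
    }

    # Read back what was written so the caller can confirm the change
    Get-RestrictNtlmInDomain
}

# Usage (constructed example values): start with the least disruptive denial and keep two
# legacy servers on the exception list; domain controllers pick the change up on the next
# policy refresh (or after "gpupdate /force" on each DC).
Set-RestrictNtlmInDomain -Option 'Deny for domain accounts to domain servers' `
                         -ServerExceptions 'legacyapp01', 'printsrv02'
```

One caveat worth knowing: Set-GPRegistryValue stores the value in the GPO's registry policy, not in the Security Options template that the console writes, so the GPO report will list it under registry settings rather than under "Security Options". Both reach the same registry value on the domain controllers, but define the setting in one place only, or the two copies can disagree.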

Tips
  • If one or more computers still need to authenticate using NTLM, you can enable the policy setting "Network security: Restrict NTLM: Add server exceptions in this domain" and add those computers to the list.
  • To find out whether NTLM is still used in your network, consider enabling "Network security: Restrict NTLM: Audit NTLM authentication in this domain" and "Network security: Restrict NTLM: Audit Incoming NTLM Traffic" before applying the restriction.
  • Detailed information about each policy setting is on the "Explain" tab of its properties dialog box.
  • Disabling NTLM can have unexpected results. Monitor the network before and after restricting NTLM so that you can create the necessary exceptions and reduce downtime.
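The two audit settings in the tips write their findings to the NTLM Operational event log, and reading that log is how you learn which machines still depend on NTLM before you restrict it. The script below is an added example, not part of the original article. It assumes the audit policies have already been enabled through Group Policy, that the Microsoft-Windows-NTLM/Operational log is enabled on the machine being queried, and that the audit and block events carry IDs 8001 to 8004; the EventData field names differ per event, so the script emits them exactly as recorded instead of assuming particular names. The function names are the author's own.

```powershell
# Added example: summarise the NTLM audit events produced by
#   "Network security: Restrict NTLM: Audit NTLM authentication in this domain" and
#   "Network security: Restrict NTLM: Audit Incoming NTLM Traffic"
# so that the necessary server exceptions can be created before NTLM is restricted.
# Assumed: audit policies already applied; the NTLM Operational log is enabled
# (wevtutil sl Microsoft-Windows-NTLM/Operational /e:true enables it if it is not).

function Get-NtlmAuditEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 5000
    )
    # Event IDs used by the NTLM audit/block policies (assumed: 8001 outgoing, 8002 incoming,
    # 8003 domain pass-through on a DC, 8004 authentication blocked by the restriction)
    $kinds = @{ 8001 = 'Outgoing'; 8002 = 'Incoming'; 8003 = 'Pass-through (DC)'; 8004 = 'Blocked' }
    $filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004 }

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten the named EventData fields from the event XML into "Name=Value" pairs,
        # whatever names this particular event uses
        $xml = [xml]$e.ToXml()
        $pairs = foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { '{0}={1}' -f $d.Name, $d.'#text' }
        }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Id       = $e.Id
            Kind     = $kinds[$e.Id]
            Computer = $e.MachineName
            Detail   = ($pairs | Sort-Object) -join '; '
        }
    }
}

function Get-NtlmAuditSummary {
    # Groups the audit events by kind and detail so that each distinct NTLM dependency
    # (for example one legacy server talked to by many clients) appears once with a count.
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $all = foreach ($c in $ComputerName) { Get-NtlmAuditEvent -ComputerName $c }
    $all | Group-Object Kind, Detail | ForEach-Object {
        [pscustomobject]@{
            Count    = $_.Count
            Kind     = $_.Group[0].Kind
            LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            Detail   = $_.Group[0].Detail
        }
    } | Sort-Object Count -Descending
}

# Usage (constructed host names): query every domain controller, since pass-through events
# are logged there, and review the result before choosing the restriction level.
Get-NtlmAuditSummary -ComputerName 'dc01', 'dc02' | Format-Table -AutoSize -Wrap
```

Run the summary for a full business cycle (month-end jobs included) before applying the restriction, then run it again afterwards: any new "Blocked" entries identify the servers that belong on the exception list.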