If you recently deployed Microsoft Defender for Identity on your Domain Controllers and haven’t gone through all the prerequisites, you may find that you receive health alerts indicating NTLM Auditing is not enabled. You can also enable NTLM Auditing on your Domain Controllers if you are planning to deploy Microsoft Defender for Identity.
A link to the prerequisites document is provided in the resources section at the end of this blog post.
Health issue alert
Enable NTLM Auditing with Group Policy
NTLM Auditing can easily be enabled on all the Domain Controllers in the domain using Group Policy.
Open the Group Policy Management console and browse to the Domain Controllers container. Here you can either create and edit a new Group Policy or edit an existing Group Policy. I have a separate Group Policy created for security related settings which I will use. I am not making these changes in the Default Domain Controllers Group Policy.
You will find the required NTLM settings in the Security Options settings in the Group Policy. This will be under the Computer Configuration section.
The following three policies need to be enabled and configured:
- Network security: Restrict NTLM: Audit Incoming NTLM Traffic
- Network security: Restrict NTLM: Audit NTLM authentication in this domain
- Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Network security: Restrict NTLM: Audit Incoming NTLM Traffic should be set to “Enable auditing for all accounts”.
Network security: Restrict NTLM: Audit NTLM authentication in this domain should be set to “Enable all”.
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers should be set to “Audit all”.
Close the Group Policy editor and Group Policy Management console when complete.
Verify NTLM settings
The policies can be verified after the Group Policy has been applied.
Open the Local Security Policy console. This can be easily accessed by running “secpol.msc”. The NTLM settings should now be enabled as per the Group Policy configuration.
The health status for the service should also change to “Healthy” after some time has passed.
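As an added example (not part of the original post), the same three settings can be verified from an elevated PowerShell session on the Domain Controller by reading the registry values that these Security Options policies write, and by checking that NTLM audit events are being logged. The registry paths, value names, value encodings and the NTLM operational log name are taken from the documented mapping of these policies; they are not mentioned in the post above.

```powershell
# Added example: verify on a Domain Controller that the three NTLM audit policies
# applied, by reading the registry values Group Policy writes for them, then confirm
# NTLM audit events are being produced. Run elevated, after "gpupdate /force".

$checks = @(
    @{ Policy  = 'Restrict NTLM: Audit Incoming NTLM Traffic'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name    = 'AuditReceivingNTLMTraffic'
       Want    = 2; Meaning = 'Enable auditing for all accounts' },
    @{ Policy  = 'Restrict NTLM: Audit NTLM authentication in this domain'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name    = 'AuditNTLMInDomain'
       Want    = 7; Meaning = 'Enable all' },
    @{ Policy  = 'Restrict NTLM: Outgoing NTLM traffic to remote servers'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name    = 'RestrictSendingNTLMTraffic'
       Want    = 1; Meaning = 'Audit all' }
)

$allGood = $true
foreach ($c in $checks) {
    # A missing value means the policy is "Not Defined"; treat that as not applied.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($actual -eq $c.Want) {
        Write-Host ("[OK]   {0} = {1} ({2})" -f $c.Policy, $actual, $c.Meaning)
    } else {
        $allGood = $false
        Write-Warning ("[FAIL] {0}: expected {1} ({2}), found '{3}'" -f $c.Policy, $c.Want, $c.Meaning, $actual)
    }
}

# Once auditing is on, NTLM audit events (IDs 8001-8004) are written to the NTLM
# operational log. An empty result right after enabling is normal; some NTLM
# authentications must occur first.
$recent = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-NTLM/Operational'
    Id      = 8001, 8002, 8003, 8004
} -MaxEvents 5 -ErrorAction SilentlyContinue

if ($recent) {
    $recent | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Host 'No NTLM audit events found yet.'
}

if (-not $allGood) { exit 1 }
```

A non-zero exit code from the script means at least one of the three policies has not applied, which is the same condition that keeps the Defender for Identity health alert open.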
It is important to ensure all prerequisites are met when deploying Microsoft Defender for Identity sensors on your Domain Controllers. The auditing requirements are particularly important for collecting relevant data from Active Directory to enhance some detections.
The following link will take you directly to the NTLM Auditing section in the document.