Configuring server exceptions to allow NTLM
Updated: November 21, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
This topic describes the reasons for and how to configure two security policies introduced in Windows Server 2008 R2 and Windows 7 that permit NTLM authentication on servers that you identify.
You might have instances in your organization where you want to restrict the usage of NTLM to all but a few servers. Two security policy settings are used to list those exceptions where NTLM is allowed: one for client access to remote servers and one policy for access to servers in a domain. Both security policy settings are dependent upon the correct configuration of other settings, as explained below.
Avviso
Setting the policy Network Security: Restrict NTLM: NTLM authentication in this domain or Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers without performing an impact assessment first might cause service outage for those applications and users still using NTLM authentication. For additional information, see Assessing NTLM usage.
In this topic
Add remote server exceptions for NTLM authentication
Add server exceptions for NTLM authentication in this domain
Additional resources
This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers policy setting is configured.
On the remote server, use the Group Policy Management Console (gpmc.msc) to configure Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Deny all outgoing NTLM traffic to remote servers. If you do not configure this policy setting, no exceptions will be applied.
On the remote server, use the Group Policy Management Console (gpmc.msc) to open the security policy Restrict NTLM: Add remote server exceptions located under the Computer Configuration/Security Settings/Security Options node.
List the server names and click OK.
The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the calling application listed one per line. A single asterisk (*) can be used at the beginning or end of the string as a wild card character.
Reevaluate NTLM usage by viewing the NTLM authentication events in the NTLM/Operational log by using Event Viewer. Add or remove server names from the exception list to adjust.
This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the Network Security: Restrict NTLM: NTLM authentication in this domain policy setting is configured.
On the domain controller, use the Group Policy Management Console (gpmc.msc) to configure Network Security: Restrict NTLM: NTLM authentication in this domain to any option other than Allow domain logon related NTLM traffic and NTLM traffic to servers in this domain. If you do not configure this policy setting, no exceptions will be applied.
On the domain controller, use the Group Policy Management Console (gpmc.msc) to open the security policy Restrict NTLM: Add server exceptions for NTLM authentication in this domain located under the Computer Configuration/Security Settings/Security Options node.
List the server names and click OK.
The naming format for servers on this exception list is the FQDN or NetBIOS server name used by the calling application listed one per line. A single asterisk (*) can be used at the beginning or end of the string as a wild card character.
Reevaluate NTLM usage by viewing the NTLM authentication events in the Analytic log of Event Viewer. To adjust, add or remove server names from the exception list.