How to Set Up Windows Server 2016 NTLM Authentication

NTLM (NT LAN Manager) is a challenge-response authentication protocol that predates Kerberos in the Windows ecosystem. While Kerberos is the preferred authentication protocol in Windows Server 2016 Active Directory environments, NTLM is still used in several scenarios: when clients connect using IP addresses instead of DNS names, when accessing resources in workgroup environments, when Kerberos fails due to SPN misconfiguration, or when legacy applications do not support Kerberos.

Understanding how to configure, restrict, and monitor NTLM authentication in Windows Server 2016 is important both for maintaining compatibility with legacy systems and for hardening your environment against NTLM-based attacks such as pass-the-hash and NTLM relay attacks.

Step 1: Understand NTLM Authentication Types

NTLM has three versions: LM (LAN Manager), NTLM v1, and NTLM v2. LM and NTLMv1 are considered cryptographically weak and should be disabled. NTLMv2 is the current version and provides significantly stronger security than its predecessors. Windows Server 2016 defaults to requiring NTLMv2, but older clients may still negotiate weaker versions unless explicitly blocked.

Step 2: Configure the LAN Manager Authentication Level

The LAN Manager authentication level policy controls which NTLM version is used. Configure this via Group Policy to enforce NTLMv2 only:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: LAN Manager authentication level

Set this to the most restrictive option appropriate for your environment:

Send NTLMv2 response only. Refuse LM & NTLM

To configure this via PowerShell on a domain controller:

# LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "LmCompatibilityLevel" -Value 5 -Type DWord

Step 3: Disable LM Hash Storage

LM hashes are extremely weak and should not be stored in the Security Account Manager (SAM) database. Ensure LM hash storage is disabled:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Do not store LAN Manager hash value on next password change

Set this policy to Enabled. Alternatively, configure via registry:

# NoLMHash 1 = do not store the LM hash at the next password change
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "NoLMHash" -Value 1 -Type DWord

Step 4: Configure NTLM Auditing

Before restricting or blocking NTLM, audit its usage to identify which clients and applications still rely on it. Windows Server 2016 provides granular NTLM auditing via Group Policy:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Audit NTLM authentication in this domain

Set this to Enable all. After enabling auditing, NTLM authentication events are logged under event ID 8004 in the Microsoft-Windows-NTLM/Operational log:

Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004 } |
    Select-Object TimeCreated, Message -First 20
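As an added example (not from the original article), the following PowerShell turns the 8004 audit events into an inventory of which workstations and accounts still authenticate with NTLM, and to which servers, so the list can be worked through before anything is blocked. The message labels it parses ("Secure Channel name", "User name", "Domain name", "Workstation name") are assumed from the 8004 event text, and Get-NtlmAuditInventory is a name chosen here.

```powershell
# Added example (not from the original article): inventory NTLM usage from the
# 8004 audit events before restricting anything. Assumes the 8004 message body
# carries the labels "Secure Channel name:", "User name:", "Domain name:" and
# "Workstation name:"; adjust $pattern if your events differ.
function Get-NtlmAuditInventory {
    param(
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME   # a DC with auditing enabled
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName `
        -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    # Pull the labelled fields out of the message text, one "Label: value" per line.
    $pattern = '(?m)^(?<Label>Secure Channel name|User name|Domain name|Workstation name):\s*(?<Value>.*?)\s*$'
    $events | ForEach-Object {
        $f = @{}
        foreach ($m in [regex]::Matches($_.Message, $pattern)) {
            $f[$m.Groups['Label'].Value] = $m.Groups['Value'].Value
        }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($f['Domain name'])\$($f['User name'])"
            Workstation = $f['Workstation name']
            Target      = $f['Secure Channel name']   # server the client authenticated to
        }
    } |
    Group-Object Workstation, Target, User |
    ForEach-Object {
        [pscustomobject]@{
            Workstation = $_.Group[0].Workstation
            Target      = $_.Group[0].Target
            User        = $_.Group[0].User
            Count       = $_.Count
            LastSeen    = ($_.Group | Sort-Object Time -Descending)[0].Time
        }
    } | Sort-Object Count -Descending
}

# Usage: the noisiest NTLM sources over the last week; work down this list
# (fix SPNs, connect by DNS name, upgrade clients) before moving to Step 5.
Get-NtlmAuditInventory -Days 7 | Format-Table -AutoSize
```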

Step 5: Restrict Incoming NTLM Traffic

Once you have audited NTLM usage and remediated applications that can use Kerberos, restrict incoming NTLM authentication on domain controllers. Configure the restriction policy:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: NTLM authentication in this domain

Options range from auditing only to full denial. Start with Deny for domain accounts to DCs before moving to more restrictive settings:

Deny for domain accounts to domain controllers

Step 6: Configure NTLM Exceptions (Whitelist)

If certain applications or servers legitimately require NTLM, add them to the NTLM server exception list to allow NTLM while restricting it elsewhere:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Add server exceptions in this domain

Add the server names as a comma-separated list, supporting wildcards:

legacyapp01, legacyapp02, *.legacydomain.com

Step 7: Configure Extended Protection for Authentication

Extended Protection for Authentication (EPA) helps prevent NTLM relay attacks by binding NTLM tokens to specific TLS channels. Enable EPA for IIS services that use NTLM:

Import-Module WebAdministration
# tokenChecking: None (off), Allow (accept bound and unbound tokens), Require (bound tokens only).
# "IIS:\" applies the setting server-wide; add -Location "Default Web Site" to scope it to one site.
Set-WebConfigurationProperty -Filter "system.webServer/security/authentication/windowsAuthentication" `
    -PSPath "IIS:\" -Name "extendedProtection.tokenChecking" -Value "Require"

Step 8: Monitor NTLM Authentication Events

Track NTLM events in the Security event log to detect unusual authentication patterns. Key event IDs for NTLM include:

Event ID 4776 - The computer attempted to validate the credentials for an account (NTLM)
Event ID 4625 - An account failed to log on
Event ID 4624 - An account was successfully logged on (check LogonType and AuthenticationPackageName)

To find all NTLM logon events in the Security log:

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
    Where-Object { $_.Message -match "NTLM" } |
    Select-Object TimeCreated, Message -First 20 |
    Format-List
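As an added example (not from the original article), the following PowerShell selects the 4624 events by their AuthenticationPackageName field rather than by a text match on Message, reads LogonType, IpAddress, WorkstationName and LmPackageName from the event XML, and summarises NTLM logons per source host while flagging any that negotiated NTLM V1. The field names are the standard 4624 EventData names; Get-NtlmLogonSummary and the output columns are chosen here.

```powershell
# Added example (not from the original article): list NTLM logons from 4624 by
# reading the event's EventData fields (AuthenticationPackageName, LmPackageName,
# LogonType, IpAddress, WorkstationName, TargetUserName) instead of a text match
# on Message, and flag sessions that negotiated NTLM V1. The output shape is mine.
function Get-NtlmLogonSummary {
    param([int]$Hours = 24)
    $ms = $Hours * 3600 * 1000
    # Let the event log do the filtering: 4624 + NTLM package, within the window.
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]]" +
             " and EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"
    $events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $logons = foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { if ($n.Name) { $d[$n.Name] = $n.'#text' } }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = [int]$d.LogonType          # 3 = network, 10 = RDP, ...
            Source      = $d.IpAddress
            Workstation = $d.WorkstationName
            LmPackage   = $d.LmPackageName           # 'NTLM V1' or 'NTLM V2'
        }
    }

    # One row per source host and NTLM version; NTLM V1 rows are the ones to chase first.
    $logons | Group-Object Source, LmPackage | ForEach-Object {
        [pscustomobject]@{
            Source     = $_.Group[0].Source
            LmPackage  = $_.Group[0].LmPackage
            WeakNtlmV1 = $_.Group[0].LmPackage -eq 'NTLM V1'
            Logons     = $_.Count
            Users      = ($_.Group.User | Sort-Object -Unique) -join ', '
            LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ','
        }
    } | Sort-Object WeakNtlmV1, Logons -Descending
}

# Usage: NTLM V1 sources first, then the busiest NTLM V2 sources.
Get-NtlmLogonSummary -Hours 24 | Format-Table -AutoSize
```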

Managing NTLM authentication in Windows Server 2016 requires a balanced approach: audit first to understand dependencies, then progressively restrict to reduce the attack surface while maintaining the functionality that legitimate applications require.