I am trying to audit and reduce NTLM events for the client I am supporting. When we audited and captured the logs, what we found was that tons of logs are generated from the print server by spoolsv.exe. Doing some more research, what I figured out is that when a user sends a print job from his machine to the printer/print server, NTLM traffic keeps being generated for as long as the job is in the queue. So we blocked incoming and outgoing NTLM traffic on the print server. After that, we are no longer able to access the print server by IP, reach an SMB share on it, or RDP to it.
However, the problem now is that when a user prints, I see 2 event log entries: one event 8002 suggesting the NTLM traffic will be blocked (which we already did through local security policy), and one more event 4003 confirming that the NTLM traffic was blocked. But this has not impacted any operation, and everything works fine for now on the print server.