Thanks Glenn_Jefferson!
Getting your domain controller to level 4 should be very achievable. With that setting the DCs will only offer NTLMv2 when initiating an authentication and will still accept NTLMv1 for inbound authentication and credential validation. It will prevent the use of LAN Man hashes, but AD stopped generating LM hashes a long time ago (by default). You don’t want to step to level 5 until no NTLMv1 with domain credentials is happening.
Disabling NTLMv1 will not break anonymous authentications. The link you shared speaks to the fact that anonymous 4624 events show the use of NTLMv1 due to the lack of NTLMv2 key material, but it did not explain that those connections will not be impacted if NTLMv1 was blocked. For more details see Ryan’s comments on this page.
Short of network captures, a 4624 is the only way I know to audit for NTLMv1 use. Given 4624 events are logged on the server hosting the resource, it is necessary to collect those events from all member servers to be completely thorough. That does not mean you have to forward the entire security log from the member servers. You could configure a forwarding rule to only forward the 4624 events for NTLMv1 authentications. The native Windows server solution for doing that is to set up a Windows Event Forwarding collector, then use the following XPath filter to only send the desired events. That approach works well if you don’t have a SIEM or your SIEM does not have capacity to spare.
<QueryList>
  <!-- Security log only: 4624 is a successful logon -->
  <Query Id="0" Path="Security">
    <!-- The NTLM version is recorded in LmPackageName ("NTLM V1" / "NTLM V2" / "-");
         AuthenticationPackageName reads "NTLM" for both versions, so filter on LmPackageName.
         The TargetUserName comparison is made on that specific field so a bare
         Data!='ANONYMOUS LOGON' (true whenever any other field differs) cannot let anonymous logons through. -->
    <Select Path="Security">
      *[System[(EventID=4624)]]
      and *[EventData[Data[@Name='LmPackageName']='NTLM V1']]
      and *[EventData[Data[@Name='TargetUserName']!='ANONYMOUS LOGON']]
    </Select>
  </Query>
</QueryList>
Your filter logic looks correct. You want to focus on NTLMv1 authentications for any account other than anonymous.
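To sanity-check that a subscription like the one above keeps only the logons you care about, the same three conditions can be applied offline to 4624 events exported as XML (the layout `wevtutil qe` or an EventLogRecord's `.ToXml()` produces). The following is an added example, not code from the original thread; the sample events, host names and addresses in it are constructed, and the `ntlmv1_sources` summary is an addition that groups hits by account and client so you know which machines still need fixing before moving to level 5.

```python
"""Apply the NTLMv1 audit conditions (4624, LmPackageName 'NTLM V1',
TargetUserName not ANONYMOUS LOGON) to Windows event XML offline."""
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by every Windows event rendered as XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _data(event: ET.Element, name: str) -> str:
    """Text of the <Data Name="..."> field in EventData, or '' if the field is absent."""
    node = event.find(f"e:EventData/e:Data[@Name='{name}']", NS)
    return (node.text or "").strip() if node is not None else ""


def is_ntlmv1_logon(event_xml: str) -> bool:
    """True for a 4624 event that used NTLMv1 for a non-anonymous account.

    The NTLM version lives in LmPackageName; AuthenticationPackageName only
    says 'NTLM' for both v1 and v2, so it is not enough on its own.
    """
    event = ET.fromstring(event_xml)
    event_id = event.findtext("e:System/e:EventID", default="", namespaces=NS)
    if event_id.strip() != "4624":
        return False
    if _data(event, "LmPackageName") != "NTLM V1":
        return False
    # Compare the TargetUserName field itself, not "any Data field differs".
    return _data(event, "TargetUserName").upper() != "ANONYMOUS LOGON"


def ntlmv1_sources(events_xml) -> Counter:
    """Count NTLMv1 logons per (DOMAIN\\user, client address or workstation)."""
    hits = Counter()
    for xml_text in events_xml:
        if not is_ntlmv1_logon(xml_text):
            continue
        event = ET.fromstring(xml_text)
        account = _data(event, "TargetDomainName") + "\\" + _data(event, "TargetUserName")
        source = _data(event, "IpAddress") or _data(event, "WorkstationName")
        hits[(account, source)] += 1
    return hits


def _sample_event(event_id, user, lm_package, auth_package="NTLM",
                  domain="CORP", ip="10.0.0.42", workstation="WS42") -> str:
    """Constructed sample event in the Windows event XML layout (not real log data)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <Computer>FS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">{domain}</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">{auth_package}</Data>
    <Data Name="LmPackageName">{lm_package}</Data>
    <Data Name="WorkstationName">{workstation}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


# Constructed test data covering the cases the filter must separate.
SAMPLE_EVENTS = [
    _sample_event(4624, "jdoe", "NTLM V1"),                                    # wanted
    _sample_event(4624, "jdoe", "NTLM V1", ip="10.0.0.43", workstation="WS43"),  # wanted, second client
    _sample_event(4624, "ANONYMOUS LOGON", "NTLM V1", domain="NT AUTHORITY",
                  ip="-", workstation="-"),                                    # excluded: anonymous
    _sample_event(4624, "svc-backup", "NTLM V2"),                              # excluded: NTLMv2
    _sample_event(4624, "asmith", "-", auth_package="Kerberos"),               # excluded: Kerberos
    _sample_event(4625, "jdoe", "NTLM V1"),                                    # excluded: failed logon, not 4624
]

if __name__ == "__main__":
    for (account, source), count in sorted(ntlmv1_sources(SAMPLE_EVENTS).items()):
        print(f"{count:3d}  {account:<24} from {source}")
```

On a live collector the same `<QueryList>` can be passed to `Get-WinEvent -LogName Security -FilterXml`, and each returned record's `.ToXml()` is in the format this parser expects, so the offline check and the subscription agree on what counts as an NTLMv1 logon.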