Blog Post

Core Infrastructure and Security Blog
9 MIN READ

Active Directory Hardening Series - Part 1 – Disabling NTLMv1

JerryDevore's avatar
JerryDevore
Icon for Microsoft rankMicrosoft
Sep 21, 2023
Active Directory Hardening Series - Part 1 – Disabling NTLMv1   Hello everyone, Jerry Devore back again after to along break from blogging to talk about Active Directory hardening.  In my role at...
JerryDevore_0-1695331302683.png
Updated Jan 15, 2025
Version 18.0
ADHardening
JerryDevore
Foppi84's avatar
Foppi84
Copper Contributor
Oct 23, 2023

Hi JerryDevore 

 

Both client and servers are set to 5 for HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel

The connection is coming from the correct user machine (see Workstation Name) however you're right about the anonymous logon is there and tied to my client, on the other hand there is another event record which is correctly showing Kerberos auth as opposed to NTLM.

 

What shall be my interpretation of this anonymous logon event log? Shall I be concerned about it?

 

Anonymous event

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
 
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
 
Impersonation Level: Impersonation
 
New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0xE225CBC7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
 
Process Information:
Process ID: 0x0
Process Name: -
 
Network Information:
Workstation Name: ITLT048920
Source Network Address: 10.31.36.39
Source Port: 62021
 
Detailed Authentication Information:
Logon Process: NtLmSsp 
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
 
Kerberos event
An account was successfully logged on.
 
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
 
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
 
Impersonation Level: Impersonation
 
New Logon:
Security ID: domain\firstname.lastname
Account Name: firstname.lastname
Account Domain: domain.local
Logon ID: 0xE225C702
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {4e2b3653-1422-6e72-2da9-ff69098ef0c7}
 
Process Information:
Process ID: 0x0
Process Name: -
 
Network Information:
Workstation Name: -
Source Network Address: 10.31.36.39
Source Port: 62021
 
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0