JerryDevore, I currently have an ELK stack set up to capture logs from our DCs, so I can capture 4624 events that occur on the DCs, but adding our member servers will be more difficult. There are quite a few events against our DCs; the events have a computer name in "Workstation Name". I take it this is where the misconfiguration is?
Can I also just confirm the authentication in this case is just between this computer and the DC? For example, if the client machine contacted another server which supported NTLMv1, the 4624 event would be logged on that destination server and not the DC, and that's why you need to capture the 4624 events on member servers.
Could we investigate and fix all these events on our DCs, then enable "Network security: LAN Manager authentication level" 5, just on the DCs?
Would that then protect the DCs but the member servers could still communicate with each other in NTLMv1 till we investigate and eliminate it on them?
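
An added example, not part of the post above: one way to tally NTLMv1 logons in 4624 events exported from ELK as JSON lines, grouped by the host that logged the event and the "Workstation Name" it recorded. The field layout (`winlog.event_data.LmPackageName` and so on) assumes Winlogbeat-style documents, and the sample events are constructed.

```python
import json
from collections import Counter

# Constructed sample documents (not real logs); field names assume Winlogbeat's layout.
_E = '{"winlog":{"event_id":%s,"computer_name":"%s","event_data":{"LmPackageName":"%s","WorkstationName":"%s","IpAddress":"%s","TargetUserName":"%s"}}}'
SAMPLE = [
    _E % (4624, "DC01.example.test", "NTLM V1", "WKS-017", "10.0.0.17", "alice"),
    _E % ('"4624"', "DC01.example.test", "NTLM V2", "WKS-020", "10.0.0.20", "bob"),
    _E % (4624, "DC01.example.test", "NTLM V1", "WKS-017", "10.0.0.17", "carol"),
    _E % (4624, "DC01.example.test", "-", "WKS-030", "10.0.0.30", "dave"),      # Kerberos logon
    _E % (4624, "DC01.example.test", "NTLM V1", "-", "10.0.0.52", "erin"),      # no workstation name
    _E % ('"4624"', "FILE01.example.test", "NTLM V1", "WKS-044", "10.0.0.44", "frank"),
    _E % (4625, "DC01.example.test", "NTLM V1", "WKS-099", "10.0.0.99", "mallory"),  # failed logon
    "not json at all",
]

def ntlmv1_logons(lines):
    """Yield (logging_host, source, user) for each 4624 event that used NTLMv1."""
    for line in lines:
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON export lines
        win = doc.get("winlog", {})
        data = win.get("event_data", {})
        # event_id is numeric in some shipper versions and a string in others
        if str(win.get("event_id")) != "4624":
            continue
        # "Package Name (NTLM only)" reads "NTLM V1" for NTLMv1 logons
        if (data.get("LmPackageName") or "").strip().upper() != "NTLM V1":
            continue
        source = (data.get("WorkstationName") or "").strip()
        if source in ("", "-"):
            source = data.get("IpAddress") or "unknown"  # fall back to source address
        yield win.get("computer_name", "unknown"), source, data.get("TargetUserName", "unknown")

def summarize(lines):
    """Count NTLMv1 logons per (host that logged the event, originating workstation)."""
    return Counter((host, source) for host, source, _user in ntlmv1_logons(lines))

if __name__ == "__main__":
    for (host, source), count in summarize(SAMPLE).most_common():
        print(f"{count:3d}  logged on {host}  from {source}")
```
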