Active Directory Hardening Series - Part 1 – Disabling NTLMv1
Hello everyone, Jerry Devore back again after a long break from blogging to talk about Active Directory hardening. In my role at...
Hi swhitestrath - Yes - Most likely the computers in the "Workstation Name" field have a registry value less than 3 for HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
If capacity to collect the security logs from your member servers is an issue, you should be able to scope down forwarding to just the 4624 events with Package Name = NTLMv1.
You are correct about the 4624 events on the DC representing direct authentications between the client and the DC. When a member server passes an authentication to the DC for validation, the DC will log a 4776 and the 4624 will be logged on the member server.
Disabling the use of NTLMv1 with domain credentials is enforced by configuring the DCs to level 5. Any NTLMv1 authentication using domain accounts will be treated as a failed attempt once the DC is at level 5. That is true whether the client was authenticating directly to the DC or to a member server. As a result you want to identify all NTLMv1 authentications in the domain prior to configuring the DCs to level 5.
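As an added example (not code from the original post or from the series it is attached to), here is the filter that scopes collection to exactly the 4624 events the reply describes, in the XML form a Windows Event Forwarding subscription or Get-WinEvent -FilterXml accepts, followed by a small parser that turns the matching events into a per-workstation, per-account list. The two sample events, the host names and addresses in them are constructed for running offline; the field names (LmPackageName, WorkstationName, TargetUserName, IpAddress) are the standard ones for event 4624.

```powershell
# Added example, not part of the original post. Assumes standard 4624 field names;
# the sample events below are constructed and describe no real host.

# Same XML works as the <Query> of a WEF subscription, so only NTLMv1 logons leave
# the member server, and with Get-WinEvent -FilterXml for a local check.
$NtlmV1Query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[EventID=4624]] and *[EventData[Data[@Name='LmPackageName']='NTLM V1']]
    </Select>
  </Query>
</QueryList>
"@

function ConvertTo-NtlmV1Logon {
    # Emits one object per NTLMv1 4624 event; everything else (NTLMv2, Kerberos) is dropped.
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['AuthenticationPackageName'] -ne 'NTLM' -or $d['LmPackageName'] -ne 'NTLM V1') { return }
        [pscustomobject]@{
            Time        = [datetime]$x.Event.System.TimeCreated.SystemTime
            Server      = $x.Event.System.Computer        # host that logged it (member server or DC)
            Account     = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            Workstation = $d['WorkstationName']           # the client to fix (LmCompatibilityLevel < 3)
            IpAddress   = $d['IpAddress']
            LogonType   = $d['LogonType']
        }
    }
}

# Constructed sample events: one NTLMv1 logon that should be reported, one NTLMv2 that should not.
$SampleNtlmV1 = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2023-01-10T09:15:00.000Z"/><Computer>iis01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">svc-legacy</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data><Data Name="WorkstationName">OLDSCAN01</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data><Data Name="LmPackageName">NTLM V1</Data>
    <Data Name="IpAddress">10.0.5.23</Data>
  </EventData>
</Event>
"@
$SampleNtlmV2 = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2023-01-10T09:16:00.000Z"/><Computer>iis01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data><Data Name="WorkstationName">WS-4412</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data><Data Name="LmPackageName">NTLM V2</Data>
    <Data Name="IpAddress">10.0.7.8</Data>
  </EventData>
</Event>
"@

# Prefer the live Security log (needs administrative rights); fall back to the samples.
try {
    $events = Get-WinEvent -FilterXml $NtlmV1Query -ErrorAction Stop | ForEach-Object { $_.ToXml() }
} catch {
    Write-Warning 'Security log unavailable or no matching events; using the constructed sample events.'
    $events = @($SampleNtlmV1, $SampleNtlmV2)
}

# Output: the (workstation, account) pairs to remediate before the DCs go to level 5.
$events | ConvertTo-NtlmV1Logon |
    Group-Object Workstation, Account |
    Select-Object Count,
                  @{ n = 'Workstation, Account'; e = { $_.Name } },
                  @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run on each member server (or against the forwarded-events log on the collector) it lists every client still sending NTLMv1, which is the inventory the reply says to build before the DCs go to level 5. Against the samples it reports only OLDSCAN01 / CORP\svc-legacy, once.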
Thanks for all this information, it's much appreciated. Coming back to this again as it was put on the back burner.
To begin with we would set clients to level 3, but what about servers, would we also set them to 3? In your example would the IIS server be considered a "recipient of the request", so we would set that at level 4 or 5?
I would set all devices to a minimum of level 3. At level 3 only NTLMv2 will be negotiated for outbound connections but NTLMv1 will still be allowed for inbound connections. IIS would be a recipient of the request. If you set an IIS server to level 4 it would no longer accept LM (not used any more anyway) but would accept NTLMv1 and v2. Once you bump it up to level 5 NTLMv1 will be rejected leaving only v2. Based on that you could technically go straight to level 4 on them.
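Added example, not from the original post or the series: a PowerShell audit of LmCompatibilityLevel across a set of hosts that reports, using the level semantics the reply lays out, which hosts still send NTLMv1 outbound (the workstations that appear in "Workstation Name") and which still accept it inbound (the servers and DCs that need level 5), plus a local setter that only ever raises the level. It assumes the registry path named in the thread, that an absent value means the OS default of 3 (Windows Vista / Server 2008 and later), that remote hosts are reachable over PowerShell remoting, and the names 'iis01' and 'dc01' are placeholders.

```powershell
# Added example, not part of the original post. Assumes the Lsa key from the thread,
# a default of 3 when the value is absent, and PowerShell remoting for remote hosts.

$LsaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$DefaultLevel = 3   # effective level when the value is not set (Vista / Server 2008 and later)

function Get-LmLevelBehavior {
    # What a given level sends and still accepts, per the thread: 3 stops sending NTLMv1,
    # 4 stops accepting LM inbound, 5 stops accepting NTLMv1 inbound.
    param([ValidateRange(0, 5)][int]$Level)
    [pscustomobject]@{
        Level           = $Level
        SendsNtlmV2Only = $Level -ge 3
        AcceptsLm       = $Level -le 3
        AcceptsNtlmV1   = $Level -le 4
    }
}

function Get-LmCompatibilityLevel {
    # Reads the effective level from one or more computers (local by default).
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    $read = {
        param($Key, $Default)
        $v = (Get-ItemProperty -Path $Key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
        if ($null -eq $v) { $Default } else { [int]$v }
    }
    foreach ($c in $ComputerName) {
        try {
            $level = if ($c -eq $env:COMPUTERNAME) { & $read $LsaKey $DefaultLevel }
                     else { Invoke-Command -ComputerName $c -ScriptBlock $read -ArgumentList $LsaKey, $DefaultLevel -ErrorAction Stop }
            $b = Get-LmLevelBehavior -Level $level
            [pscustomobject]@{ Computer = $c; Level = $level; SendsNtlmV2Only = $b.SendsNtlmV2Only; AcceptsNtlmV1 = $b.AcceptsNtlmV1 }
        } catch {
            # Unreachable hosts are reported with a null level rather than silently skipped.
            [pscustomobject]@{ Computer = $c; Level = $null; SendsNtlmV2Only = $null; AcceptsNtlmV1 = $null }
        }
    }
}

function Set-LmCompatibilityLevel {
    # Raises the local level; refuses to lower it so a typo cannot weaken a host.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 5)][int]$Level)
    $current = (Get-LmCompatibilityLevel).Level
    if ($Level -le $current) { Write-Verbose "Already at level $current"; return $current }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set LmCompatibilityLevel $current -> $Level")) {
        Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    }
    return $Level
}

# Audit. Placeholder names: replace with the workstations from the 4624 events, the member
# servers that receive requests, and the DCs.
$Audit = Get-LmCompatibilityLevel -ComputerName $env:COMPUTERNAME, 'iis01', 'dc01'
$Audit | Format-Table -AutoSize
$Audit | Where-Object { $null -ne $_.Level -and $_.Level -lt 3 } |
    ForEach-Object { Write-Warning "$($_.Computer) is at level $($_.Level): still sends NTLMv1, fix before the DCs go to 5" }
$Audit | Where-Object { $null -ne $_.Level -and $_.Level -lt 5 } |
    ForEach-Object { Write-Host "$($_.Computer) is at level $($_.Level): still accepts inbound NTLMv1" }

# Remediation on the local host; -WhatIf shows the change without applying it.
# For a domain-wide rollout use the GPO "Network security: LAN Manager authentication level".
Set-LmCompatibilityLevel -Level 3 -WhatIf
```

The two warning classes mirror the rollout order in the thread: anything below 3 is a sender to fix first, and only after the 4624 inventory is clean do the recipients (member servers, then the DCs) go to 5.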