Sas sent me an email complaining that I am not posting as often as I should- sorry about that. I am working on a different project now but I am still in close touch with the auditing team and I'll try to do better.
Anyway a question that I hear regularly is, "how do I find all the NTLM authentications on my network"?
Other than running a network trace, the best way I have found (ok invented :-) to do this is to look at the logon events in the audit log.
One of the changes we made to the logon events in Windows Vista (and therefore subsequent releases of Windows) was to include the NTLM protocol level in the logon events, if the NTLM auth package was used.
Now, with the new EventLog ecosystem, it's easy to generate some XPath to find just these events.
Here's the query:
and Task = 12544
[@Name='LmPackageName'] != '-'
To use this in Event Viewer:
The event view will now be filtered and you'll only see NTLM logon events. Additionally, each filtered event will contain a "Detailed Authentication Information" section containing the protocol level (e.g. LM, NTLM, NTLM V2) in the "Package Name" field, and the session key length, if one was negotiated.
Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128