Security Monitoring: Using SCOM to detect NTLMv1 and LanManager Authentication Types

Disclaimer: Due to changes in the MSFT corporate blogging policy, I’m moving all of my content to the following location. Please reference all future content from that location. Thanks.

One of the big changes in the next release of the Security Monitoring management pack will be reports designed to let administrators if they are using older protocols in their environments. It goes without saying that many older protocols are often full of vulnerabilities. As well, they tend to be on by default due to concerns about what might break should they be shut off.

Recently, a colleague of mine wrote a nice article in regards to these protocols. This post will concentrate a bit more on the auditing aspect of the article. What we have done in the security monitoring MP is to create two collection rules targeting authentication on domain controllers. These will look for the following conditions:

NTLMv1

  • Event ID = 4625
  • Parameter 11 (Authentication Package) = NTLM
  • Parameter 15 = NTLMv1 (note that the friendly view name differs from the name in the event description. The friendly view name is LMPackageName.)

LanMan

  • Event ID = 4625
  • Parameter 11 (Authentication Package) = NTLM
  • Parameter 15 = LM (note that the friendly view name differs from the name in the event description. The friendly view name is LMPackageName.)

The reports will tell us where this access is taking place along with which accounts are using it. This should give administrators a better picture to the types of activities going on in their environments.

Feel free to add comments or reach out to me on LinkedIn.