Replay: NTLM and Pass-Through Authentication

INTRODUCTION

Windows Server 2008 R2 and Windows 7 restrict NTLM authentication usage out of the box. This feature is known as NTLM blocking. NTLM blocking prevents NTLM from being used for authentication. It works for both incoming and outgoing connections and allows you to create exceptions. NTLM blocking is implemented using Group Policies that can be accessed under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options. These settings are described in the next section.

Using a combination of these policies it is possible to control and audit the flow of NTLM traffic to and from computers running Windows Server 2008 R2/Windows 7 and other computers that may be within or outside the domain.

THE POLICIES EXPLAINED

Policy: Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
Description: This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the “Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy setting is configured.

Policy: Network security: Restrict NTLM: Add server exceptions in this domain
Description: This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the “Network Security: Restrict NTLM: Deny NTLM authentication in this domain” policy setting is configured.

Policy: Network security: Restrict NTLM: Incoming NTLM traffic
Description: This policy setting allows you to deny or allow incoming NTLM traffic.

Policy: Network security: Restrict NTLM: NTLM authentication in this domain
Description: This policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy does not affect interactive logon to this domain controller.

Policy: Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Description: This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or Windows Server 2008 R2 computer to any Windows remote server.

Policy: Network security: Restrict NTLM: Audit Incoming NTLM Traffic
Description: This policy setting allows you to audit incoming NTLM traffic.

Policy: Network security: Restrict NTLM: Audit NTLM authentication in this domain
Description: This policy setting allows you to audit NTLM authentication in a domain from this domain controller.

PASS-THROUGH AUTHENTICATION

The NetLogon service is responsible for implementing pass-through authentication. To perform pass-through authentication the service

  • Selects the domain to pass the authentication request to.
  • Selects the server within the domain.
  • Passes the authentication request through to the selected server.

Selecting the domain is straightforward. The domain name is passed to LsaLogonUser. LsaLogonUser supports interactive logons, service logons, and network logons. If the domain name specified is not trusted by the domain, the authentication request is processed on the computer being connected to as if the domain name specified were that computer's own domain name. NetLogon does not differentiate between a nonexistent domain, an untrusted domain, and an incorrectly typed domain name.

POLICY SETTINGS TO ENABLE NTLM PASS-THROUGH AUTHENTICATION

If pass-through authentication on a Windows Server 2008 R2 machine fails, check for the presence of Network Security: Restrict NTLM: policy settings under the aforementioned policy location. To disable restrictions on NTLM authentication:

  1. Run the command prompt as administrator.
  2. At the command prompt, type gpedit.msc and press Enter.
  3. In the Local Group Policy Editor window, navigate to Local Computer Policy → Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options and set the following policies:

     Policy: Network security: Restrict NTLM: Incoming NTLM traffic
     Purpose: This policy setting allows you to deny or allow incoming NTLM traffic.
     Security setting: Allow all

     Policy: Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
     Purpose: This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or Windows Server 2008 R2 computer to any Windows remote server.
     Security setting: Allow all

     Policy: Network security: Restrict NTLM: Audit NTLM authentication in this domain
     Purpose: This policy setting allows you to audit NTLM authentication in a domain from this domain controller.
     Security setting: Enable all

     Policy: Network security: Restrict NTLM: Audit Incoming NTLM Traffic
     Purpose: This policy setting allows you to audit incoming NTLM traffic.
     Security setting: Enable auditing for all accounts

  4. Close the policy window and, at the command prompt, type gpupdate /force.
  5. Close the command prompt.
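As an added example (not part of this tech doc or of the Replay product), the following PowerShell script reports the effective Restrict NTLM settings on the local machine by reading the registry values these Group Policy settings write, marks whether each one matches the value the procedure above sets, lists the two exception lists, and shows the most recent NTLM audit events. The registry paths, value names and value meanings are the documented ones for these policies; the script itself, the function name Get-NtlmPolicyValue and the report layout are assumptions of this example. Run it in an elevated prompt before and after gpupdate /force to confirm that the policy change actually took effect.

```powershell
# Added example: audit the local "Network security: Restrict NTLM" settings.
# The Group Policy settings described in this tech doc are stored under two keys:
$msv1     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'              # client/server-side NTLM
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'    # domain controller side

# Helper (name chosen for this example): returns the registry value, or $null
# when the policy is "Not Defined", i.e. the value has never been written.
function Get-NtlmPolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Policy -> registry value, meaning of each DWORD, and the value this tech doc's
# procedure sets ($null where the procedure does not touch the policy).
$policies = @(
    @{ Name = 'Incoming NTLM traffic'; Path = $msv1; Value = 'RestrictReceivingNTLMTraffic'
       Map = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }; Expected = 0 },
    @{ Name = 'Outgoing NTLM traffic to remote servers'; Path = $msv1; Value = 'RestrictSendingNTLMTraffic'
       Map = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }; Expected = 0 },
    @{ Name = 'Audit Incoming NTLM Traffic'; Path = $msv1; Value = 'AuditReceivingNTLMTraffic'
       Map = @{ 0 = 'Disable'; 1 = 'Enable auditing for domain accounts'; 2 = 'Enable auditing for all accounts' }; Expected = 2 },
    @{ Name = 'NTLM authentication in this domain'; Path = $netlogon; Value = 'RestrictNTLMInDomain'
       Map = @{ 0 = 'Disable'; 1 = 'Deny for domain accounts to domain servers'; 3 = 'Deny for domain accounts'
                5 = 'Deny for domain servers'; 7 = 'Deny all' }; Expected = $null },
    @{ Name = 'Audit NTLM authentication in this domain'; Path = $netlogon; Value = 'AuditNTLMInDomain'
       Map = @{ 0 = 'Disable'; 1 = 'Enable for domain accounts to domain servers'; 3 = 'Enable for domain accounts'
                5 = 'Enable for domain servers'; 7 = 'Enable all' }; Expected = 7 }
)

$report = foreach ($p in $policies) {
    $raw = Get-NtlmPolicyValue -Path $p.Path -Name $p.Value
    $meaning = if ($null -eq $raw) { 'Not Defined' }
               elseif ($p.Map.ContainsKey([int]$raw)) { $p.Map[[int]$raw] }
               else { "Unknown value $raw" }
    [pscustomobject]@{
        Policy     = "Network security: Restrict NTLM: $($p.Name)"
        Registry   = "$($p.Path)\$($p.Value)"
        Value      = $raw
        Meaning    = $meaning
        MatchesDoc = if ($null -eq $p.Expected) { 'n/a' } elseif ($raw -eq $p.Expected) { 'yes' } else { 'no' }
    }
}
$report | Format-Table Policy, Value, Meaning, MatchesDoc -AutoSize -Wrap

# Exception lists (REG_MULTI_SZ) for the two "Add ... exceptions" policies.
$exceptions = @(
    @{ Path = $msv1;     Name = 'ClientAllowedNTLMServers' },   # remote server exceptions
    @{ Path = $netlogon; Name = 'DCAllowedNTLMServers' }        # server exceptions in this domain
)
foreach ($e in $exceptions) {
    $list = Get-NtlmPolicyValue -Path $e.Path -Name $e.Name
    '{0}: {1}' -f $e.Name, $(if ($list) { $list -join ', ' } else { '(none)' })
}

# When the audit policies are enabled, NTLM audit events are written to the
# NTLM operational log (8001 outgoing, 8002 incoming, 8003 in-domain, 8004 domain controller).
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

A policy that reports Not Defined has never been written, which for the Restrict policies means no restriction and for the Audit policies means no auditing; a MatchesDoc value of no identifies the policy that still blocks pass-through authentication after the procedure above.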