NTLM auditing configured on only one DC


Kurt Buff

Sep 11, 2021, 3:11:11 PM
to ntsys...@googlegroups.com
All,

We have 3 DCs, all 2012 R2. On one of them (but not the other two), I'm seeing event ID 16869 all over the place, which states:

     Audit only mode is currently enabled for remote calls to the SAM database.
     The following client would have been normally denied access:
     Client SID: S-1-5-21-207515869-1525690680-377547397-13827 from network address: 10.5.20.152.
     For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.

I would think that this would be the result of turning on in a GPO (or locally with GPEDIT) either

     Network Security: Restrict NTLM: Audit Incoming NTLM Incoming Traffic
or
     Network Security: Restrict NTLM: Audit NTLM authentication in this domain

I've examined both gpedit.msc and output from gpresult on this machine, and neither of them is set - and JFTR, this DC is not a FSMO role holder, those are all held by one of the other DCs. All DCs are GCs.

Could someone have turned this on for this DC only via gpedit, gotten it going, then when GPOs applied it didn't actually turn it off?

I've searched the registry on this machine, and don't see an entry corresponding to either of the presumed settings under HKLM.

I don't mind this behavior - I was just going to set this up via GPO anyway, but it's awfully strange to see it on only one of the DCs, and before I actually set up the GPO.

Thanks,
Kurt

don.l....@gmail.com

Sep 12, 2021, 1:10:35 AM
to ntsys...@googlegroups.com

Hrmm, the way I read the fwlinked docs, this is not about NTLM but is about SAM DB access audit-only mode, for which there is no GP template, and is disabled by default?

Network access - Restrict clients allowed to make remote calls to SAM - Windows security | Microsoft Docs

Registry details:

    Path:       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Setting:    RestrictRemoteSamAuditOnlyMode
    Data Type:  REG_DWORD
    Value:      1
    Notes:      This setting cannot be added or removed by using predefined Group Policy settings.
                Administrators may create a custom policy to set the registry value if needed.
                SAM responds dynamically to changes in this registry value without a reboot.

So somebody has set the regkey manually on that server?

Presumably to generate events, for further analysis?

 

DonP


Kurt Buff

Sep 12, 2021, 12:36:06 PM
to ntsys...@googlegroups.com
Excellent find.

I will look at this on Monday, and see if that makes a difference.

Kurt

Charles F Sullivan

Sep 13, 2021, 11:37:09 AM
to ntsys...@googlegroups.com
There actually is a GP setting for this:
Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options >>  Network access: Restrict clients allowed to make remote calls to SAM
However, I don't see it in the GP editor on Windows 2012 R2. I'll assume that it can be set only from later versions of Windows, but will affect Windows 7 and later with the KB (and later) installed.

--
Charlie Sullivan
Principal Windows Systems Administrator
Boston College
197 Foster St. Room 367
Brighton, MA 02135
617-552-4318

Kurt Buff

Sep 13, 2021, 12:19:14 PM
to ntsys...@googlegroups.com
Nice - I just checked, and yes, that registry entry is present on the affected DC, and not on the other two.

At least it's benign - and I think I will take advantage of the data it provides.

Kurt

Kurt Buff

Sep 13, 2021, 12:28:24 PM
to ntsys...@googlegroups.com
Confirmed - I don't see it in gpedit.msc on the DC. I've also browsed the GPOs applied to the Domain Controllers OU, and none contain that setting. So, it was done by someone setting the registry entry manually.

Thanks,
Kurt
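The check Kurt ran by hand (is RestrictRemoteSamAuditOnlyMode set on each DC, and what is it reporting?) can be done across all DCs in one pass. This is an added example, not something posted in the thread; it assumes the RSAT ActiveDirectory module, WinRM access to the DCs, and that the audit-only events are written to the System log by the provider Microsoft-Windows-Directory-Services-SAM with the event ID quoted above.

```powershell
# Added example: inventory RestrictRemoteSamAuditOnlyMode on every DC and
# summarise the "would have been denied" clients it logs (last 7 days).
# Assumptions: RSAT AD module, WinRM to the DCs, provider name as stated above.
$EventId = 16869   # ID quoted in the thread
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$RegName = 'RestrictRemoteSamAuditOnlyMode'

$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($RegPath, $RegName, $EventId)

    # An absent value means the setting is simply not configured on this DC.
    $prop  = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    $value = if ($null -ne $prop) { $prop.$RegName } else { $null }

    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Directory-Services-SAM'   # assumption
        Id           = $EventId
        StartTime    = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue

    # Pull the client SID and source address out of each message so the
    # audit data can be grouped per caller before any enforcement is planned.
    $clients = foreach ($e in $events) {
        if ($e.Message -match 'Client SID:\s*(S-[\d-]+)\s+from network address:\s*([\d\.]+)') {
            [pscustomobject]@{ Sid = $Matches[1]; Address = $Matches[2] }
        }
    }

    [pscustomobject]@{
        DC            = $env:COMPUTERNAME
        AuditOnlyMode = $value          # 1 = audit only, $null = not configured
        EventCount    = @($events).Count
        TopClients    = ($clients | Group-Object Sid, Address |
                         Sort-Object Count -Descending | Select-Object -First 5 |
                         ForEach-Object { "$($_.Name) x$($_.Count)" }) -join '; '
    }
} -ArgumentList $RegPath, $RegName, $EventId

# One row per DC. A DC showing AuditOnlyMode = 1 while no GPO carries the
# setting was configured by hand, which is the situation in this thread.
$results | Select-Object DC, AuditOnlyMode, EventCount, TopClients | Format-Table -AutoSize
```

The SIDs in TopClients can be resolved afterwards with Get-ADObject or a SecurityIdentifier.Translate() call to see which accounts are actually making remote SAM calls.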
