
CCE-96559-0

Platform: cpe:/o:microsoft:windows_11
Date: (C)2022-05-07   (M)2023-07-04



This policy setting allows you to audit incoming NTLM traffic. This policy is supported on at least Windows 7 or Windows Server 2008 R2.

Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.

Countermeasure: When you need to audit NTLM use, configure Network Security: Restrict NTLM: Audit Incoming NTLM Traffic to "Enable auditing for domain accounts" or "Enable auditing for all accounts" as appropriate for your environment.

Potential Impact: If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option.


Parameter:

[disable/enable auditing for domain accounts/enable auditing for all accounts]


Technical Mechanism:

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Audit Incoming NTLM Traffic
(2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0!AuditReceivingNTLMTraffic

CCSS Severity:

CCSS Score: 3.7
Exploit Score: 2.2
Impact Score: 1.4
Severity: LOW
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CCSS Metrics:

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: NONE
Availability: NONE

References:

Resource Id: SCAP Repo OVAL Definition
Reference: oval:org.secpod.oval:def:79317


OVAL    1
oval:org.secpod.oval:def:79317
XCCDF    1
xccdf_org.secpod_benchmark_general_Windows_11

© SecPod Technologies