This policy setting allows you to audit incoming NTLM traffic. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Audit events are recorded on this computer in the Operational Log located under the Applications and Services Log/Microsoft/Windows/NTLM. Counter Measure: When you need to audit NTLM use configure Network Security: Restrict NTLM: Audit Incoming NTLM Traffic to Enable auditing for domain accounts or Enable auditing for all accounts as appropriate for your environment. Potential Impact: If you select Disable, or do not configure this policy setting, the server will not log events for incoming NTLM traffic. If you select Enable auditing for domain accounts, the server will log events for NTLM pass-through authentication requests that would be blocked when the Network Security: Restrict NTLM: Incoming NTLM traffic policy setting is set to the Deny all domain accounts option. If you select Enable auditing for all accounts, the server will log events for all NTLM authentication requests that would be blocked when the Network Security: Restrict NTLM: Incoming NTLM traffic policy setting is set to the Deny all accounts option. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Audit Incoming NTLM Traffic (2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0!AuditReceivingNTLMTraffic