HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains multiple servers that run multiple applications. Domain user accounts are used to authenticate access requests to the servers.
You plan to prevent NTLM from being used to authenticate to the servers.
You start to audit NTLM authentication events for the domain. You need to view all of the NTLM authentication events and to identify which applications authenticate by using NTLM.
On which computers should you review the event logs and which logs should you review? To answer, select the appropriate options in the answer area.
Hot Area:
– only domain controllers
– Application and services Logs\Microsoft\Windows\NTLM\Operational
to audit all ntlm traffic, audit logs are stored in “windows log\security”:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/audit-domain-controller-ntlmv1
policy to log events for NTLM authentication requests that would be allowed or denied:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic
The qns wants to see all ntlm events and plans to block it so.
Ans: domain Controller, “windows log\security”.
“…Note: Audit events are recorded on this computer in the “Operational” Log located under the Applications and Services Log/Microsoft/Windows/NTLM….” i think you must view the log only on DC
given answer all are wrong …
Computers on which to review the event logs : Only client computers
Event logs to review : Applications and Services Logs\Microsoft\Windows\NTLM\Operational
The answer would be:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain
Only Domain Controllers
Application and services logs\Microsoft\Windows\NTLM\Operational
i think the answe should be client computers and ntlm\operational