- Microsoft has decided to kill off NT LAN Manager (NTLM) user authentication support in favor of Kerberos in Windows 11.
- Microsoft is actively working on implementing IAKerb and a local Key Distribution Center (KDC) for Kerberos, both designed to tackle protocol limitations.
- Microsoft is also taking steps to enhance NTLM management controls and modify Windows components to adopt the Negotiate protocol.
Microsoft is getting ready to say goodbye to NT LAN Manager (NTLM), a long-standing authentication protocol, in favor of the more robust and secure Kerberos protocol. The transition also brings two new fallback mechanisms into play, aimed at addressing existing limitations of Kerberos.
NT LAN Manager (NTLM) is a suite of Microsoft security protocols designed to provide authentication, integrity, and confidentiality to end-users. NTLM uses a challenge-response mechanism for authentication: the server sends a challenge to the client, the client encrypts that challenge with the user’s password, and the result is returned to the server as the response.
Kerberos is generally considered the more secure and modern authentication mechanism. However, NTLM remains popular because it offers several practical advantages over Kerberos. For instance, it doesn’t require a local network connection to the Domain Controller (DC), and the client doesn’t need to know the identity of the target server.
To leverage these benefits, developers hardcode NTLM into their applications and services. That said, NTLM carries various weaknesses that can lead to pass-the-hash or relay attacks, and Microsoft recommends that customers switch to more secure solutions like Kerberos. Nevertheless, NTLM is still widely used for legacy support and in situations where Kerberos can’t be deployed. It also serves as a fallback authentication method when Kerberos fails.
Microsoft has decided to introduce two new authentication features to Kerberos to boost security on Windows 11. The first one is Pass Through Authentication Using Kerberos (IAKerb), which allows authentication with a Domain Controller through a server that has line-of-sight access to the infrastructure.
“This works through the Negotiate authentication extension and allows the Windows authentication stack to proxy Kerberos messages through the server on behalf of the client. IAKerb relies on the cryptographic security guarantees of Kerberos to protect the messages in transit through the server to prevent replay or relay attacks. This type of proxy is useful in firewall segmented environments or remote access scenarios,” Microsoft explained.
Additionally, Microsoft is introducing a local Key Distribution Center (KDC) for Kerberos, which adds Kerberos authentication support for local accounts. The feature leverages IAKerb and the Security Account Manager (SAM) to pass Kerberos messages between remote machines without relying on DCLocator, NetLogon, or DNS.
Microsoft will gradually modify its existing Windows components to replace NTLM with the Negotiate protocol. The company will continue to support NTLM as a fallback mechanism to ensure compatibility with legacy apps and services that haven’t been updated. Microsoft also plans to improve NTLM management controls to help organizations track the usage of the legacy protocol within their environments. This should also make it easier for IT admins to disable NTLM for a specific service.
Ultimately, Microsoft plans to disable NTLM by default on Windows 11 PCs. In the meantime, the company has advised customers to gain more visibility into their NTLM usage and to identify existing hard-coded implementations.