Enhancing Windows Security: The Move to Disable NTLM Authentication

## Microsoft Improving Windows Authentication, Disabling NTLM

In an effort to enhance the security of Windows authentication, Microsoft is extending the Kerberos protocol and phasing out NTLM (NT LAN Manager). Kerberos, not NTLM, has been the default Windows authentication protocol since Windows 2000, but NTLM has survived as the fallback, and it is the weaker of the two: an NTLM challenge-response exchange can be relayed by an attacker in the network path to authenticate to a different server, and a captured response can be cracked offline because it is derived directly from the user's password hash. Kerberos, a ticket-based protocol built on symmetric-key cryptography with a trusted Key Distribution Center (KDC), offers stronger guarantees, including mutual authentication of client and service.

However, Windows still uses both NTLM and Kerberos because there are scenarios where Kerberos cannot be used, most commonly when the client has no line of sight to a Domain Controller or when the account being authenticated is a local account, and in those cases the operating system falls back to NTLM. To close these gaps, Microsoft is working on two new Kerberos features that remove the need for the fallback and improve the overall security of Windows authentication.

The first feature, Initial and Pass Through Authentication Using Kerberos (IAKerb), is a public extension to the Kerberos protocol that allows a client without line of sight to a Domain Controller to authenticate through a server that does have it. This is particularly useful in firewall-segmented environments and remote access scenarios. With IAKerb, the server proxies the client's Kerberos messages to the Domain Controller on the client's behalf, and the messages are cryptographically protected in transit so that they cannot be replayed or relayed.

The second feature is a local Key Distribution Center (KDC) for Kerberos. Built on top of the local machine's Security Account Manager (SAM), it allows local user accounts to be authenticated remotely with Kerberos instead of NTLM, and it uses AES encryption by default. The local KDC relies on IAKerb to carry the Kerberos messages between the two machines, which is why it needs no additional enterprise infrastructure such as DNS, Netlogon or DCLocator support, and no new ports opened on the remote machine.

Furthermore, Microsoft is updating Windows components that currently hardcode NTLM to use the Negotiate package instead, which selects among Kerberos, IAKerb and the local KDC and keeps NTLM only as a last-resort fallback. In most cases these changes require no configuration. Microsoft also plans to give administrators improved controls to audit and block NTLM usage in their environments, so that applications and services that still rely on NTLM can be identified before the protocol is switched off.
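The inventory step the paragraph above describes, and the cataloging recommended in the conclusion, can be started today with the controls that already exist in Windows. The following PowerShell is an added example, not code from Microsoft's announcement or from the article: it switches on the existing NTLM audit policies by writing the registry values that back the "Network security: Restrict NTLM" Group Policy settings, then summarises NTLM logons from the Security log and lists the audit events in the Microsoft-Windows-NTLM/Operational channel. The server name used in the exception list is a placeholder for this example.

```powershell
# Added example (not from Microsoft or the original article). Run elevated on the
# member server or workstation you want to inventory for NTLM use.
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 holds the values behind the
# "Network security: Restrict NTLM: ..." settings under Security Options.
$Msv1 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Enable-NtlmAudit {
    # "Audit Incoming NTLM Traffic": 2 = enable auditing for all accounts
    Set-ItemProperty -Path $Msv1 -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord
    # "Outgoing NTLM traffic to remote servers": 1 = audit all (2 = deny all; do not
    # set deny until the inventory below comes back empty)
    Set-ItemProperty -Path $Msv1 -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord
    # The audit events (8001-8004) land in this operational channel; make sure it is on
    wevtutil set-log 'Microsoft-Windows-NTLM/Operational' /e:true
}

function Get-NtlmLogonSummary {
    # Successful logons (4624) whose authentication package was NTLM, grouped by
    # account, source workstation and NTLM variant. LmPackageName distinguishes
    # 'NTLM V1', 'NTLM V2' and 'LM'; V1 and LM responses crack and relay most easily.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        if ($data.AuthenticationPackageName -eq 'NTLM') {
            [pscustomobject]@{
                User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
                Workstation = $data.WorkstationName
                SourceIp    = $data.IpAddress
                LogonType   = $data.LogonType
                Package     = $data.LmPackageName
            }
        }
    } | Group-Object User, Workstation, Package |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Get-NtlmAuditEvents {
    # 8001: outgoing NTLM that the "Outgoing NTLM traffic" policy would block
    # 8002: incoming NTLM that the "Incoming NTLM Traffic" policy would block
    # 8003/8004: domain-wide audit events, written on domain controllers
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Add-NtlmServerException {
    # "Add remote server exceptions for NTLM authentication": servers listed here keep
    # working once RestrictSendingNTLMTraffic is moved from 1 (audit) to 2 (deny).
    param([Parameter(Mandatory)][string[]]$Server)
    $existing = (Get-ItemProperty -Path $Msv1 -Name 'ClientAllowedNTLMServers' `
                    -ErrorAction SilentlyContinue).ClientAllowedNTLMServers
    $merged = @($existing) + $Server | Where-Object { $_ } | Sort-Object -Unique
    Set-ItemProperty -Path $Msv1 -Name 'ClientAllowedNTLMServers' -Value $merged -Type MultiString
}

# Usage: audit first, review for a few days, then add exceptions only for what cannot move.
Enable-NtlmAudit
Get-NtlmLogonSummary -Hours 72 | Format-Table -AutoSize
Get-NtlmAuditEvents  -Hours 72 | Format-Table -AutoSize
# Add-NtlmServerException -Server 'legacy-nas.corp.example'   # placeholder name
```

The order matters: leave RestrictSendingNTLMTraffic at 1 (audit) until the 4624 summary and the 8001/8002 events stop showing entries you have not accounted for, and treat any 'NTLM V1' or 'LM' rows as the first items to fix, since those are the variants most exposed to offline cracking and relay. On a domain controller the same inventory comes from the "Audit NTLM authentication in this domain" setting and the 8004 events rather than from the MSV1_0 client values.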

Microsoft's ultimate goal is to reduce and eventually disable the use of NTLM in Windows 11. No date has been given for the disablement; Microsoft will use the reduction in observed NTLM usage to decide when the protocol can safely be turned off. In the meantime, Microsoft encourages customers to use the new controls and prepare for the change. The same controls will allow customers to re-enable NTLM if a compatibility problem requires it.

In conclusion, Microsoft's efforts to improve Windows authentication by phasing out NTLM and extending Kerberos are commendable. Removing NTLM's inherent weaknesses will give Windows users stronger authentication. Organizations, however, need to reassess their own authentication dependencies to ensure a smooth transition to the Kerberos-based alternatives. Cataloging NTLM use with the audit controls and reviewing application code for hardcoded NTLM (for example, code that requests the NTLM security package by name instead of Negotiate) will surface the dependencies that must be addressed before the fallback disappears. Overall, these changes are a step in the right direction for Windows authentication and will contribute to a safer computing environment.
