Microsoft’s initiative to phase out NTLM
Microsoft’s initiative to phase out NTLM authentication in favor of the more secure Kerberos protocol was originally announced back in October 2023. At that time, the Windows maker declared its intention to deprecate NTLM and encourage organizations to transition to Kerberos for authentication purposes across its ecosystem.
When will NTLM be Retired
Microsoft announced this week that later this year they are expecting to retire NTLM authentication in Windows 11. This comes alongside a wave of new security features designed to fortify the popular operating system.
Microsoft is focused on enhancing the tools available for auditing NTLM authentication. These improvements will enable IT teams to gain deeper insights into NTLM usage within their organizations, identify which applications and clients are utilizing it, and exert greater control over its removal from the network.
In response to current security demands and the need for more robust authentication mechanisms, Microsoft has introduced two new Kerberos features: IAKerb and Local KDC. These additions are expected to be integrated into the upcoming Windows 11 operating system. The primary goal of these features is to further promote the adoption of the Kerberos protocol, which is widely regarded as a more secure alternative to NTLM authentication. By facilitating the transition to Kerberos, Microsoft aims to bolster the security posture of its Windows ecosystem.
Microsoft’s switch from NTLM to Kerberos strengthens security. Kerberos, already the default since Windows 2000, avoids vulnerabilities like NTLM relay attacks, which grant attackers full domain control. While NTLM remains in use on some servers, its known weaknesses create security risks.
Microsoft's team is also asking for input from IT professionals during the process of depreciating NTLM, on how to prioritize what needs fixing first. If you have input you can email them directly at: ntlm@microsoft.com
How to phase out NTLM
Server hardening, the process of configuring servers to reduce their attack surface and enhance security, can play a crucial role in phasing out the use of NTLM (NT LAN Manager) authentication. By implementing secure server configurations that disable or restrict the use of legacy authentication protocols like NTLM, organizations can effectively limit their exposure to potential vulnerabilities associated with these outdated mechanisms.
Server hardening practices, such as disabling NTLM authentication on servers and enforcing the use of more modern and secure protocols like Kerberos, can help organizations transition away from NTLM in a controlled and proactive manner, ultimately strengthening their overall security posture. Do you want to know more?
