Summary: Microsoft plans to kill off NTLM authentication in Windows 11 (www.bleepingcomputer.com)
One Line
Microsoft will upgrade the authentication protocol in Windows 11 from NTLM to the more secure Kerberos.
Key Points
- Microsoft plans to kill off NTLM authentication in Windows 11.
- NTLM is a protocol used to authenticate remote users and provide session security.
- Kerberos has superseded NTLM and is now the default authentication protocol for domain-connected devices.
- NTLM has been extensively exploited in NTLM relay attacks, pass-the-hash attacks, and other vulnerabilities.
- Microsoft advises developers to no longer use NTLM in their apps and has provided controls to monitor and restrict NTLM usage.
- Microsoft is working on two new Kerberos features and plans to expand NTLM management controls in Windows 11.
- Reducing NTLM usage is the path to eventually disabling it in Windows 11.
Summaries
18 word summary
Microsoft plans to replace the outdated NTLM authentication protocol in Windows 11 with the more secure Kerberos protocol.
64 word summary
Microsoft will remove the outdated NTLM authentication protocol in Windows 11, replacing it with the more secure Kerberos protocol. To support this transition, Microsoft is introducing IAKerb and Local KDC features. Although NTLM will still be available for compatibility, users are encouraged to prepare for its eventual disabling by utilizing enhanced controls. This move aims to improve security and provide better tools for administrators.
198 word summary
Microsoft plans to remove the NTLM authentication protocol in Windows 11. NTLM is outdated and has been superseded by Kerberos, which is now the default authentication protocol for Windows devices. While NTLM is still used as a fallback when Kerberos fails, it has been exploited in various attacks, including NTLM relay attacks and pass-the-hash attacks. Microsoft has been advising against the use of NTLM since 2010 and has recommended that admins either disable NTLM or configure their servers to block NTLM relay attacks. To promote the use of Kerberos, Microsoft is introducing two new features: IAKerb, which allows clients to authenticate with Kerberos in a wider range of network topologies, and Local KDC, which extends Kerberos support to local accounts. Microsoft also plans to expand NTLM management controls to give administrators more flexibility in monitoring and restricting its usage. Although Microsoft intends to disable NTLM in Windows 11, it will continue to be available as a fallback for compatibility reasons. The company encourages users to prepare for the eventual disabling of NTLM by using the enhanced controls it provides. Microsoft's decision to remove NTLM authentication is driven by the vulnerabilities associated with the protocol and its aim to improve security and provide better tools for administrators.
354 word summary
Microsoft has announced that it plans to remove the NTLM authentication protocol in Windows 11. NTLM, which stands for New Technology LAN Manager, is used to authenticate remote users and provide session security. However, Kerberos has superseded NTLM and is now the default authentication protocol for domain-connected devices on Windows versions above Windows 2000.
NTLM is still used today, especially when Kerberos fails. However, threat actors have exploited NTLM in various attacks, including NTLM relay attacks, where vulnerable network devices are forced to authenticate against servers under the attackers' control. This allows the attackers to gain complete control over the Windows domain. NTLM has also been targeted in pass-the-hash attacks, where cybercriminals acquire NTLM hashes from a system and use them to authenticate as compromised users.
Microsoft has been advising developers not to use NTLM since 2010 and has recommended that Windows admins either disable NTLM or configure their servers to block NTLM relay attacks against Active Directory Certificate Services. Microsoft is now working on two new Kerberos features called IAKerb and Local KDC. These features aim to broaden the use of Kerberos and remove the obstacles that currently cause Kerberos to fall back to NTLM.
IAKerb allows clients to authenticate with Kerberos across a wider range of network topologies, while the Local KDC extends Kerberos support to local accounts. Microsoft also plans to expand NTLM management controls, giving administrators more flexibility in monitoring and restricting NTLM usage within their environments.
Microsoft intends to disable NTLM in Windows 11 but will take a data-driven approach to determine the right time for this change. In the meantime, NTLM will continue to be available as a fallback for compatibility reasons. The company encourages users to use the enhanced controls it provides to prepare for the eventual disabling of NTLM.
Overall, Microsoft's decision to remove NTLM authentication in Windows 11 is driven by the vulnerabilities and exploits associated with the protocol. The company aims to promote the use of Kerberos as the more secure and modern authentication protocol. By introducing new Kerberos features and expanding NTLM management controls, Microsoft is taking steps to improve security and provide administrators with better tools to protect their environments.
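The summaries above mention that Microsoft already ships controls for monitoring and restricting NTLM usage and that administrators should use them to prepare for NTLM being disabled. The following PowerShell script is an added example, not code from the BleepingComputer article or from Microsoft: it reads the registry values behind the existing "Network security: Restrict NTLM" Group Policy settings and summarizes the NTLM audit events recorded in the Microsoft-Windows-NTLM/Operational log, which is where an admin would start measuring how much NTLM a host still sees. The registry paths and value names are the ones those policies write; the event ID descriptions in the comments are assumptions based on Microsoft's Restrict NTLM documentation and should be verified against the log on your own systems.

```powershell
# Added example (not from the article or from Microsoft). Inventory NTLM
# audit/restrict settings and summarize NTLM audit events on a Windows host.
# Assumptions: elevated PowerShell session; the NTLM operational log only has
# entries if the "Restrict NTLM: Audit ..." policies have been enabled.

$lsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Registry values written by the "Network security: Restrict NTLM" policies.
$settings = @(
  @{ Path = $lsaKey;      Name = 'AuditReceivingNTLMTraffic';    Meaning = 'Server audit: 0=off, 1=domain accounts, 2=all accounts' }
  @{ Path = $lsaKey;      Name = 'RestrictReceivingNTLMTraffic'; Meaning = 'Server restrict: 0=allow all, 1=deny domain accounts, 2=deny all' }
  @{ Path = $lsaKey;      Name = 'RestrictSendingNTLMTraffic';   Meaning = 'Client: 0=allow all, 1=audit all, 2=deny all' }
  @{ Path = $netlogonKey; Name = 'AuditNTLMInDomain';            Meaning = 'DC audit (domain): 0=off ... 7=all' }
  @{ Path = $netlogonKey; Name = 'RestrictNTLMInDomain';         Meaning = 'DC restrict (domain): 0=off ... 7=deny all' }
)

function Get-NtlmPolicyState {
  # Returns one row per setting; "not configured" means the policy has never been set.
  foreach ($s in $settings) {
    $value = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    [pscustomobject]@{
      Setting = $s.Name
      Value   = if ($null -eq $value) { 'not configured' } else { $value }
      Meaning = $s.Meaning
    }
  }
}

function Get-NtlmAuditSummary {
  param([int]$Days = 7)
  # Assumed event ID meanings (verify against your own log):
  #   8001 outgoing NTLM from this client, 8002 incoming NTLM to this server,
  #   8003 NTLM audited in the domain (DC), 8004 NTLM blocked by the DC.
  $filter = @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001, 8002, 8003, 8004
    StartTime = (Get-Date).AddDays(-$Days)
  }
  $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
  if (-not $events) {
    Write-Warning "No NTLM audit events in the last $Days day(s). Enable the Restrict NTLM audit policies first."
    return
  }
  $events | Group-Object Id | Sort-Object Name | ForEach-Object {
    [pscustomobject]@{
      EventId = [int]$_.Name
      Count   = $_.Count
      Latest  = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
    }
  }
}

# Usage: run both checks and print them as tables.
Get-NtlmPolicyState  | Format-Table -AutoSize
Get-NtlmAuditSummary -Days 7 | Format-Table -AutoSize
```

Running this in audit mode for a few weeks before switching any setting to a deny value is the order of operations the article's "data-driven approach" implies: the event counts show which hosts still fall back to NTLM, and the policy table shows whether restriction has actually been applied rather than only planned.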