Microsoft plans to kill off NTLM authentication in Windows 11

Microsoft announced earlier this week that the NTLM authentication protocol will be killed off in Windows 11 in the future.

NTLM (short for New Technology LAN Manager) is a family of protocols used to authenticate remote users and provide session security.

Kerberos, another authentication protocol, has superseded NTLM and is now the current default auth protocol for domain-connected devices on all Windows versions above Windows 2000.

While it was the default protocol used in old Windows versions, NTLM is still used today, and if, for any reason, Kerberos fails, NTLM will be used instead.

Threat actors have extensively exploited NTLM in NTLM relay attacks where they force vulnerable network devices (including domain controllers) to authenticate against servers under the attackers' control, elevating privileges to gain complete control over the Windows domain.

Despite this, NTLM is still used on Windows servers, allowing attackers to exploit vulnerabilities like ShadowCoerce, DFSCoerce, PetitPotam, and RemotePotato0, designed to bypass NTLM relay attack mitigations.

NTLM has also been targeted in pass-the-hash attacks, where cybercriminals exploit system vulnerabilities or deploy malicious software to acquire NTLM hashes, which represent hashed passwords, from a targeted system.

Once in possession of the hash, attackers can utilize it to authenticate as the compromised user, thus gaining access to sensitive data and spread laterally on the network.

Microsoft says that developers should no longer use NTLM in their apps since 2010, and has been advising Windows admins to either disable NTLM or configure their servers to block NTLM relay attacks using Active Directory Certificate Services (AD CS).

However, Microsoft is now working on two new Kerberos features: IAKerb (Initial and Pass Through Authentication Using Kerberos) and Local KDC (Local Key Distribution Center).

"The local KDC for Kerberos is built on top of the local machine's Security Account Manager so remote authentication of local user accounts can be done using Kerberos," Microsoft's Matthew Palko explained.

"This leverages IAKerb to allow Windows to pass Kerberos messages between remote local machines without having to add support for other enterprise services like DNS, netlogon, or DCLocator. IAKerb also does not require us to open new ports on the remote machine to accept Kerberos messages."

Microsoft intends to introduce the two new Kerberos features in Windows 11 to broaden its use and tackle two significant challenges leading to Kerberos fallback to NTLM.

The first feature, IAKerb, enables clients to authenticate with Kerberos across a broader range of network topologies. The second feature involves a local Key Distribution Center (KDC) for Kerberos, which extends Kerberos support to local accounts.

Redmond also plans to expand NTLM management controls, providing administrators with increased flexibility in monitoring and restricting NTLM usage within their environments.

"All these changes will be enabled by default and will not require configuration for most scenarios. NTLM will continue to be available as a fallback to maintain existing compatibility," Palko said.

"Reducing the use of NTLM will ultimately culminate in it being disabled in Windows 11. We are taking a data-driven approach and monitoring reductions in NTLM usage to determine when it will be safe to disable.

"In the meantime, you can use the enhanced controls we are providing to get a head start. Once disabled by default, customers will also be able to use these controls to reenable NTLM for compatibility reasons."