Sunday, July 14, 2024

Microsoft to Kill NTLM and Expand Kerberos Authentication

In an ever-changing digital landscape, robust security measures are paramount. As Windows adapts to meet the evolving demands of our world, user authentication, a cornerstone of Windows security, undergoes significant transformation. 

Microsoft is actively working to enhance user authentication by bolstering the reliability and flexibility of Kerberos while reducing its reliance on the older NT LAN Manager (NTLM) authentication protocol.

Kerberos has been the default Windows authentication protocol since the turn of the millennium, but there are still scenarios where it proves inadequate, causing Windows to resort to NTLM. 

To address these situations, Microsoft is introducing new features for Windows 11, such as Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos. 

These innovations aim to expand Kerberos’ usability and security, ultimately diminishing the need for NTLM.

User authentication in the Windows environment essentially entails verifying one’s identity to a remote system while safeguarding the confidentiality of sensitive password data.

NTLM achieves this by engaging in a challenge and response interaction that verifies the user’s familiarity with a password without revealing it.

The benefits of NTLM, such as not requiring a local network connection to a Domain Controller, being compatible with local accounts, and functioning even when the target server is unknown, have contributed to its historical popularity. 

Certain applications and services have relied on NTLM because of these benefits instead of embracing contemporary authentication protocols like Kerberos, which provide enhanced security and flexibility.

Despite the clear advantages of Kerberos, organizations have been hesitant to disable NTLM due to potential compatibility issues with applications hardcoded for NTLM use. 

Moreover, certain scenarios are incompatible with Kerberos, as it demands access to a Domain Controller and requires specifying the target server. 

The evolution of Windows authentication seeks to address these limitations in Kerberos.

Windows 11 introduces two significant features for Kerberos to decrease its dependence on NTLM.

The initial feature, IAKerb, enables clients to authenticate Kerberos in various network topologies.

IAKerb leverages the cryptographic security guarantees of Kerberos to protect messages in transit, making it valuable in segmented environments and remote access scenarios. 

The second aspect introduces a local Key Distribution Center (KDC) for Kerberos, facilitating Kerberos support for local accounts and enhancing the security of local authentication by implementing AES encryption.

In addition to expanding Kerberos’ use, Microsoft is working to replace hardcoded NTLM instances in existing Windows components with the Negotiate protocol. 

This transition will empower services to adopt Kerberos instead of NTLM and harness IAKerb and LocalKDC for both local and domain accounts.

These adjustments will be activated by default, ensuring a smooth transition, with NTLM still accessible as a backup to preserve compatibility.

Improving NTLM Management

Microsoft also enriches NTLM management tools, granting administrators greater freedom in monitoring and regulating NTLM utilization.

Augmenting existing event viewer logs with service-specific data; these updates will offer transparency regarding applications employing NTLM.

Moreover, administrators will gain the capability to establish precise policies at the service level, enabling them to either restrict or create exemptions for NTLM usage on a service-by-service basis.

The ultimate objective is to substantially decrease NTLM usage to the extent that it can be securely disabled in Windows 11. 

Microsoft is taking a data-driven approach, closely monitoring NTLM utilization, and plans to disable it by default once it’s considered safe. Users will still have the option to re-enable NTLM for compatibility purposes.

To prepare for these impending changes, Microsoft suggests starting a record of NTLM usage, reviewing code for any hardcoded NTLM instances, and staying vigilant for updates that address scenarios where Kerberos remains limited.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.


Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles