Microsoft to Kill NTLM and Expand Kerberos Authentication

Robust security measures are paramount in an ever-changing digital landscape. As Windows adapts to meet the evolving demands of our world, user multi factor authentication, a cornerstone of Windows security, undergoes significant transformation. 

Microsoft is actively working to enhance user authentication by bolstering the reliability and flexibility of Kerberos while reducing its reliance on the older NT LAN Manager (NTLM) authentication protocol.

Kerberos has been the default Windows authentication protocol since the turn of the millennium, but there are still scenarios where it proves inadequate, causing Windows to resort to NTLM. 

To address these situations, Microsoft is introducing new features for Windows 11, such as Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos. 

These innovations aim to expand Kerberos’ usability and security, ultimately diminishing the need for NTLM.

User authentication in the Windows environment essentially entails verifying one’s identity to a remote system while safeguarding the confidentiality of sensitive password data.

NTLM achieves this by engaging in a challenge and response interaction that verifies the user’s familiarity with a password without revealing it.

The benefits of NTLM, such as not requiring a local network connection to a Domain Controller, being compatible with local accounts, and functioning even when the target server is unknown, have contributed to its historical popularity. 

Certain applications and services have relied on NTLM because of these benefits instead of embracing contemporary authentication protocols like Kerberos, which provide enhanced security and flexibility.

Despite the clear advantages of Kerberos, organizations have been hesitant to disable NTLM due to potential compatibility issues with applications hardcoded for NTLM use. 

Moreover, certain scenarios are incompatible with Kerberos, as it demands access to a Domain Controller and requires specifying the target server. 

The evolution of Windows authentication seeks to address these limitations in Kerberos.

Windows 11 introduces two significant features for Kerberos to decrease its dependence on NTLM.

The initial feature, IAKerb, enables clients to authenticate Kerberos in various network topologies.

IAKerb leverages the cryptographic security guarantees of Kerberos to protect messages in transit, making it valuable in segmented environments and remote access scenarios. 

The second aspect introduces a local Key Distribution Center (KDC) for Kerberos, facilitating Kerberos support for local accounts and enhancing the security of local authentication by implementing AES encryption.

In addition to expanding Kerberos’ use, Microsoft is working to replace hardcoded NTLM instances in existing Windows components with the Negotiate protocol. 

This transition will empower services to adopt Kerberos instead of NTLM and harness IAKerb and LocalKDC for both local and domain accounts.

These adjustments will be activated by default, ensuring a smooth transition, with NTLM still accessible as a backup to preserve compatibility.

Improving NTLM Management

Microsoft also enriches NTLM management tools, granting administrators greater freedom in monitoring and regulating NTLM utilization.

Augmenting existing event viewer logs with service-specific data; these updates will offer transparency regarding applications employing NTLM.

Moreover, administrators will gain the capability to establish precise policies at the service level, enabling them to either restrict or create exemptions for NTLM usage on a service-by-service basis.

The ultimate objective is to substantially decrease NTLM usage to the extent that it can be securely disabled in Windows 11. 

Microsoft is taking a data-driven approach, closely monitoring NTLM utilization, and plans to disable it by default once it’s considered safe. Users will still have the option to re-enable NTLM for compatibility purposes.

To prepare for these impending changes, Microsoft suggests starting a record of NTLM usage, reviewing code for any hardcoded NTLM instances, and staying vigilant for updates that address scenarios where Kerberos remains limited.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.