Microsoft Plans to Eliminate NTLM in Windows 11 for Enhanced Authentication and Security

by time news

Oct 14, 2023
Newsroom
Authentication / Endpoint Security

Microsoft has recently announced its plans to phase out NT LAN Manager (NTLM) in Windows 11 as part of its efforts to strengthen authentication methods and improve security.

The technology giant stated, “The focus is on strengthening the Kerberos authentication protocol, which has been the default since 2000, and reducing reliance on NT LAN Manager (NTLM). New features for Windows 11 include Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos.”

IAKerb enables clients to achieve authentication using Kerberos across various network topologies. The local Key Distribution Center (KDC) for Kerberos is a second feature that extends Kerberos support to local accounts.

Originating in the 1990s, NTLM is a suite of security protocols designed to deliver authentication, integrity, and confidentiality to users. It functions as a single sign-on (SSO) tool that uses a challenge-response protocol to verify a user’s knowledge of the password associated with an account to a server or domain controller.

However, since the release of Windows 2000, NTLM has been replaced by Kerberos as the preferred authentication protocol. NTLM now serves as a fallback mechanism.

CrowdStrike, a cybersecurity firm, explains that the main difference between NTLM and Kerberos lies in how each manages authentication. NTLM relies on a three-way handshake between the client and server, whereas Kerberos employs a two-part process that relies on a ticket granting service or key distribution center.

Moreover, a crucial distinction between the two protocols is that NTLM relies on password hashing, while Kerberos relies on encryption.

In addition to its inherent security weaknesses, NTLM is susceptible to relay attacks, which could allow malicious actors to intercept authentication attempts and gain unauthorized access to network resources.

Microsoft has also revealed its ongoing efforts to address hard-coded NTLM instances in its own components as it prepares to disable NTLM in Windows 11. These improvements are intended to steer those components toward Kerberos rather than NTLM.

Matthew Palko, Microsoft’s senior product management lead in Enterprise and Security, stated, “All these changes will be enabled by default and will not require configuration for most scenarios. NTLM will continue to be available as a fallback to maintain existing compatibility.”
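Because NTLM stays available as a fallback, the check a defender wants before it is disabled is an inventory of where it is still being used. The following is an added example, not code from the article or from Microsoft: it parses Security log logon events (Event ID 4624) that were exported to XML (assumed via `wevtutil qe Security /q:"*[System[EventID=4624]]" /f:xml`, with the output wrapped in a root element) and groups NTLM logons by source host, account and NTLM version; the sample events below are constructed.

```python
"""Inventory NTLM vs Kerberos logons from exported Windows Security event XML
(Event ID 4624) to find NTLM fallback use before NTLM is turned off."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample export (not real telemetry): three 4624 events in the
# shape wevtutil emits, wrapped in an <Events> root so the file parses as XML.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System>
<EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">3</Data>
<Data Name="AuthenticationPackageName">Kerberos</Data><Data Name="LmPackageName">-</Data>
<Data Name="WorkstationName">WS01</Data><Data Name="IpAddress">10.0.0.5</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System>
<EventData><Data Name="TargetUserName">svc-backup</Data><Data Name="LogonType">3</Data>
<Data Name="AuthenticationPackageName">NTLM</Data><Data Name="LmPackageName">NTLM V2</Data>
<Data Name="WorkstationName">NAS01</Data><Data Name="IpAddress">10.0.0.9</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System>
<EventData><Data Name="TargetUserName">bob</Data><Data Name="LogonType">3</Data>
<Data Name="AuthenticationPackageName">NTLM</Data><Data Name="LmPackageName">NTLM V1</Data>
<Data Name="WorkstationName">LEGACY01</Data><Data Name="IpAddress">10.0.0.7</Data></EventData></Event>
</Events>"""


def parse_logons(xml_text):
    """Yield the EventData fields of every 4624 event as a dict keyed by Data Name."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue  # ignore anything that is not a logon event
        yield {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}


def ntlm_inventory(xml_text):
    """Return (package_counts, ntlm_sources): logons per authentication package, and
    for NTLM logons a per-source Counter of (account, LM package) pairs."""
    packages = Counter()
    ntlm_sources = defaultdict(Counter)
    for d in parse_logons(xml_text):
        pkg = d.get("AuthenticationPackageName", "")
        packages[pkg] += 1
        if pkg == "NTLM":
            # LmPackageName distinguishes NTLM V1 from V2; V1 sources are the first to fix.
            source = (d.get("WorkstationName", "?"), d.get("IpAddress", "?"))
            ntlm_sources[source][(d.get("TargetUserName", "?"), d.get("LmPackageName", "?"))] += 1
    return packages, ntlm_sources


if __name__ == "__main__":
    packages, sources = ntlm_inventory(SAMPLE_XML)
    print("Logons by package:", dict(packages))
    for (host, ip), users in sources.items():
        for (user, lm), n in users.items():
            print(f"NTLM from {host} ({ip}): {user} via {lm} x{n}")
```

Hosts that show up only under NTLM V1 are the ones whose clients or services still need attention before the fallback goes away.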

This development highlights Microsoft’s commitment to enhancing authentication security and ensuring the utmost protection for Windows 11 users.

Sources:
– The Hacker News. (2023, Oct 14). Microsoft Is Getting Rid of NT LAN Manager (NTLM) in Windows 11. https://thehackernews.com/2023/10/microsoft-is-getting-rid-of-nt-lan.html
