Tuesday, November 12, 2024
HomeCyber Security NewsMicrosoft to Kill NTLM and Expand Kerberos Authentication

Microsoft to Kill NTLM and Expand Kerberos Authentication

Published on

Malware protection

Robust security measures are paramount in an ever-changing digital landscape. As Windows adapts to meet the evolving demands of our world, user multi factor authentication, a cornerstone of Windows security, undergoes significant transformation. 

Microsoft is actively working to enhance user authentication by bolstering the reliability and flexibility of Kerberos while reducing its reliance on the older NT LAN Manager (NTLM) authentication protocol.

Kerberos has been the default Windows authentication protocol since the turn of the millennium, but there are still scenarios where it proves inadequate, causing Windows to resort to NTLM. 

- Advertisement - SIEM as a Service

To address these situations, Microsoft is introducing new features for Windows 11, such as Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos. 

These innovations aim to expand Kerberos’ usability and security, ultimately diminishing the need for NTLM.

User authentication in the Windows environment essentially entails verifying one’s identity to a remote system while safeguarding the confidentiality of sensitive password data.

NTLM achieves this by engaging in a challenge and response interaction that verifies the user’s familiarity with a password without revealing it.

The benefits of NTLM, such as not requiring a local network connection to a Domain Controller, being compatible with local accounts, and functioning even when the target server is unknown, have contributed to its historical popularity. 

Certain applications and services have relied on NTLM because of these benefits instead of embracing contemporary authentication protocols like Kerberos, which provide enhanced security and flexibility.

Despite the clear advantages of Kerberos, organizations have been hesitant to disable NTLM due to potential compatibility issues with applications hardcoded for NTLM use. 

Moreover, certain scenarios are incompatible with Kerberos, as it demands access to a Domain Controller and requires specifying the target server. 

The evolution of Windows authentication seeks to address these limitations in Kerberos.

Windows 11 introduces two significant features for Kerberos to decrease its dependence on NTLM.

The initial feature, IAKerb, enables clients to authenticate Kerberos in various network topologies.

IAKerb leverages the cryptographic security guarantees of Kerberos to protect messages in transit, making it valuable in segmented environments and remote access scenarios. 

The second aspect introduces a local Key Distribution Center (KDC) for Kerberos, facilitating Kerberos support for local accounts and enhancing the security of local authentication by implementing AES encryption.

In addition to expanding Kerberos’ use, Microsoft is working to replace hardcoded NTLM instances in existing Windows components with the Negotiate protocol. 

This transition will empower services to adopt Kerberos instead of NTLM and harness IAKerb and LocalKDC for both local and domain accounts.

These adjustments will be activated by default, ensuring a smooth transition, with NTLM still accessible as a backup to preserve compatibility.

Improving NTLM Management

Microsoft also enriches NTLM management tools, granting administrators greater freedom in monitoring and regulating NTLM utilization.

Augmenting existing event viewer logs with service-specific data; these updates will offer transparency regarding applications employing NTLM.

Moreover, administrators will gain the capability to establish precise policies at the service level, enabling them to either restrict or create exemptions for NTLM usage on a service-by-service basis.

The ultimate objective is to substantially decrease NTLM usage to the extent that it can be securely disabled in Windows 11. 

Microsoft is taking a data-driven approach, closely monitoring NTLM utilization, and plans to disable it by default once it’s considered safe. Users will still have the option to re-enable NTLM for compatibility purposes.

To prepare for these impending changes, Microsoft suggests starting a record of NTLM usage, reviewing code for any hardcoded NTLM instances, and staying vigilant for updates that address scenarios where Kerberos remains limited.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...