Microsoft Declares Death to NTLM with Coming Windows 11 Features

NTLM will still be available as a fallback, but Microsoft aims to remove it from Windows 11.

Microsoft this week indicated that it plans to eliminate the need to use the New Technology LAN Manager (NTLM) protocol in Windows 11, with Kerberos taking its place.

NTLM use has long been a recurring security stumbling block. Microsoft's plans to make it unnecessary might seem long overdue, but no timeline for the coming Windows 11 changes was described.

Features To Enable Kerberos
The Kerberos security protocol was actually introduced in Windows 2000 to replace NTLM (see this Redmond article for background on Kerberos). Nonetheless, NTLM got hardcoded into applications and couldn't be wholly replaced. Microsoft, though, now plans to add new Windows 11 features that will permit Kerberos to be used in those cases where NTLM has been needed.

The two coming Windows 11 features effecting this change are called "Initial and Pass Through Authentication Using Kerberos (IAKerb)" and "local Key Distribution Center (KDC) for Kerberos."

Microsoft offered the following "in a nutshell" summation regarding these coming features:

Kerberos has been the default Windows authentication protocol since 2000, but there are still scenarios where it can't be used and where Windows falls back to NTLM. Our team is building new features for Windows 11, Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos, to address these cases. We are also introducing improved NTLM auditing and management functionality to give your organization more insight into your NTLM usage and better control for removing it.

Microsoft did not say much about why it is at last empowering Kerberos and killing off NTLM, but NTLM has been infamous over the years for "NTLM relay attacks," in which an adversary who gets a victim to authenticate to a host it controls forwards that authentication to another service and is treated there as the victim. Researchers have kept finding new ways to trigger such authentications, such as PetitPotam and DFSCoerce, which coerce a Windows host (including a domain controller) into authenticating to an attacker-chosen server over RPC so the NTLM exchange can be relayed; Microsoft patched PetitPotam as a Windows Local Security Authority (LSA) spoofing flaw.

Kerberos has had some limitations of its own, which the coming Windows 11 additions aim to remove, the announcement explained:

Kerberos must have access to a Domain Controller and requires specifying the target server. These requirements cannot always be met, which will cause authentication problems if NTLM is not available as a fallback. Evolving Windows authentication and reducing the usage of NTLM requires that we remove these limitations in Kerberos.

IAKerb will enable clients to authenticate using "Kerberos in more diverse network topologies": a client that cannot reach a domain controller itself can have the target server relay the Kerberos exchange to the KDC on its behalf. Local KDC for Kerberos will support local accounts with Kerberos by backing the machine's local account database with a KDC on the machine itself, so that logons to local accounts no longer have to fall back to NTLM.

Organizations likely will get these Windows 11 enhancements without having to do anything, the announcement suggested:

All these changes will be enabled by default and will not require configuration for most scenarios. NTLM will continue to be available as a fallback to maintain existing compatibility.

Death Warrant on NTLM
NTLM, though, will gradually get "disabled in Windows 11," which will happen according to Microsoft's "data-driven" assessments.

Microsoft promised, though, that the coming IT controls will let organizations re-enable NTLM, if wanted. In the meantime, Microsoft is advising IT departments to "start cataloging your NTLM use." Developers should look for places where their applications hardcode the NTLM security package and replace them with the Negotiate package, which selects Kerberos when it is available and falls back to NTLM only when it is not.
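The following PowerShell is an added example for this article, not code from Microsoft's announcement or documentation. It does the "catalog your NTLM use" step with facilities every supported Windows version already has: the existing "Network security: Restrict NTLM" audit policies (written here as their registry equivalents, which are assumed from those policy settings) and the Security log's logon event 4624, whose AuthenticationPackageName field records whether a logon used Kerberos or NTLM. It also flags the pattern the relay attacks described earlier leave behind at a relay target: an NTLM network logon by a machine account. The sample events at the bottom are constructed, not real telemetry.

```powershell
# Added example for this article (not Microsoft's code). Enables NTLM auditing
# and reports NTLM use from Security event 4624. Run elevated on each server or
# domain controller you want to inventory.

function Enable-NtlmAuditPolicy {
    # Registry equivalents of the "Network security: Restrict NTLM" policies.
    # Audit only: nothing is blocked. Audit events land in
    # Applications and Services Logs > Microsoft > Windows > NTLM > Operational.
    $msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    # "Outgoing NTLM traffic to remote servers": 1 = Audit all
    Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
    # "Audit Incoming NTLM Traffic": 2 = Enable auditing for all accounts
    Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
    # "Audit NTLM authentication in this domain" (domain controllers only): 7 = Enable all
    # Win32_ComputerSystem.DomainRole 4 and 5 are backup and primary domain controller.
    if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
            -Name AuditNTLMInDomain -Value 7 -Type DWord
    }
}

function ConvertFrom-LogonEvent {
    # Flattens a 4624 EventRecord into the fields the report needs, using the
    # standard EventData names of that event.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml = [xml]$Event.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            User        = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            LogonType   = [int]$d['LogonType']                # 3 = network logon
            AuthPackage = $d['AuthenticationPackageName']   # 'Kerberos', 'NTLM' or 'Negotiate'
            LmPackage   = $d['LmPackageName']               # 'NTLM V1', 'NTLM V2' or '-'
            SourceIp    = $d['IpAddress']
            Workstation = $d['WorkstationName']
        }
    }
}

function Get-NtlmLogonReport {
    # Summarizes NTLM use and flags what to look at first: NTLMv1 (the weakest
    # variant) and NTLM network logons by machine accounts (names ending in $),
    # which is what a coerced-and-relayed computer authentication (PetitPotam,
    # DFSCoerce and similar) looks like from the relay target's point of view.
    # In a Kerberos-capable domain, machine accounts rarely use NTLM legitimately.
    param([Parameter(Mandatory)] [object[]] $Logons)
    $ntlm = @($Logons | Where-Object { $_.AuthPackage -eq 'NTLM' })
    [pscustomobject]@{
        TotalLogons        = $Logons.Count
        NtlmLogons         = $ntlm.Count
        NtlmV1Logons       = @($ntlm | Where-Object { $_.LmPackage -eq 'NTLM V1' }).Count
        MachineAccountNtlm = @($ntlm | Where-Object { $_.LogonType -eq 3 -and $_.User -like '*$' })
        NtlmBySource       = @($ntlm | Group-Object SourceIp | Sort-Object Count -Descending |
                               Select-Object Name, Count)
    }
}

# Live use: pull recent logons from the Security log and report on them.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 20000 |
#             ConvertFrom-LogonEvent
# Get-NtlmLogonReport $live | Format-List

# Constructed sample (not real telemetry) so the report runs offline.
$sample = @(
    [pscustomobject]@{ Time = Get-Date; User = 'CORP\alice';  LogonType = 3; AuthPackage = 'Kerberos'; LmPackage = '-';       SourceIp = '10.0.0.21'; Workstation = 'WS01'   }
    [pscustomobject]@{ Time = Get-Date; User = 'CORP\bob';    LogonType = 3; AuthPackage = 'NTLM';     LmPackage = 'NTLM V2'; SourceIp = '10.0.0.22'; Workstation = 'WS02'   }
    [pscustomobject]@{ Time = Get-Date; User = 'CORP\legacy'; LogonType = 3; AuthPackage = 'NTLM';     LmPackage = 'NTLM V1'; SourceIp = '10.0.0.50'; Workstation = 'OLDAPP' }
    [pscustomobject]@{ Time = Get-Date; User = 'CORP\DC01$';  LogonType = 3; AuthPackage = 'NTLM';     LmPackage = 'NTLM V2'; SourceIp = '10.0.0.99'; Workstation = 'DC01'   }
)
Get-NtlmLogonReport $sample | Format-List
```

On the constructed sample, the report counts three NTLM logons, one of them NTLMv1 from the OLDAPP host, and lists the DC01$ network logon arriving from 10.0.0.99 under MachineAccountNtlm; a domain controller's account authenticating with NTLM from an address that is not the domain controller is exactly the trace a coercion-and-relay leaves and deserves an explanation. The registry switches only audit; blocking (RestrictSendingNTLMTraffic = 2, RestrictReceivingNTLMTraffic, RestrictNTLMInDomain) is a later step once the inventory is clean.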

Microsoft's engineering team plans to talk about these changes in a Webinar, "The Evolution of Windows Authentication," scheduled for Oct. 24 at 8:00 am Pacific Time, with sign-up here.

Microsoft really is "killing NTLM in Windows 11," per David Weston, Microsoft's vice president for OS security and enterprise, in this thread on X (formerly Twitter).

Also, since Windows 11 shares a codebase with Windows Server, the NTLM displacement will also be in effect for future Windows Server releases, per Steve Syfuhs of Microsoft's Windows and authentication team, as also expressed in that thread.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
