Microsoft is stripping Windows 11 users of an old protocol that authenticates remote users.
The New Technology LAN Manager (NTLM) was effectively usurped by Kerberos, the MIT-developed cross-platform tool which works as the authentication protocol for any version of Windows since Windows 2000.
In fact, Microsoft even recommended users refrain from using NTLM way back in 2010. However, it has still been kept around as a backup incase Kerberos fails. But now it is finally getting the axe.
NTLM no more
NTLM is considered weak from a security standpoint, as it has been exploited many times by threat actors to authenticate connection between their target’s network and their own malicious servers. From here they can take over their victim’s machines.
Attackers have also been able to steal NTLM hashes of passwords from targets via vulnerabilities in their system, using them to authenticate access to the victim’s system and move throughout their network.
For these reasons, Microsoft has long been recommending that admins disable NTLM or block their servers from NTLM relay attacks by using Active Directory Certificate Services (AD CS).
As a replacement for NTLM, Microsoft is currently developing IAKerb (Initial and Pass Through Authentication Using Kerberos) and the Local KDC (Local Key Distribution Center).
The former is built on the Security Account Manager of the local machine, so remote authentication can be implemented using Kerberos. IAKerb is then used to transmit Kerberos messages between machines, “without having to add support for other enterprise services like DNS, netlogon, or DCLocator,” said Matthew Palko at Microsoft.
“IAKerb also does not require us to open new ports on the remote machine to accept Kerberos messages,” he added.
While Palko also said that “NTLM will continue to be available as a fallback to maintain existing compatibility,” more controls will be available to admins to monitor and restrict NLTM within their network.
Palko concludes, though, that “reducing the use of NTLM will ultimately culminate in it being disabled in Windows 11.”
MORE FROM TECHRADAR PRO
- Here is the best endpoint protection for your organization
- Microsoft releases Windows 11 update to block password-stealing attacks
- Russian hackers have been exploiting unknown flaw in Outlook for nearly a year now
stereoguide-referencehometheater-techradar