2023-10-11

Key Takeaways

Microsoft is phasing out NT LAN Manager (NTLM) user authentication in favor of Kerberos in Windows 11 to improve security.

The company is developing new fallback mechanisms like IAKerb and a local Key Distribution Center (KDC) for Kerberos to address limitations in the protocol.

Microsoft is enhancing NTLM management controls and modifying Windows components to use the Negotiate protocol, with the goal of eventually disabling NTLM by default in Windows 11.

Security is at the forefront for Microsoft when it comes to Windows, which is to be expected given that its operating system is used by over a billion people. Over a year ago, the company announced that it was removing Server Message Block version 1 (SMB1) from Windows 11 Home, and today it has revealed that it is looking to phase out NT LAN Manager (NTLM) user authentication in favor of Kerberos.

In a detailed blog post, Microsoft explains that Kerberos has been the default authentication protocol on Windows for over 20 years, but it still fails in some scenarios, which forces a fallback to NTLM. To address these edge cases, the firm is developing new fallback mechanisms in Windows 11, namely Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos.

NTLM remains popular because it offers advantages such as not requiring a local network connection to a Domain Controller (DC) and not requiring the client to know the identity of the target server. To take advantage of benefits like these, developers opt for convenience and hard-code NTLM into applications and services without even considering more secure and extensible protocols like Kerberos. However, the restrictions Kerberos imposes to increase security are not accounted for in applications that have NTLM authentication hard-coded, so many organizations cannot simply turn off the legacy protocol.

In order to work around the limitations of Kerberos and make it a more enticing option for developers and organizations, Microsoft is building new features in Windows 11 that make the modern protocol a viable option for applications and services.

The first enhancement is IAKerb, a public extension that allows a client to authenticate with a DC through a server that has line-of-sight to that DC. It leverages the Windows authentication stack to proxy Kerberos requests, so the client application does not need visibility of the DC itself. Messages are cryptographically protected in transit, which makes IAKerb a suitable mechanism in remote authentication environments.

Secondly, there is a local KDC for Kerberos to support local accounts. It uses both IAKerb and the local machine's Security Account Manager (SAM) to pass messages between machines when authenticating to local accounts remotely, without depending on DNS, netlogon, or DCLocator. Nor does it require opening any new ports. It is worth noting that this traffic is encrypted with the Advanced Encryption Standard (AES) block cipher.

Over the next few phases of the NTLM deprecation, Microsoft will also modify existing Windows components that are hard-coded to use NTLM. Instead, they will use the Negotiate protocol so that they can benefit from IAKerb and the local KDC for Kerberos. NTLM will continue to be supported as a fallback mechanism to preserve existing compatibility. In the meantime, Microsoft is enhancing its existing NTLM management controls to give organizations more visibility into where and how NTLM is being used within their infrastructure, and more granular control over disabling the protocol for a particular service.

Of course, the end goal is to disable NTLM by default in Windows 11, provided the telemetry data supports doing so. For now, Microsoft encourages organizations to monitor their use of NTLM, audit code that hard-codes the legacy protocol, and keep track of further updates from the Redmond tech firm on this topic.
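As an added illustration of the monitoring step Microsoft recommends (this is not code from the article or from Microsoft), the following PowerShell script enables the existing "Restrict NTLM" audit policies and summarises NTLM logons from the Security log so they can be traced back to the hosts and users that still rely on the protocol. It assumes it runs elevated on a Windows host whose Security log is readable.

```powershell
# Added example (not from the article): inventory NTLM use on a Windows host so that
# remaining NTLM logons can be traced to the applications and machines behind them.
# Assumes an elevated session; registry values and event fields are standard Windows ones.

# 1. Enable the built-in NTLM audit policies (audit only, nothing is blocked).
#    These back the "Network security: Restrict NTLM: ..." Group Policy settings.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsa -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord  # 2 = audit all incoming NTLM
Set-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord  # 1 = audit outgoing NTLM

# 2. Summarise successful logons (Security event 4624) by authentication package.
#    LmPackageName separates NTLM V1 from NTLM V2; Kerberos logons report '-'.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        AuthPackage = $d['AuthenticationPackageName']
        LmPackage   = $d['LmPackageName']
        User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Source      = $d['WorkstationName']
        SourceIp    = $d['IpAddress']
        LogonType   = $d['LogonType']
    }
}

# Share of NTLM versus Kerberos logons over the period
$rows | Group-Object AuthPackage | Select-Object Name, Count | Format-Table -AutoSize

# Each distinct NTLM client/user pair: the worklist for auditing hard-coded NTLM
$rows | Where-Object { $_.AuthPackage -eq 'NTLM' } |
    Group-Object LmPackage, Source, User |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Once the audit policies are on, the NTLM operational log records audited traffic:
#    8001 outgoing, 8002 incoming, 8003 domain, 8004 DC-side audit.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Logon type 3 (network) entries with an LmPackage of "NTLM V1" are the ones to retire first, since they indicate clients that cannot yet negotiate Kerberos or even NTLMv2.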