Tuesday, October 17, 2023

Microsoft to Improve Windows Authentication by Enhancing Kerberos and Phasing Out NTLM

Microsoft is taking steps to strengthen Windows user authentication by adding features to Kerberos and eventually eliminating NTLM (New Technology LAN Manager). Kerberos has been the default Windows authentication protocol for more than two decades, but there are still situations in which it cannot be used and Windows falls back to NTLM. Microsoft plans to extend Kerberos so that those fallbacks are no longer needed.

Removing NTLM will be a significant security improvement. We keep seeing vulnerabilities in various software (most recently WordPad) that trick a client into opening an SMB connection to an attacker-controlled server. The client then authenticates with NTLM and hands over an NTLM challenge-response (a Net-NTLMv2 hash) that can be cracked offline or relayed to another service.

The NTLM fall-back use cases are: local accounts, for which NTLM is the only supported protocol; clients that have no connection to a domain controller (DC); and connections where the client cannot name the target server (for example, when it connects by IP address, so there is no service principal name to request a ticket for). The planned changes address each of these. IAKerb (Initial and Pass-Through Authentication Using Kerberos) lets a client with no line of sight to a DC authenticate by having the target server, which does have DC connectivity, proxy the Kerberos exchange on its behalf. A local KDC built on the machine's local account database provides Kerberos for local accounts. Finally, Windows components that are hard-coded to NTLM are being changed to call Negotiate instead, which can then select Kerberos via IAKerb or the local KDC. While no date is set for phasing out NTLM, it is time to start gathering your use cases so you can test the replacement options before NTLM is retired.
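Gathering those use cases means finding out which processes on a host still end up on NTLM, in which direction, and against which targets. The PowerShell below is an added example, not code from the article or from Microsoft. It turns on the "Network security: Restrict NTLM" audit settings through their documented registry values (audit only, nothing is blocked), then reads the Microsoft-Windows-NTLM/Operational log and summarises the NTLM authentications it recorded. Event IDs 8001 (outgoing NTLM from this host) and 8002 (incoming NTLM to this host) and the registry value names are the documented ones; the EventData field names it reads (TargetName, UserName, DomainName, ProcessName, WorkstationName) are assumptions and may differ on your build, so the script keeps every field it finds. Run it elevated on a test machine.

```powershell
# Added example (not from the article). Assumptions: run elevated; the
# Microsoft-Windows-NTLM/Operational log exists (Windows 7 / Server 2008 R2 and later);
# the EventData field names below match your build (check $data.Keys if not).

$lsaMsv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Outgoing NTLM from this host: 0 = allow all, 1 = audit all, 2 = deny all.
# Audit mode is enough to inventory use cases; nothing is blocked.
Set-ItemProperty -Path $lsaMsv -Name 'RestrictSendingNTLMTraffic'  -Value 1 -Type DWord
# Incoming NTLM to this host: 0 = off, 1 = audit domain accounts, 2 = audit all accounts.
Set-ItemProperty -Path $lsaMsv -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord

# The audit events land in an operational channel that is off by default on some builds.
wevtutil set-log Microsoft-Windows-NTLM/Operational /enabled:true

function Get-NtlmUsage {
    # Returns one object per audited NTLM authentication in the last $Days days.
    param([int]$Days = 7)

    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002          # 8001 = client side (outgoing), 8002 = server side (incoming)
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read EventData generically instead of relying on positional properties,
        # so a field-name mismatch shows up as an empty column rather than wrong data.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        $direction = if ($_.Id -eq 8001) { 'Outgoing' } else { 'Incoming' }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            Direction   = $direction
            Target      = $data['TargetName']      # 8001: server the client authenticated to (assumed name)
            User        = $data['UserName']        # account that was authenticated (assumed name)
            Domain      = $data['DomainName']      # empty or machine name => local account use case
            Process     = $data['ProcessName']     # 8001: client process that ended up on NTLM (assumed name)
            Workstation = $data['WorkstationName'] # 8002: remote client, if supplied (assumed name)
            AllFields   = $data                    # everything else, for when the names above do not match
        }
    }
}

# One line per (direction, process, target, domain) combination. Each line is a use case
# to retest once Negotiate can reach IAKerb or the local KDC: an empty Domain points at
# local accounts, an IP-address Target at the "unknown target server" case, and an
# outgoing authentication to an unexpected host is the pattern a forced SMB connection leaves.
Get-NtlmUsage -Days 7 |
    Group-Object Direction, Process, Target, Domain |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Collect over at least one full business cycle (month-end jobs and scheduled tasks are where legacy authentication hides), and run the same inventory on the domain controllers with the domain-wide audit policy rather than only on workstations, since the DC view is the only one that covers every server.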

Dave Mayer at Neuvik, where I worked, looked at some articles, because curiosity about dropping NTLM is essential. How do you drop NTLM and use two workstations? Who is the KDC? We got the answer: the KDC will be set up on a non-domain computer, on each machine. They will act as the KDC for the transaction. Does this mean there is a krbtgt account on your Windows 11 workstation? What will this look like? But, just like VBScript, there is no stopping this, so farewell, NTLM. You were such a good friend to the red team.

It took something like 15 years for the US to make the shift away from leaded gasoline – removing dangerous stuff from a large installed base is not easy, but in the modern software world “legacy software backwards compatibility” needs to be measured in single digit years not decades.

Could this finally be the end of NTLM? NTLM has a checkered security history: its challenge-response can be relayed to other services, and the password hash it is derived from can be reused directly (pass-the-hash), among other weaknesses. By making these Kerberos changes part of the default configuration in Windows 11, Microsoft is easing adoption.
