Microsoft is planning to eliminate the use of NTLM authentication, a legacy protocol that has been around since the 1980s and has been exploited by hackers for decades, in Windows 11.
NTLM stands for New Technology LAN Manager, and it was originally developed for OS/2, a joint operating system project between Microsoft and IBM. NTLM is a challenge-response authentication protocol that verifies the identity of a user by proving knowledge of a password without revealing it.
NTLM has some advantages that made it popular in the past, such as:
- It does not require a local network connection to a Domain Controller.
- It is the only protocol supported when using local accounts.
- It works when the target server is not known.
However, NTLM also has many drawbacks that make it insecure and outdated, such as:
- It does not support multifactor or adaptive authentication.
- It uses weak encryption and hashing algorithms that can be easily cracked.
- It is vulnerable to various attacks, such as relay, pass-the-hash, and brute force.
Microsoft has been trying to replace NTLM with Kerberos, a more modern and secure authentication protocol, since Windows 2000. Kerberos provides better security guarantees and is more extensible than NTLM. Kerberos relies on a trusted third party, called the Key Distribution Center (KDC), to issue tickets that authenticate users and services.
However, there are still some scenarios where Kerberos cannot be used and where Windows falls back to NTLM, such as:
- When there is no network access to a Domain Controller or a KDC.
- When using local accounts or non-domain joined devices.
- When the target server is not specified or registered in the domain.
To address these scenarios and reduce the dependency on NTLM, Microsoft is introducing two new features in Windows 11:
- Initial and Pass Through Authentication Using Kerberos (IAKerb): This feature allows clients to authenticate with Kerberos in more diverse network topologies, such as VPNs, firewalls, proxies, and cloud environments. IAKerb uses an initial ticket that can be obtained offline or from a local KDC, and then uses it to request service tickets from remote KDCs.
- A local KDC for Kerberos: This feature adds Kerberos support to local accounts by creating a local KDC on each device. The local KDC can issue tickets for local accounts and services, as well as for domain accounts when offline. The local KDC can also synchronize with the domain KDC when online.
These features will enable Kerberos to be used in more situations and will reduce the need for NTLM fallback. Microsoft is also improving the auditing and management of NTLM usage, to help organizations identify and eliminate NTLM dependencies.
Microsoft’s goal is to eventually phase out NTLM completely and improve the security of authentication for all Windows users. However, this will take time and will require cooperation from application developers and administrators who still rely on NTLM.
A brief history of NTLM attacks
NTLM has been a target for hackers since its inception, as it has several design flaws that make it easy to compromise. Here are some of the most common types of attacks against NTLM:
- Relay attack: This attack involves intercepting an NTLM authentication request from a client and forwarding it to another server, impersonating the client. The attacker can then access the resources on the target server as the client. This attack can be performed by exploiting various protocols that use NTLM, such as SMB, HTTP, LDAP, or RPC.
- Pass-the-hash attack: This attack involves stealing the hashed password of a user or a service account from a compromised device and using it to authenticate with other devices or services that use NTLM. The attacker does not need to know or crack the plaintext password, as NTLM only verifies the hash value.
- Brute force attack: This attack involves trying different combinations of passwords until finding the one that matches the hash value of a user or a service account. This attack can be performed offline by capturing an NTLM authentication request or online by sending multiple requests to a server. The success of this attack depends on the complexity and length of the password.
These attacks can be prevented or mitigated by using various security measures, such as:
- Enabling SMB signing and encryption to protect against relay attacks.
- Enabling Credential Guard to protect against pass-the-hash attacks.
- Enforcing strong password policies and using multifactor authentication to protect against brute force attacks.
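As an added example (not from the article and not Microsoft's own tooling), the read-only PowerShell check below ties together the NTLM auditing mentioned earlier and the mitigations listed above: it reads the NTLM restriction and audit policies, the SMB signing requirements and the Credential Guard state of one host, then summarises what the NTLM audit log has recorded. The "want" values in the labels are the hardened targets assumed here, and the script expects an elevated session.

```powershell
# Added example: read-only NTLM exposure check for one Windows host.
# Run in an elevated PowerShell 5.1+ session; nothing is modified.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"

function Get-RegValue($Path, $Name) {
    # Returns $null when the policy has never been set (default behaviour applies).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$report = [ordered]@{
    # 5 = send NTLMv2 only and refuse LM/NTLMv1 responses (no weak hashes on the wire)
    'LmCompatibilityLevel (want 5)'         = Get-RegValue $lsa 'LmCompatibilityLevel'
    # Outgoing NTLM: 0 allow all, 1 audit all, 2 deny all
    'RestrictSendingNTLMTraffic (want 2)'   = Get-RegValue $msv 'RestrictSendingNTLMTraffic'
    # Incoming NTLM: 0 allow all, 1 deny domain accounts, 2 deny all
    'RestrictReceivingNTLMTraffic (want 2)' = Get-RegValue $msv 'RestrictReceivingNTLMTraffic'
    # Audit incoming NTLM: 0 off, 1 domain accounts, 2 all accounts
    'AuditReceivingNTLMTraffic (want 2)'    = Get-RegValue $msv 'AuditReceivingNTLMTraffic'
    # Signing required on both sides closes the SMB relay path described above
    'SMB server RequireSecuritySignature'   = (Get-SmbServerConfiguration).RequireSecuritySignature
    'SMB client RequireSecuritySignature'   = (Get-SmbClientConfiguration).RequireSecuritySignature
}

# Credential Guard appears as service id 1 in SecurityServicesRunning
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$report['Credential Guard running'] = [bool]($dg.SecurityServicesRunning -contains 1)

$report.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }

# Who still depends on NTLM? Once the audit policies above are enabled, the
# NTLM/Operational log records outgoing (8001) and incoming (8002) NTLM use,
# and domain controllers record domain-wide NTLM use (8003).
$events = Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 500 `
                       -ErrorAction SilentlyContinue
if ($events) {
    $events | Group-Object Id | Sort-Object Count -Descending |
        Format-Table @{Name = 'EventId'; Expression = { $_.Name }}, Count -AutoSize
} else {
    'No NTLM audit events found; enable the "Restrict NTLM: Audit ..." policies first.'
}
```

A non-zero count of 8001/8002 events names the clients and servers that still fall back to NTLM, which is the inventory an organisation needs before it can turn the audit settings into deny settings.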
However, these measures are not enough to ensure the security of NTLM authentication, as there may be other vulnerabilities or exploits that can bypass them. Therefore, the best way to protect against NTLM attacks is to stop using NTLM altogether and switch to Kerberos or other more secure authentication protocols.