Microsoft is planning to eliminate the use of NTLM authentication in Windows 11. NTLM is a legacy protocol whose lineage goes back to LAN Manager in the late 1980s, and it has been exploited by attackers for decades.

NTLM stands for NT LAN Manager (often expanded as New Technology LAN Manager). It succeeded LAN Manager (LM) authentication, which Microsoft originally developed for OS/2, a joint operating-system project between Microsoft and IBM, and it shipped with Windows NT in 1993. NTLM is a challenge-response authentication protocol: the server sends a random challenge, and the client returns a response computed from that challenge and a hash of the user's password, so the client proves knowledge of the password without sending it over the network.

NTLM has some advantages that made it popular in the past, such as:

However, NTLM also has many drawbacks that make it insecure and outdated, such as:

Microsoft has been trying to replace NTLM with Kerberos, a more modern and secure authentication protocol, since Windows 2000. Kerberos provides better security guarantees and is more extensible than NTLM. Kerberos relies on a trusted third party, called the Key Distribution Center (KDC), to issue tickets that authenticate users and services.

However, there are still some scenarios where Kerberos cannot be used and where Windows falls back to NTLM, such as:

To address these scenarios and reduce the dependency on NTLM, Microsoft is introducing two new features in Windows 11:

These features will enable Kerberos to be used in more situations and will reduce the need for NTLM fallback. Microsoft is also improving the auditing and management of NTLM usage, to help organizations identify and eliminate NTLM dependencies.
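The following PowerShell script is an added example, not code from the article or from Microsoft. It shows one way to start the inventory the paragraph above describes on a current Windows server or domain controller: pull successful logon events (Security event ID 4624) from the last few days, keep the ones whose authentication package is NTLM, list the LM/NTLMv1 ones first, and then show the busiest user/source pairs. The lookback window, the top-N count and the decision to skip machine-account and anonymous logons are assumptions of the example, not something the article specifies.

```powershell
# Added example, not from the article. Inventories NTLM logons from the Security
# log so you can see which accounts and hosts still depend on NTLM, and which of
# them are still using NTLMv1/LM. Run elevated on the server or DC you care about.
[CmdletBinding()]
param(
    [int]$Days = 7,      # lookback window (assumption)
    [int]$Top  = 25      # rows to show per table (assumption)
)

# 4624 = successful logon. Filtering in the hashtable lets the event log service
# do the work instead of streaming every event into PowerShell.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

if (-not $events) { "No 4624 events in the last $Days day(s)."; return }

$ntlm = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML into a name -> value map.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Kerberos logons carry AuthenticationPackageName 'Kerberos'; NTLM ones carry
    # 'NTLM', and LmPackageName then names the dialect: 'LM', 'NTLM V1' or 'NTLM V2'.
    if ($d['AuthenticationPackageName'] -ne 'NTLM') { continue }

    # Skip machine accounts and anonymous logons so the tables show the user and
    # service accounts you can act on (assumption; remove this to see everything).
    $user = $d['TargetUserName']
    if ($user -like '*$' -or $user -eq 'ANONYMOUS LOGON') { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($d['TargetDomainName'])\$user"
        Dialect     = $d['LmPackageName']
        LogonType   = $d['LogonType']
        Source      = $d['IpAddress']
        Workstation = $d['WorkstationName']
    }
}

"NTLM logons (excluding machine/anonymous) in the last $Days day(s): $(@($ntlm).Count)"

# LM and NTLMv1 responses are the cheaply cracked ones; they are the first thing to fix.
"`nNon-NTLMv2 logons:"
$ntlm | Where-Object { $_.Dialect -ne 'NTLM V2' } |
    Sort-Object Time -Descending | Select-Object -First $Top | Format-Table -AutoSize

# The top user/source pairs point at the application or host that still needs NTLM,
# which is what you need to know before tightening the NTLM restriction policies.
"`nBusiest user/source pairs:"
$ntlm | Group-Object User, Source | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize
```

Event 4624 only tells you about logons that reached this host. For a domain-wide picture, enable the "Network security: Restrict NTLM: Audit NTLM authentication in this domain" policy on the domain controllers, which writes event 8004 to the Microsoft-Windows-NTLM/Operational log with the account, the requesting workstation and the server it authenticated to; the same parsing approach applies to that log.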

Microsoft’s goal is to eventually phase out NTLM completely and improve the security of authentication for all Windows users. However, this will take time and will require cooperation from application developers and administrators who still rely on NTLM.

A brief history of NTLM attacks

NTLM has been a target for attackers since its inception, because of design weaknesses that patching cannot fully remove: the client's response is computed from the password hash alone, so a stolen hash is as good as the password; the protocol does not authenticate the server to the client, so a challenge-response exchange can be relayed to another service; and the older LM and NTLMv1 variants use weak cryptography that makes captured responses cheap to crack offline. Here are some of the most common types of attacks against NTLM:

These attacks can be prevented or mitigated by using various security measures, such as:

However, these measures narrow the attack surface rather than remove it. Even with NTLMv2 enforced and signing required, an NTLM logon still proves possession of a reusable, password-derived hash, so pass-the-hash remains possible wherever NTLM is accepted, and each new relay or downgrade technique has to be mitigated again, service by service. Therefore, the best way to protect against NTLM attacks is to stop using NTLM altogether and switch to Kerberos or another more secure authentication protocol.
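As an added example that is not part of the original article, the PowerShell script below checks the NTLM-related hardening settings most commonly used to blunt the attacks discussed above (NTLMv2-only responses, no stored LM hashes, the NTLM audit policies, and SMB signing on both client and server) and optionally enforces them. The target values are this example's own baseline, not a recommendation quoted from the article; the audit-rather-than-deny choice for the NTLM restriction policies is deliberate, because denying NTLM before you know what depends on it breaks applications.

```powershell
# Added example, not from the article. Read-only by default; -Enforce writes the
# registry values and SMB settings (run elevated; a reboot or gpupdate may be
# needed for everything to take effect). Target values are this example's baseline.
[CmdletBinding()]
param([switch]$Enforce)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"

# Registry-backed settings. Want = desired DWORD value.
$checks = @(
    @{ Path = $lsa; Name = 'LmCompatibilityLevel';       Want = 5
       Why  = 'send NTLMv2 only; refuse LM and NTLMv1 responses' }
    @{ Path = $lsa; Name = 'NoLMHash';                   Want = 1
       Why  = 'never store the trivially cracked LM hash' }
    @{ Path = $msv; Name = 'AuditReceivingNTLMTraffic';  Want = 2
       Why  = 'log every inbound NTLM logon (event 8002, NTLM/Operational)' }
    @{ Path = $msv; Name = 'RestrictSendingNTLMTraffic'; Want = 1
       Why  = 'audit outbound NTLM (event 8001) before switching to deny' }
)

$report = [System.Collections.Generic.List[object]]::new()

foreach ($c in $checks) {
    $cur = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $ok  = ($null -ne $cur -and [int]$cur -eq $c.Want)
    if ($Enforce -and -not $ok) {
        New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -PropertyType DWord -Force | Out-Null
        $ok = $true
    }
    $report.Add([pscustomobject]@{ Setting = $c.Name; Current = $cur; Wanted = $c.Want; OK = $ok; Why = $c.Why })
}

# SMB signing is what stops NTLM relay over SMB; it has to be required on both sides.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
$smb = @(
    @{ Name = 'SMB server RequireSecuritySignature'; Cur = $srv.RequireSecuritySignature
       Set  = { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force } }
    @{ Name = 'SMB client RequireSecuritySignature'; Cur = $cli.RequireSecuritySignature
       Set  = { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force } }
)
foreach ($side in $smb) {
    $ok = [bool]$side.Cur
    if ($Enforce -and -not $ok) { & $side.Set; $ok = $true }
    $report.Add([pscustomobject]@{ Setting = $side.Name; Current = $side.Cur; Wanted = $true; OK = $ok
                                   Why = 'reject unsigned SMB sessions (defeats relay to or from this host)' })
}

$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.OK }) {
    "Some settings still differ from the baseline; rerun with -Enforce to apply them."
}
```

Run it without arguments first and compare the report against the NTLM inventory from the audit step; only after the audit events stop showing dependencies you care about should the RestrictSendingNTLMTraffic and RestrictReceivingNTLMTraffic values be moved from audit to deny. Note that none of these settings change the fundamental point above: an NTLMv2 logon with signing still authenticates with a reusable hash.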