
Microsoft has announced a three-phase approach to phasing out New Technology LAN Manager (NTLM) as part of its efforts to migrate Windows environments to more powerful Kerberos-based options.
The development comes more than two years after the tech giant revealed plans to retire its legacy technology due to vulnerabilities that could facilitate relay attacks and allow malicious parties to gain unauthorized access to network resources. NTLM will be officially deprecated in June 2024 and will no longer receive updates.
“NTLM consists of security protocols originally designed to provide authentication, integrity, and confidentiality to users,” explains Mariam Gewida, second technical program manager at Microsoft. “However, as security threats have evolved, so have standards to meet modern security expectations. NTLM now uses weak encryption, making it susceptible to a variety of attacks, including replay and man-in-the-middle attacks.”
Microsoft said that despite its deprecated status, the use of NTLM remains prevalent in enterprise environments where modern protocols like Kerberos cannot be implemented due to legacy dependencies, network limitations, or built-in application logic. This exposes organizations to security risks such as replay, relay, and pass-the-hash attacks.

To mitigate this issue in a secure manner, the company has adopted a three-step strategy that paves the way for disabling NTLM by default.
Phase 1: Build visibility and control with enhanced NTLM auditing to better understand where and why NTLM is still being used (available now).
Phase 2: Address common roadblocks to NTLM migration through features such as IAKerb and local Key Distribution Centers (KDCs) (pre-release), and update core Windows components to prioritize Kerberos authentication (planned for 2H 2026).
Phase 3: Disable NTLM by default in the next version of Windows Server and associated Windows clients, requiring explicit re-enablement through new policy controls.

Microsoft sees this transition as a major step toward a passwordless, phishing-resistant future. Organizations that rely on NTLM are advised to conduct audits, map dependencies, migrate to Kerberos, test NTLM-off configurations in non-production environments, and enable Kerberos upgrades.
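The auditing step (Phase 1) and the advice to map dependencies amount to inventorying which hosts and accounts still authenticate with NTLM. The following added example, not from the article or from Microsoft, shows one way to do that offline from exported Windows Security logon events: it assumes successful logons (Event ID 4624) were exported as JSON Lines with the standard fields AuthenticationPackageName, LmPackageName, LogonType, IpAddress, WorkstationName and TargetUserName, and the sample records are constructed.

```python
import json
from collections import Counter

# Constructed sample export of Security events (JSON Lines), not real log data.
SAMPLE_EVENTS = """\
{"EventID": 4624, "AuthenticationPackageName": "Kerberos", "LmPackageName": "-", "LogonType": 3, "IpAddress": "10.0.0.21", "WorkstationName": "APP01", "TargetUserName": "svc-backup"}
{"EventID": 4624, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "LogonType": 3, "IpAddress": "10.0.0.35", "WorkstationName": "PRINTSRV", "TargetUserName": "jdoe"}
{"EventID": 4624, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1", "LogonType": 3, "IpAddress": "10.0.0.50", "WorkstationName": "LEGACYNAS", "TargetUserName": "svc-scan"}
{"EventID": 4624, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "LogonType": 3, "IpAddress": "10.0.0.35", "WorkstationName": "PRINTSRV", "TargetUserName": "asmith"}
{"EventID": 4625, "AuthenticationPackageName": "NTLM", "LmPackageName": "-", "LogonType": 3, "IpAddress": "10.0.0.9", "WorkstationName": "-", "TargetUserName": "guest"}
"""

def _successful_logons(jsonl: str):
    """Yield parsed 4624 (successful logon) records; failures (4625) are skipped."""
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            if ev.get("EventID") == 4624:
                yield ev

def auth_package_totals(jsonl: str) -> Counter:
    """Kerberos-vs-NTLM ratio across successful logons: the headline audit number."""
    return Counter(ev.get("AuthenticationPackageName", "?") for ev in _successful_logons(jsonl))

def ntlm_dependency_map(jsonl: str) -> dict:
    """Map each (workstation, source IP) that still uses NTLM to the accounts involved,
    the logon count, and whether NTLMv1 (the weakest variant) was seen."""
    deps = {}
    for ev in _successful_logons(jsonl):
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        key = (ev.get("WorkstationName", "-"), ev.get("IpAddress", "-"))
        entry = deps.setdefault(key, {"accounts": set(), "count": 0, "ntlmv1": False})
        entry["accounts"].add(ev.get("TargetUserName", "-"))
        entry["count"] += 1
        # LmPackageName distinguishes "NTLM V1" from "NTLM V2" on 4624 events.
        if ev.get("LmPackageName", "").upper().startswith("NTLM V1"):
            entry["ntlmv1"] = True
    return deps

if __name__ == "__main__":
    print(auth_package_totals(SAMPLE_EVENTS))
    for (host, ip), info in sorted(ntlm_dependency_map(SAMPLE_EVENTS).items()):
        flag = " [NTLMv1]" if info["ntlmv1"] else ""
        print(f"{host} ({ip}): {info['count']} NTLM logons, accounts={sorted(info['accounts'])}{flag}")
```

Run against a real export, the dependency map is the list of hosts to remediate (or to test with NTLM disabled) before Phase 3 makes that the default.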
“Disabling NTLM by default does not yet mean completely removing NTLM from Windows,” Gewida said. “Instead, it means that Windows is delivered secure by default, with network NTLM authentication blocked and automatically disabled.”
“The OS will prioritize modern, more secure Kerberos-based alternatives, while common legacy scenarios will be addressed through new upcoming features such as local KDC and IAKerb (pre-release).”
