
Microsoft to Replace NTLM with Kerberos for Enhanced Authentication Security


Microsoft recently announced its intention to phase out the NT LAN Manager (NTLM) authentication protocol within the Windows 11 ecosystem. 

This move is intended to strengthen authentication security by consolidating on the Kerberos protocol, which has been the default authentication mechanism for domain accounts since Windows 2000. 

In pursuit of this goal, Windows 11 is set to introduce innovative features, namely Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) tailored for Kerberos.

Let’s Dive into the Details

IAKerb addresses the most common reason Windows still falls back to NTLM: a client that has no line of sight to a domain controller. With IAKerb, the server the client is connecting to proxies the Kerberos exchange to the domain controller on the client’s behalf, so Kerberos can be used across segmented networks and from remote clients where today only NTLM works. 

Complementing this, the local Key Distribution Center (KDC) lets a machine issue Kerberos tickets for its own local user accounts, which today can only be authenticated remotely with NTLM, so that remote logons to local accounts can also use Kerberos.

Initially introduced in the 1990s, NTLM has historically offered a suite of security protocols designed to furnish users with authentication, data integrity, and confidentiality.

It operates as a single sign-on (SSO) mechanism, relying on a challenge-response protocol: the server issues a random challenge and the client returns a keyed response that proves knowledge of the account’s password, or more precisely of the password’s NT hash, which is verified by the server or the domain controller it forwards the response to. 

However, despite its historical significance, NTLM’s prominence waned following the release of Windows 2000, as the Kerberos authentication protocol supplanted it.

What’s the difference? 

A fundamental difference between NTLM and Kerberos lies in how each manages authentication. 

NTLM uses a three-message exchange between the client and the server (negotiate, challenge, authenticate), and the server, or the domain controller it forwards to, checks the response against the account’s stored NT hash. Kerberos instead routes authentication through a trusted third party, the Key Distribution Center: the client first obtains a ticket-granting ticket from the KDC’s authentication service, then presents it to the ticket-granting service to obtain a service ticket for each server it wants to reach. 

Another notable difference is what secret is proven and how. NTLM computes a keyed response over the server’s challenge using the NT hash of the password, so possession of the hash alone is enough to authenticate. Kerberos encrypts timestamps and session keys under keys derived from the password and issues service tickets encrypted under the target service’s own key, so a ticket is only usable with the service it was issued for.

Beyond weak password hashing, NTLM’s best-known weakness is the relay attack: because a response is bound only to the server’s challenge and not to the connection it was obtained on, an attacker positioned between a client and a server can forward the client’s negotiate message to a target of its choice, pass the target’s challenge back to the client, and relay the client’s response to the target, gaining access to network resources as that user. Captured challenge-response pairs can also be attacked offline with a password-guessing tool.
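The exchange described above, as an added example that is not part of the original article or of any Microsoft code: a minimal NTLMv2 client and server in pure Python (no network), with an attacker that relays the exchange and another that authenticates with only a stolen NT hash. The server name, account, password and target-info bytes are constructed for the demonstration, and the MD4 routine is included inline because hashlib lacks MD4 on many OpenSSL 3 builds.

```python
"""Added example (not Microsoft's code): a minimal NTLMv2 exchange showing that the
response proves the NT hash, not the password, and that it can be relayed. Pure Python,
no network; every name, account and secret here is constructed for the demonstration."""
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented inline because hashlib lacks MD4 on many OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[j] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c      # rotate roles: the next op updates the old d
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). It is what the DC stores and what NTLM proves."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(nt: bytes, user: str, domain: str) -> bytes:
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_response(nt, user, domain, server_challenge, client_challenge, target_info):
    """NTLMv2 per MS-NLMP: NtChallengeResponse = NTProofStr || temp."""
    temp = (b"\x01\x01" + b"\x00" * 6          # RespType, HiRespType, Reserved1, Reserved2
            + struct.pack("<Q", 0)             # FILETIME timestamp (zero for the demo)
            + client_challenge + b"\x00" * 4   # ChallengeFromClient, Reserved3
            + target_info + b"\x00" * 4)       # AV pairs copied from the challenge, Z(4)
    proof = hmac.new(ntlmv2_key(nt, user, domain), server_challenge + temp, "md5").digest()
    return proof + temp


class Server:
    """Stands in for a file server plus its DC: it holds NT hashes, never passwords."""
    def __init__(self, name, accounts):
        self.name, self.accounts, self.sessions = name, accounts, []
        self.target_info = name.encode("utf-16-le")   # constructed stand-in for the AV pairs

    def challenge(self) -> bytes:
        return os.urandom(8)

    def verify(self, user, domain, server_challenge, response) -> bool:
        nt = self.accounts.get(user)
        if nt is None:
            return False
        proof, temp = response[:16], response[16:]
        expected = hmac.new(ntlmv2_key(nt, user, domain), server_challenge + temp, "md5").digest()
        if not hmac.compare_digest(proof, expected):
            return False
        self.sessions.append(user)
        return True


class Client:
    def __init__(self, user, domain, password):
        self.user, self.domain, self.nt = user, domain, nt_hash(password)  # only the hash is kept

    def answer(self, server_challenge, target_info):
        return ntlmv2_response(self.nt, self.user, self.domain, server_challenge, os.urandom(8), target_info)


def relay_attack(victim: Client, target: Server) -> bool:
    """The attacker never learns the hash; it only shuttles messages between two connections."""
    chal = target.challenge()                        # attacker connects to the real target, takes ITS challenge
    resp = victim.answer(chal, target.target_info)   # victim, believing it talks to the attacker's share, answers
    return target.verify(victim.user, victim.domain, chal, resp)   # attacker forwards the answer unchanged


def pass_the_hash(stolen_nt: bytes, user, domain, target: Server) -> bool:
    """Knowing only the NT hash suffices; no password is ever needed."""
    chal = target.challenge()
    resp = ntlmv2_response(stolen_nt, user, domain, chal, os.urandom(8), target.target_info)
    return target.verify(user, domain, chal, resp)


if __name__ == "__main__":
    fs = Server("FS01", {"alice": nt_hash("password")})
    alice = Client("alice", "CORP", "password")
    print("relay succeeds:", relay_attack(alice, fs))                                             # True
    print("pass-the-hash succeeds:", pass_the_hash(nt_hash("password"), "alice", "CORP", fs))     # True
    print("wrong hash rejected:", not pass_the_hash(nt_hash("wrong"), "alice", "CORP", fs))       # True
```

The point of the simulation is what the server can and cannot tell apart: a relayed response and a legitimate one are byte-for-byte the same kind of object, because nothing in NTLM binds the response to the connection or to the server the client thought it was talking to. A Kerberos service ticket, by contrast, is encrypted under the target service’s long-term key and names the client, so forwarding it to a different service yields nothing that service can decrypt.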

Microsoft – On the Way

Microsoft has also committed to removing hard-coded NTLM dependencies from its own components, a prerequisite for the eventual phase-out of NTLM in Windows 11.

In this transition, Microsoft is actively enhancing the system to encourage the utilization of Kerberos over NTLM. 

Importantly, these changes will be enabled by default, minimizing the need for configuration in most scenarios, while NTLM will persist as a fallback option to ensure continued compatibility. Administrators can see where that fallback fires today by enabling the Network security: Restrict NTLM audit policies and reviewing the Microsoft-Windows-NTLM/Operational log, or by looking for logon events whose authentication package is NTLM.
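A way to inventory that fallback from the Security log, as an added example that is not part of the original article or of any Microsoft tooling: it reads exported logon events (ID 4624), keeps only successful NTLM logons, drops anonymous null-session noise, groups them by source host and flags NTLMv1. The events below are constructed for the demonstration and are flattened to the EventData fields a 4624 record carries (AuthenticationPackageName, LmPackageName, WorkstationName, IpAddress, TargetUserName, TargetDomainName); the export format of one JSON object per line is an assumption.

```python
"""Added example (not Microsoft's code): triage of Windows Security log 4624 events to
find where NTLM is still in use. The events below are constructed for the demonstration,
flattened to the EventData fields that a 4624 record carries."""
import json
from collections import defaultdict

# Constructed sample: one JSON object per line, as one might export from Get-WinEvent.
SAMPLE_EVENTS = r"""
{"Id": 4624, "TimeCreated": "2023-10-16T08:01:10Z", "TargetDomainName": "CORP", "TargetUserName": "svc_backup", "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "WorkstationName": "APP01", "IpAddress": "10.0.5.21"}
{"Id": 4624, "TimeCreated": "2023-10-16T08:02:30Z", "TargetDomainName": "CORP", "TargetUserName": "jdoe", "LogonType": 2, "AuthenticationPackageName": "Kerberos", "LmPackageName": "-", "WorkstationName": "WS042", "IpAddress": "10.0.3.17"}
{"Id": 4624, "TimeCreated": "2023-10-16T08:03:05Z", "TargetDomainName": "NT AUTHORITY", "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1", "WorkstationName": "", "IpAddress": "10.0.9.9"}
{"Id": 4624, "TimeCreated": "2023-10-16T08:04:44Z", "TargetDomainName": "CORP", "TargetUserName": "jdoe", "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1", "WorkstationName": "LEGACY-MDT", "IpAddress": "10.0.7.3"}
{"Id": 4625, "TimeCreated": "2023-10-16T08:05:00Z", "TargetDomainName": "CORP", "TargetUserName": "jdoe", "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "-", "WorkstationName": "LEGACY-MDT", "IpAddress": "10.0.7.3"}
{"Id": 4624, "TimeCreated": "2023-10-16T08:06:12Z", "TargetDomainName": "CORP", "TargetUserName": "svc_backup", "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "WorkstationName": "APP01", "IpAddress": "10.0.5.21"}
{"Id": 4624, "TimeCreated": "2023-10-16T08:07:51Z", "TargetDomainName": "CORP", "TargetUserName": "adm_ops", "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "WorkstationName": "-", "IpAddress": "10.0.8.8"}
"""


def parse_events(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ntlm_inventory(events: list) -> list:
    """Group successful NTLM logons by source host; sources that still send NTLMv1 sort first."""
    by_source = defaultdict(lambda: {"count": 0, "ntlmv1": 0, "accounts": set()})
    for e in events:
        if e.get("Id") != 4624 or e.get("AuthenticationPackageName") != "NTLM":
            continue                                  # Kerberos logons and failures are not dependencies
        if e.get("TargetUserName") == "ANONYMOUS LOGON":
            continue                                  # null-session noise, no credential behind it
        source = e.get("WorkstationName") or ""
        if source in ("", "-"):
            source = e.get("IpAddress", "unknown")    # some clients do not send a workstation name
        entry = by_source[source]
        entry["count"] += 1
        entry["accounts"].add(f'{e.get("TargetDomainName", "")}\\{e.get("TargetUserName", "")}')
        if e.get("LmPackageName") == "NTLM V1":
            entry["ntlmv1"] += 1                      # NTLMv1 responses are the weakest and easiest to crack
    findings = [{"source": s, "count": v["count"], "ntlmv1": v["ntlmv1"],
                 "accounts": sorted(v["accounts"])} for s, v in by_source.items()]
    return sorted(findings, key=lambda f: (-f["ntlmv1"], -f["count"], f["source"]))


if __name__ == "__main__":
    for f in ntlm_inventory(parse_events(SAMPLE_EVENTS)):
        flag = "NTLMv1!" if f["ntlmv1"] else ""
        print(f'{f["source"]:<12} logons={f["count"]:<3} {flag:<8} {", ".join(f["accounts"])}')
```

Run against a real export, the list that comes out is the list of hosts and accounts that would break if NTLM were disabled outright, which is exactly what the phase-out will eventually force; the NTLMv1 entries are the ones to fix first regardless of Microsoft’s timeline.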

Microsoft’s strategic decision to retire NTLM in favor of strengthening the Kerberos authentication protocol in Windows 11 reflects a commendable commitment to better security and addressing vulnerabilities in authentication methods. 

Our Analysis of the Development 

Scope of Changes: The announced changes primarily focus on Windows 11. As for Windows 10 and Windows Server, Microsoft has not disclosed any immediate plans to phase out NTLM in those versions. The transition seems centered around Windows 11.

Disaster Recovery Considerations: In scenarios where all domain controllers become unavailable, there are potential challenges for users and administrators. Cached sessions become crucial in such situations. 

People who have recently authenticated to a Windows machine may still be able to log in using cached credentials, ensuring a degree of continuity. 

However, proxying Kerberos messages is not a solution in these circumstances: IAKerb only relays the exchange to a domain controller, so it cannot help when none is reachable, and the local KDC covers only local accounts, which leaves cached domain credentials as the remaining path for domain users.

Microsoft Applications Relying on Hard-Coded NTLM: The issue of Microsoft applications relying on hard-coded NTLM instances is a valid concern. 

Applications like MDT, Config Manager, various administrative tools, and specific Windows Server roles may depend on NTLM, and some may not have been updated for an extended period. 

It is essential for Microsoft to address these dependencies and consider alternative authentication methods or security enhancements to ensure a smooth transition while maintaining compatibility and security.

These questions highlight the complexities and potential challenges of transitioning from NTLM in a diverse and widely used ecosystem like Windows. 

Microsoft should provide detailed guidance and support to navigate these concerns effectively.

Author: Anas Hasan

Date: October 16, 2023


Anas Hassan is a tech geek and cybersecurity enthusiast. He has extensive experience in the digital transformation industry. When Anas isn’t blogging, he watches football games.
