When you think about Windows authentication, chances are you’re familiar with NT LAN Manager (NTLM). For decades, NTLM has been a staple of Windows environments, providing a way for users to authenticate without sending passwords over the network. But here’s the thing: NTLM has outlived its usefulness. It’s an outdated protocol, riddled with weaknesses, and Microsoft has announced that it intends to kill it off over the next few years. Will the transition go as smoothly as an upgrade from one Windows release to the next? Or will it go the way of the internet’s adoption of IPv6? Time will tell.
Let’s talk about why NTLM needs to go, how it’s been a weak point in security, and why Kerberos, a protocol that dates back to MIT in the 1980s and has been the default for Windows domains since Windows 2000, is the preferred choice for secure authentication.
NTLM: Still Around, But Seriously Flawed
NTLM was designed in a different era, and it shows. At its core, NTLM is a challenge-response scheme: the server sends a random challenge, the client answers with a value computed from that challenge and the hash of its password, and the server has a domain controller check the answer. The password itself never crosses the wire. Sounds good, right? The problem is that this design has been seriously abused in modern attacks.
One of the most notorious ways attackers abuse NTLM is by getting in the middle of it. Responder poisons LLMNR, NBT-NS and mDNS name lookups so that victims connect to the attacker’s machine and authenticate to it with NTLM, handing over a challenge-response pair; ntlmrelayx takes that live authentication and relays it to another host where signing is not enforced, so the attacker is logged on there as the victim without ever knowing a password. Two different artefacts matter here, and they are often confused. The NT hash is an unsalted MD4 of the user’s password, stored in the SAM, in NTDS.dit and in LSASS memory; because the NTLM response is computed from that hash and never from the password itself, anyone who obtains it can authenticate directly, which is Pass-the-Hash. The challenge-response captured on the wire cannot be passed, but it can be cracked offline: each candidate password is hashed with MD4 and run through the same cheap computation (DES for NTLMv1, HMAC-MD5 for NTLMv2) until one reproduces the captured response. Both steps are fast and unsalted, so with today’s GPUs, or a powerful compute instance spun up in the cloud, weak passwords fall quickly.
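To make the distinction between those two artefacts concrete, here is a short worked example in Python. It is added here and is not code from the article, from Microsoft or from any of the tools named above; the user name, domain, challenges and word list are made up, and a real response would carry AV pairs (target name, channel bindings) in the blob. It computes an NTLMv2 response the way a client does, cracks a captured one with a word list, and then answers the same challenge from the NT hash alone.

```python
"""NTLMv2 challenge-response, worked through in code.

Added example, not from the article or Microsoft. It shows why a captured
NTLMv2 exchange can be cracked offline and why the NT hash alone is enough to
authenticate (Pass-the-Hash). MD4 is implemented inline because hashlib's md4
is missing on many OpenSSL 3 builds. User, domain, challenges and the word list
below are constructed sample values.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional


def md4(data: bytes) -> bytes:
    """MD4 as in RFC 1320; the NT hash is MD4 of the UTF-16LE password, unsalted."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """What the SAM, NTDS.dit and LSASS hold for each account."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(nt: bytes, user: str, domain: str) -> bytes:
    """Per-user NTLMv2 key (MS-NLMP NTOWFv2): HMAC-MD5 keyed by the NT hash."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def make_blob(timestamp: int, client_challenge: bytes, target_info: bytes = b"") -> bytes:
    """The NTLMv2 client-challenge structure appended to the response.
    A real response carries AV pairs (target name, channel bindings) in target_info."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: the 16 bytes a poisoner captures alongside the blob.
    Note the inputs: the NT hash is enough, the password is never needed here."""
    return hmac.new(ntlmv2_key(nt, user, domain), server_challenge + blob, hashlib.md5).digest()


def crack_ntlmv2(capture: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Offline attack on a captured exchange (the loop hashcat mode 5600 runs):
    hash each candidate with MD4, recompute the proof, compare."""
    for candidate in wordlist:
        proof = ntlmv2_proof(nt_hash(candidate), capture["user"], capture["domain"],
                             capture["server_challenge"], capture["blob"])
        if hmac.compare_digest(proof, capture["proof"]):
            return candidate
    return None


# Constructed capture: what a poisoner sees when CORP\alice connects to it.
USER, DOMAIN = "alice", "CORP"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")  # chosen by the (fake) server
BLOB = make_blob(timestamp=0x01DA9C5E8F3C2B00, client_challenge=bytes.fromhex("aabbccddeeff0011"))
CAPTURE = {
    "user": USER, "domain": DOMAIN, "server_challenge": SERVER_CHALLENGE, "blob": BLOB,
    # The victim's real password is "Winter2024!" (made up); only the proof goes on the wire.
    "proof": ntlmv2_proof(nt_hash("Winter2024!"), USER, DOMAIN, SERVER_CHALLENGE, BLOB),
}


def pass_the_hash(nt: bytes) -> bool:
    """Answer the server's challenge from a stolen NT hash alone, exactly as the victim would."""
    return hmac.compare_digest(ntlmv2_proof(nt, USER, DOMAIN, SERVER_CHALLENGE, BLOB), CAPTURE["proof"])


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("cracked:", crack_ntlmv2(CAPTURE, ["letmein", "password", "Winter2024!"]))
    print("pass-the-hash works:", pass_the_hash(nt_hash("Winter2024!")))
```

Run it as a script and it prints the NT hash of "password", the cracked password and whether pass-the-hash succeeded. The point is in the function signatures: ntlmv2_proof() never sees a password, only an NT hash, and crack_ntlmv2() costs one MD4 and two HMAC-MD5 calls per guess, with no salt and no work factor, which is why a rented GPU chews through word lists and rule sets faster than any human-chosen password survives.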
Beyond that, NTLM’s performance isn’t great. A server cannot validate an NTLM response on its own; it forwards every authentication to a domain controller over the Netlogon secure channel, so each new connection costs extra round trips and domain controller load. NTLM also lacks the features modern environments expect: there is no mutual authentication (the client never learns whether it is talking to the real server), no delegation, and no way to use anything other than a password-derived hash as the credential. Simply put, we need to move on from NTLM, but is Kerberos any better?
Why Kerberos Is the Better Choice
Let’s face it: Kerberos has been the default protocol for Windows domains since Windows 2000 for a reason. It’s more secure, it’s more efficient, and it’s built to handle modern threats.
One of the biggest advantages Kerberos has over NTLM is how it resists replay and Man-in-the-Middle (MITM) attacks. A service ticket is encrypted with the key of the specific service it was issued for, so a ticket stolen or relayed to some other service is useless there; the authenticator that accompanies it carries a timestamp, so replaying an old exchange fails once the clock-skew window (five minutes by default) has passed; and with mutual authentication the service proves knowledge of the session key back to the client, so both sides know who they are talking to. It’s much harder for an attacker to hijack a Kerberos session or impersonate a user without getting caught (but not impossible).
And let’s talk about cracking Kerberos tickets. Kerberos is not immune to offline attacks: any domain user can request a service ticket for an account that has a Service Principal Name and try to crack it offline (Kerberoasting), and an AS-REP for an account with pre-authentication disabled leaks similarly crackable material. The difference is the cost per guess. An RC4-encrypted ticket is keyed directly with the account’s NT hash, so it cracks as fast as NTLM does, but an AES ticket is keyed with a salted PBKDF2 derivation of the password (4,096 iterations of HMAC-SHA1 over the realm and principal name), which makes every guess thousands of times more expensive. That is why disabling RC4 for Kerberos and giving service accounts long random passwords (or using group managed service accounts) matters as much as turning off NTLM.
But Kerberos isn’t just more secure, it’s also more efficient. The client authenticates to the Key Distribution Center once, caches its ticket-granting ticket, and then presents cached service tickets to each server, which validates them locally with its own key. No per-connection trip to a domain controller is needed, which is a real saving in large environments.
The major advantages:
- More secure: the password itself never crosses the network, and a user’s long-term key is never handed to the services they connect to.
- Improved performance over NTLM authentication.
- Support for delegation (constrained delegation in particular), which NTLM cannot do.
- Simpler trust management between domains and forests.
- Support for smart cards and other multi-factor credentials through PKINIT.
So, Why Is Microsoft Deprecating NTLM Now?
Microsoft isn’t just getting rid of NTLM for the sake of it—they’re actively working to phase it out in favor of Kerberos and other modern authentication mechanisms. The reason is clear: NTLM is a security liability in today’s world, and Kerberos provides a much stronger foundation for secure authentication.
Microsoft knows that changing something as fundamental as authentication can’t happen overnight. The transition away from NTLM will take time, and it won’t be smooth for everyone. Many legacy applications still rely on NTLM, so Microsoft’s guidance is for applications to stop calling the NTLM package directly and use the Negotiate security package (SPNEGO) instead, which picks the protocol at run time.
The good news is that Negotiate prioritizes Kerberos, falling back to NTLM only when Kerberos can’t be used: no Service Principal Name for the target, a connection made by IP address rather than hostname, a local account, or a client with no line of sight to a domain controller. This means that most organizations will get the security benefits of Kerberos without completely breaking compatibility with older systems. Over time, though, as NTLM usage decreases, Microsoft plans to disable it entirely.
Key Features to Help Move Past NTLM
To make this transition easier, Microsoft has introduced a few features to support the broader use of Kerberos. For instance:
- IAKerb (Initial and Pass-Through Authentication using Kerberos) lets a client that cannot reach a Domain Controller authenticate through a server that can: the server proxies the Kerberos messages to the KDC on the client’s behalf. This is a game-changer for remote access or segmented network environments where NTLM was once the fallback.
- A local KDC for Kerberos means local accounts can now authenticate with Kerberos as well: the machine’s own SAM backs a KDC, and IAKerb carries the exchange over the connection. Before, NTLM was the only option for remote authentication with local accounts, so this change removes one of the biggest reasons NTLM is still in use and enables AES-based encryption for those logons.
These changes are being built into Windows 11, and they’re aimed at the most common reasons NTLM is still in use today.
NTLM Not for Long
NTLM will still work in the next versions of Windows Server and Windows 11, but the protocol is now deprecated and no longer under active development. Microsoft is taking a data-driven approach, monitoring NTLM usage across organizations; once it is confident that NTLM use has dropped far enough, NTLM will be disabled by default. That said, administrators will still be able to re-enable NTLM for compatibility during the transition period.
Don’t wait too long to start planning. Microsoft recommends that administrators use the NTLM auditing already built into Windows to find out where NTLM is still in use: the “Network security: Restrict NTLM” policies set to audit write events 8001 through 8004 to the Applications and Services Logs > Microsoft > Windows > NTLM > Operational log, and every Security log 4624 logon event records the authentication package and, for NTLM, the LM package (NTLM V1 or NTLM V2). Start with the NTLMv1 entries and with service accounts and devices that authenticate by IP address; those are the applications and services that need changing before the default flips.
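As an added example (not part of the article or of Microsoft’s tooling), here is a Python script that turns an export of those 4624 events into the list an administrator actually needs: how many logons used Kerberos versus NTLMv1 and NTLMv2, which accounts still arrive over NTLM and from which clients, and which of those are NTLMv1. The four events inside it are constructed to look like a typical file server’s log; the export command in the docstring is one way to produce real input.

```python
"""Find where NTLM is still used, from exported Security log 4624 events.

Added example, not from the article or Microsoft. It assumes the events were
exported as XML, e.g. from an elevated PowerShell prompt with
  Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
      ForEach-Object { $_.ToXml() } | Set-Content logons.xml
The four events embedded below are constructed sample data in that shape.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _sample_event(computer, user, domain, logon_type, auth_pkg, lm_pkg, workstation, ip):
    """Builds one constructed 4624 record with the fields the analysis needs."""
    fields = {
        "TargetUserName": user, "TargetDomainName": domain, "LogonType": logon_type,
        "AuthenticationPackageName": auth_pkg, "LmPackageName": lm_pkg,
        "WorkstationName": workstation, "IpAddress": ip,
    }
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f"<EventID>4624</EventID><Computer>{computer}</Computer></System>"
            f"<EventData>{data}</EventData></Event>")


SAMPLE_XML = "\n".join([
    # Domain user reaching the file server by hostname: Kerberos, LM package is "-".
    _sample_event("FS01.corp.local", "alice", "CORP", 3, "Kerberos", "-", "WS01", "10.0.0.5"),
    # Same user, same client, but connecting by IP address: no SPN, so NTLMv2.
    _sample_event("FS01.corp.local", "alice", "CORP", 3, "NTLM", "NTLM V2", "WS01", "10.0.0.5"),
    # A service account hard-wired to NTLM in an application's configuration.
    _sample_event("FS01.corp.local", "svc_backup", "CORP", 3, "NTLM", "NTLM V2", "BACKUP01", "10.0.0.20"),
    # A lobby printer still speaking NTLMv1: DES-based, cracks in minutes.
    _sample_event("FS01.corp.local", "scanner", "CORP", 3, "NTLM", "NTLM V1", "MFP-LOBBY", "10.0.0.99"),
])


def parse_logons(xml_text):
    """Yields one dict per 4624 event; accepts the concatenated output of ToXml()."""
    root = ET.fromstring(f"<Events>{xml_text}</Events>")
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        rec = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        rec["Computer"] = ev.findtext("e:System/e:Computer", namespaces=NS)
        yield rec


def summarize(records):
    """Counts logons per package and lists who still arrives over NTLM, and from where.
    NTLMv1 entries are returned separately: those need fixing first."""
    by_package = Counter()
    ntlm_sources = defaultdict(set)  # "DOMAIN\\user" -> {client address or name}
    ntlmv1 = []
    for r in records:
        pkg = r.get("AuthenticationPackageName", "")
        lm = r.get("LmPackageName", "-")
        by_package[f"{pkg}/{lm}" if pkg == "NTLM" else pkg] += 1
        if pkg != "NTLM":
            continue
        who = f'{r.get("TargetDomainName")}\\{r.get("TargetUserName")}'
        ip = r.get("IpAddress", "")
        ntlm_sources[who].add(ip if ip not in ("", "-") else r.get("WorkstationName", ""))
        if lm == "NTLM V1":
            ntlmv1.append((who, r.get("WorkstationName", ""), r["Computer"]))
    return by_package, dict(ntlm_sources), ntlmv1


if __name__ == "__main__":
    by_package, sources, v1 = summarize(parse_logons(SAMPLE_XML))
    for label, n in sorted(by_package.items()):
        print(f"{label:16} {n}")
    for who, where in sorted(sources.items()):
        print(f"NTLM   {who:20} from {', '.join(sorted(where))}")
    for who, ws, server in v1:
        print(f"NTLMv1 {who} via {ws} on {server}")
```

The sample deliberately contains the two most common findings: the same user appears under both Kerberos and NTLM because one connection used the server’s IP address, for which there is no Service Principal Name, and a device nobody owns is still speaking NTLMv1. Correlate the NTLM rows with the 8001 through 8004 events from the NTLM/Operational log, which also record the target server and, for outgoing traffic, the calling process, before changing any policy.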
Source: Wallarm
The Security Evolution
Microsoft’s move to deprecate NTLM isn’t just about getting rid of an old protocol; it’s about improving the overall security posture of Windows environments. By reducing the attack surface exposed by NTLM and pushing organizations to adopt stronger, more efficient authentication mechanisms like Kerberos and Negotiate, Microsoft is raising the security bar.
NTLM has been a valuable tool in the past, but it’s no longer suited for today’s threat landscape. Kerberos offers stronger protection against attacks like MITM and Pass-the-Hash, and it’s more efficient. It is not the final word in authentication security, though: Kerberos has weaknesses of its own, and Microsoft is addressing the lowest-hanging fruit, NTLM, first while strengthening Kerberos over time. Transitioning away from NTLM will take time and planning, but the benefits are clear: better security, better performance, and a more scalable solution for the future.
Sources: Microsoft, Bleeping Computer