October 14, 2023 at 02:48AM
Microsoft plans to eliminate NT LAN Manager (NTLM) in Windows 11, focusing instead on strengthening the Kerberos authentication protocol. New features in Windows 11 include Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos. NTLM has vulnerabilities that make it susceptible to relay attacks. Microsoft aims to encourage the use of Kerberos and is making improvements that will allow NTLM to be disabled in Windows 11. NTLM will still be available as a fallback for compatibility.
Key Takeaways from the Meeting Notes:
– Microsoft plans to eliminate NT LAN Manager (NTLM) in Windows 11 in the future and focus on strengthening the Kerberos authentication protocol.
– New features in Windows 11 include Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos.
– IAKerb allows clients to authenticate with Kerberos across different network topologies, while the local KDC extends Kerberos support to local accounts.
– NTLM, introduced in the 1990s, has been superseded by Kerberos since the release of Windows 2000 but continues to be used as a fallback mechanism.
– NTLM uses a three-way handshake for authentication, while Kerberos uses a two-part process involving a ticket-granting service (TGS) or Key Distribution Center (KDC).
– NTLM relies on password hashing, while Kerberos uses encryption.
– NTLM has inherent security weaknesses and is vulnerable to relay attacks.
– Microsoft is addressing hard-coded NTLM instances and encouraging the use of Kerberos in Windows 11.
– These changes will be enabled by default and will not require configuration in most scenarios.
– NTLM will still be available as a fallback for maintaining existing compatibility.
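As an added example that is not part of the article or of any Microsoft tooling: a PowerShell script that inventories NTLM logons recorded in the local Security event log, so that clients and services still falling back to NTLM can be found before the protocol is disabled. It assumes an elevated session that can read the Security log and that successful logon auditing (Event ID 4624) is enabled; the field names used are the standard 4624 EventData names.

```powershell
# Added example (not from the article): list NTLM logons from the Security log
# so hard-coded or fallback NTLM callers stand out before NTLM is turned off.
# Assumes: elevated session, Event ID 4624 auditing enabled. Adjust the window
# and event cap to taste.
$Days      = 7
$MaxEvents = 5000

$filter = @{
    LogName   = 'Security'
    Id        = 4624                              # successful logon
    StartTime = (Get-Date).AddDays(-$Days)
}

$rows = foreach ($ev in Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop) {
    # Read EventData by field name rather than by position, which is more robust
    # across Windows versions than indexing $ev.Properties.
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # AuthenticationPackageName is 'NTLM' for NTLM logons and 'Kerberos' for Kerberos;
    # LmPackageName then tells NTLM V1 from NTLM V2.
    if ($d['AuthenticationPackageName'] -ne 'NTLM') { continue }

    [pscustomobject]@{
        Time        = $ev.TimeCreated
        User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType   = $d['LogonType']             # 3 = network, 2 = interactive, ...
        NtlmVersion = $d['LmPackageName']
        Workstation = $d['WorkstationName']
        SourceIP    = $d['IpAddress']
        Process     = $d['ProcessName']
    }
}

# Summarise by account, source address and NTLM version; the busiest rows are the
# callers to investigate or reconfigure for Kerberos first.
$rows | Group-Object User, SourceIP, NtlmVersion |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run the same script on domain controllers and file servers, where fallback logons from other hosts are recorded, to get a network-wide picture rather than a single workstation's.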