October 13, 2023 at 12:50PM
Microsoft has announced that the NTLM authentication protocol will eventually be disabled in Windows 11. Kerberos has been the default authentication protocol for domain-joined Windows systems since Windows 2000, but NTLM is still in use as a fallback and remains exposed to NTLM relay and pass-the-hash attacks. Microsoft is working on new Kerberos features to remove the reasons for that fallback and plans to expand the NTLM management controls available to administrators before disabling NTLM in Windows 11.
From the meeting notes, the key takeaways are:
1. Microsoft announced that the NTLM authentication protocol will eventually be phased out in Windows 11.
2. Kerberos has been the default authentication protocol for domain-joined devices since Windows 2000.
3. Despite being outdated, NTLM is still used today as a fallback when Kerberos cannot be used, for example when a client has no line of sight to a domain controller, when a target is addressed by IP address rather than hostname, or when a local account is used.
4. Threat actors have extensively exploited NTLM in NTLM relay attacks, in which an authentication captured from a client is forwarded to another server and accepted as that client, which has been used to gain control over Windows domains.
5. NTLM has also been targeted in pass-the-hash attacks, in which a stolen NTLM hash is used to authenticate directly, without cracking the password, allowing attackers to access sensitive data and move laterally on the network.
6. Microsoft advises developers and Windows admins to stop using NTLM and already provides controls (the "Network security: Restrict NTLM" Group Policy settings) to audit and disable it, as well as hardening to mitigate NTLM relay attacks.
7. Microsoft is working on two new Kerberos features to address the scenarios that cause NTLM fallback: IAKerb, which lets a client authenticate with Kerberos through a server that relays the exchange to a domain controller the client cannot reach directly, and Local KDC, which adds a Kerberos key distribution center to the local machine so that local accounts can use Kerberos instead of NTLM.
8. Microsoft plans to expand NTLM management controls for administrators to monitor and restrict its usage.
9. The goal is to ultimately disable NTLM in Windows 11, and Microsoft is monitoring data on NTLM usage to determine when it will be safe to do so.
These takeaways highlight the transition from NTLM to Kerberos as the preferred authentication protocol and the efforts to minimize NTLM usage and mitigate related security risks.
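The following PowerShell script is an added example, not part of the original summary or of Microsoft's announcement. It shows how an administrator would use the existing NTLM management controls mentioned above: it reads the registry values behind the "Network security: Restrict NTLM" and "LAN Manager authentication level" Group Policy settings, compares them against a hardened target state, and summarizes recent NTLM logons from the Security log so that NTLM usage can be measured before it is blocked. The registry paths, policy names and event IDs are Microsoft's documented ones; the target values in `$Checks` (audit outgoing traffic first, deny incoming, NTLMv2 only, SMB signing required) are this editor's suggested staging choices, not a Microsoft recommendation. Run it in an elevated session on the host being assessed.

```powershell
# Added example (not Microsoft's code): inventory the NTLM management controls
# and measure live NTLM use before turning restrictions on. Run elevated.

$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv    = "$lsa\MSV1_0"
$server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Target state for a host being steered off NTLM (editor's staging choice).
# Outgoing traffic is set to audit (1) first; move it to deny (2) once the
# NTLM/Operational log shows no remaining legitimate users.
# RestrictSendingNTLMTraffic   0 allow all | 1 audit all | 2 deny all
# RestrictReceivingNTLMTraffic 0 allow all | 1 deny domain accounts | 2 deny all
# AuditReceivingNTLMTraffic    0 off | 1 audit domain accounts | 2 audit all
# LmCompatibilityLevel         5 send NTLMv2 only, refuse LM and NTLMv1
# RequireSecuritySignature     1 SMB signing required (blunts SMB relay)
$Checks = @(
    @{ Path = $msv;    Name = 'AuditReceivingNTLMTraffic';    Want = 2; Policy = 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' }
    @{ Path = $msv;    Name = 'RestrictSendingNTLMTraffic';   Want = 1; Policy = 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' }
    @{ Path = $msv;    Name = 'RestrictReceivingNTLMTraffic'; Want = 2; Policy = 'Network security: Restrict NTLM: Incoming NTLM traffic' }
    @{ Path = $lsa;    Name = 'LmCompatibilityLevel';         Want = 5; Policy = 'Network security: LAN Manager authentication level' }
    @{ Path = $server; Name = 'RequireSecuritySignature';     Want = 1; Policy = 'Microsoft network server: Digitally sign communications (always)' }
)

function Get-NtlmControlState {
    # Compare each control's current registry value with the target state.
    foreach ($c in $Checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $current = $null
        if ($null -ne $item) { $current = $item.($c.Name) }
        $shown  = 'not set'
        if ($null -ne $current) { $shown = $current }
        $status = 'REVIEW'
        if ($current -eq $c.Want) { $status = 'OK' }
        [pscustomobject]@{ Policy = $c.Policy; Value = $c.Name; Current = $shown; Wanted = $c.Want; Status = $status }
    }
}

function Get-NtlmLogonSummary {
    param([int]$Hours = 24)
    # Security event 4624 records the authentication package used. NTLM network
    # logons (LogonType 3) are what relay and pass-the-hash produce on the target;
    # LmPackageName separates 'NTLM V1' (remove first) from 'NTLM V2'.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['AuthenticationPackageName'] -eq 'NTLM') {
                [pscustomobject]@{
                    Version     = $d['LmPackageName']
                    LogonType   = $d['LogonType']
                    Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                    Workstation = $d['WorkstationName']
                    SourceIP    = $d['IpAddress']
                }
            }
        } |
        Group-Object Version, LogonType, Account, Workstation, SourceIP |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Get-NtlmOperationalEvents {
    param([int]$Hours = 24)
    # The Microsoft-Windows-NTLM/Operational log is only populated once the
    # Restrict NTLM audit policies above are enabled. 8001 = outgoing NTLM from
    # this client, 8002 = incoming NTLM accepted by this server; domain
    # controllers additionally log 8003/8004 for domain-wide auditing.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Get-NtlmControlState     | Format-Table -AutoSize
Get-NtlmLogonSummary     | Format-Table -AutoSize
Get-NtlmOperationalEvents | Format-Table -AutoSize
```

Work through the output in order: anything reported as `NTLM V1` or `LM` in the logon summary should be fixed (raise `LmCompatibilityLevel`) before tightening anything else, because those clients will break as soon as NTLMv1 is refused. Then run with outgoing traffic in audit mode for a while, review the 8001/8002 events to find the servers and processes that still depend on NTLM (typically IP-addressed shares and local-account logons, the cases IAKerb and Local KDC are meant to cover), and only then switch the restriction values to deny.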