October 16, 2023 at 08:24AM
Microsoft is working on new features for Kerberos to improve Windows authentication security and eliminate the use of the NTLM protocol. The features include Initial and Pass Through Authentication Using Kerberos (IAKerb), which allows authentication through a server in firewall segmented environments or remote access scenarios. The second feature is a local Key Distribution Center (KDC) for Kerberos, which enables remote authentication of local user accounts. Microsoft plans to disable NTLM in Windows 11 and is providing management controls to track and block NTLM usage.
Microsoft is working on two new features for Kerberos that aim to improve the security of Windows authentication and eliminate the use of the NTLM protocol. NTLM is susceptible to relay attacks and brute-force password attacks, which makes it comparatively weak. Kerberos, on the other hand, provides better security guarantees but cannot be used in certain scenarios, which forces a fallback to NTLM. The first feature, called Initial and Pass Through Authentication Using Kerberos (IAKerb), allows a client without line-of-sight to a Domain Controller to authenticate through a server that does have line-of-sight. This is useful in firewall-segmented environments and remote access scenarios. The second feature is a local Key Distribution Center (KDC) for Kerberos that enables remote authentication of local user accounts via Kerberos without the need for other enterprise services such as DNS or Netlogon. Microsoft is also updating Windows components that currently use NTLM so that they use the Negotiate protocol instead, while providing additional management controls to track and block NTLM usage. The goal is ultimately to disable NTLM in Windows 11, but the timing will be determined by data-driven analysis of reductions in NTLM usage. Microsoft encourages customers to use the new enhanced controls to prepare for the disablement of NTLM, and suggests cataloging NTLM use and auditing code for hardcoded usage of NTLM.
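The cataloging step suggested above can be started from logon events: the Windows Security log's successful-logon event 4624 carries an "Authentication Package" field that names Kerberos or NTLM. The following script is an added example, not Microsoft's tooling; it parses constructed sample records in a simplified key=value form (not the exact event text) and ranks the account/workstation pairs that still authenticate with NTLM, so they can be fixed before NTLM is blocked.

```python
import re
from collections import defaultdict

# Constructed sample records in a simplified key=value layout (assumption:
# not the real Windows Security log format). AuthPackage mirrors the
# "Authentication Package" field of logon event 4624.
SAMPLE_EVENTS = """
EventID=4624 Account=alice Workstation=WS01 AuthPackage=Kerberos LogonType=3
EventID=4624 Account=svc_backup Workstation=FILESRV02 AuthPackage=NTLM LogonType=3
EventID=4624 Account=bob Workstation=WS07 AuthPackage=NTLM LogonType=3
EventID=4624 Account=svc_backup Workstation=FILESRV02 AuthPackage=NTLM LogonType=3
EventID=4672 Account=alice Workstation=WS01
""".strip().splitlines()

# AuthPackage is optional so that non-logon events (e.g. 4672) still parse
# and can be filtered out by event id.
EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+Account=(?P<acct>\S+)\s+Workstation=(?P<ws>\S+)"
    r"(?:\s+AuthPackage=(?P<pkg>\S+))?"
)


def parse_event(line):
    """Return a dict of the event's fields, or None if the line is not a record."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def catalog_ntlm_use(lines):
    """Count successful logons (4624) per authentication package and rank the
    (account, workstation) pairs that still use NTLM, most frequent first."""
    totals = defaultdict(int)
    ntlm_sources = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["id"] != "4624" or ev["pkg"] is None:
            continue  # not a successful-logon record with a package name
        totals[ev["pkg"]] += 1
        if ev["pkg"].upper() == "NTLM":
            ntlm_sources[(ev["acct"], ev["ws"])] += 1
    ranked = sorted(ntlm_sources.items(), key=lambda kv: (-kv[1], kv[0]))
    return dict(totals), ranked


if __name__ == "__main__":
    totals, ranked = catalog_ntlm_use(SAMPLE_EVENTS)
    print("logons by package:", totals)
    for (account, workstation), count in ranked:
        print(f"NTLM still used: {account} from {workstation} ({count} logons)")
```

On a real host the same aggregation can be fed from exported 4624 events once the parser is adapted to the actual field layout.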