Microsoft plans to disable NTLM authentication in Windows 11

Microsoft has made an announcement stating that the NTLM authentication protocol will be disabled in Windows 11. Instead, it will be replaced by Kerberos, which is currently the default authentication protocol in Windows versions above Windows 2000.

NTLM, which stands for New Technology LAN Manager, is a set of protocols utilized for authenticating remote users and providing session security. It has often been exploited by attackers in relay attacks. These attacks involve vulnerable network devices, including domain controllers, authenticating to servers controlled by the attackers. Through these attacks, the attackers can escalate their privileges and gain complete control over a Windows domain. NTLM is still present on Windows servers, and attackers can exploit vulnerabilities like ShadowCoerce, DFSCoerce, PetitPotam, and RemotePotato0, which are designed to bypass protections against relay attacks. Additionally, NTLM allows for hash transmission attacks, enabling attackers to authenticate themselves as a compromised user and access sensitive data.

To mitigate these risks, Microsoft advises Windows administrators to either disable NTLM or configure their servers to block NTLM relay attacks using Active Directory Certificate Services.

Currently, Microsoft is working on two new features related to Kerberos. The first feature, IAKerb (initial and end-to-end authentication using Kerberos), allows Windows to transmit Kerberos messages between remote local computers without the need for additional enterprise services such as DNS, netlogon, or DCLocator. The second feature involves a local Key Distribution Center (KDC) for Kerberos, which expands Kerberos support to local accounts.

Furthermore, Microsoft plans to enhance NTLM controls, granting administrators greater flexibility to monitor and restrict the usage of NTLM in their environments.

All these changes will be enabled by default and won't require configuration for most scenarios, as stated by the company. NTLM will still be available as a fallback option to maintain compatibility with existing systems.

Support us

Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options: