Microsoft to Deprecate NT LAN Manager in Windows 11

Microsoft will phase out NTLM authentication in Windows 11, shifting to the more secure Kerberos protocol to enhance security and protect against cyber threats.

Microsoft has announced its plans to phase out the NT LAN Manager (NTLM) authentication protocol in Windows 11, marking a significant shift towards enhanced security. The company aims to replace NTLM with the more secure Kerberos authentication protocol, citing vulnerabilities and the need for a modernized security approach.

Understanding NTLM and Kerberos

NTLM, or New Technology LAN Manager, is a challenge-response authentication protocol that has been part of the Windows operating system since the early days. Despite its long history, NTLM is considered outdated and vulnerable to various attacks, such as pass-the-hash and relay attacks, which can compromise user credentials and system security.

Kerberos, on the other hand, is a robust and secure authentication protocol that uses a ticketing system to authenticate users to network resources. It supports advanced encryption standards, providing better security and performance compared to NTLM. Kerberos has been the default authentication protocol for domain-connected devices on Windows versions since Windows 2000.

Reasons for Deprecating NTLM

Microsoft’s decision to deprecate NTLM stems from its inherent security weaknesses. NTLM does not support modern encryption algorithms like AES or SHA-256, making it susceptible to sophisticated attacks. Additionally, NTLM’s reliance on a three-way handshake for authentication is less secure compared to Kerberos’ ticket-based system.

Despite its vulnerabilities, NTLM has persisted due to its simplicity and ease of use in certain scenarios, especially for local accounts and environments without a direct connection to a Domain Controller (DC). However, the need to transition to a more secure authentication method has become paramount as cyber threats evolve.

Transition to Kerberos

To facilitate the transition from NTLM to Kerberos, Microsoft is introducing two new features in Windows 11:

  1. Initial and Pass Through Authentication Using Kerberos (IAKerb): This extension allows clients to authenticate with a DC through a server that has line-of-sight access, even if the client itself does not. This feature ensures secure authentication across segmented networks and remote access scenarios, protecting against replay and relay attacks.
  2. Local Key Distribution Center (KDC): This feature extends Kerberos support to local accounts by using the Security Account Manager (SAM) to pass messages between remote local machines. The local KDC leverages IAKerb for secure authentication without requiring additional enterprise services.

Implications for Organizations

The deprecation of NTLM means organizations will need to audit their applications and services to identify where NTLM is still in use and transition to Kerberos. Microsoft recommends using existing policies and logs to track NTLM usage and implement controls to disable it where possible. Enhanced NTLM management controls will aid in this transition, allowing administrators to monitor and restrict NTLM usage within their environments.

While NTLM will continue to be available as a fallback mechanism to ensure compatibility with legacy systems, the goal is to eventually disable it by default. Organizations are encouraged to start migrating to Kerberos to benefit from its superior security and performance.
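
One way to carry out the audit step described in this section, as an added example that is not from the article or from Microsoft: a PowerShell function that uses Security logon events (ID 4624) to list which accounts and hosts still authenticate with NTLM, and with which NTLM version. The function name, the EXAMPLE domain and the sample events are constructed for illustration.

```powershell
# Added example: summarize NTLM logons recorded as Security event 4624.
# Input is one XML string per event, as returned by EventLogRecord.ToXml().
function Get-NtlmLogonSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)

    $rows = foreach ($x in $EventXml) {
        # Flatten <Data Name='...'>value</Data> into a name -> value table.
        $d = @{}
        foreach ($n in ([xml]$x).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Skip logons that did not use NTLM (for example Kerberos).
        if ($d['AuthenticationPackageName'] -ne 'NTLM') { continue }

        [pscustomobject]@{
            Account     = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            Workstation = $d['WorkstationName']
            SourceIp    = $d['IpAddress']
            NtlmVersion = $d['LmPackageName']   # e.g. "NTLM V1" or "NTLM V2"
        }
    }

    # One row per distinct caller, busiest first, to prioritize migration work.
    $rows | Group-Object Account, Workstation, SourceIp, NtlmVersion | ForEach-Object {
        $f = $_.Group[0]
        [pscustomobject]@{
            Logons = $_.Count; Account = $f.Account; Workstation = $f.Workstation
            SourceIp = $f.SourceIp; NtlmVersion = $f.NtlmVersion
        }
    } | Sort-Object Logons -Descending
}

# Constructed sample events (not real log data); only the fields used above are present.
$template = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><EventData>" +
    "<Data Name='TargetUserName'>{0}</Data><Data Name='TargetDomainName'>EXAMPLE</Data>" +
    "<Data Name='AuthenticationPackageName'>{1}</Data><Data Name='LmPackageName'>{2}</Data>" +
    "<Data Name='WorkstationName'>{3}</Data><Data Name='IpAddress'>{4}</Data></EventData></Event>"
$sample = @(
    ($template -f 'svc-scan', 'NTLM',     'NTLM V1', 'PRINT01', '192.0.2.10'),
    ($template -f 'svc-scan', 'NTLM',     'NTLM V1', 'PRINT01', '192.0.2.10'),
    ($template -f 'alice',    'NTLM',     'NTLM V2', 'WS042',   '192.0.2.55'),
    ($template -f 'bob',      'Kerberos', '-',       '-',       '192.0.2.77')
)
Get-NtlmLogonSummary -EventXml $sample | Format-Table -AutoSize

# On a live host (elevated session), feed real events instead:
#   $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
#          ForEach-Object { $_.ToXml() }
#   Get-NtlmLogonSummary -EventXml $xml
```

Rows reporting NTLM V1 are the ones to remediate first, and the Kerberos logon in the sample is filtered out of the summary.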

Microsoft’s move to deprecate NTLM in favor of Kerberos is a significant step towards bolstering Windows 11’s security. By introducing new features to enhance Kerberos and phasing out NTLM, Microsoft aims to protect users from advanced cyber threats and provide a more secure authentication environment.

About the author

Gauri

Gauri, a graduate in Computer Applications from MDU, Rohtak, and a tech journalist for 4 years, excels in covering diverse tech topics. Her contributions have been integral in earning PC-Tablet a spot in the top tech news sources list last year. Gauri is known for her clear, informative writing style and her ability to explain complex concepts in an accessible manner.
