Microsoft has disclosed its intention to phase out NTLM authentication in Windows 11, moving to Kerberos with new fallback mechanisms in place.
The tech giant continues to prioritize security in Windows, which is used by over a billion users. Last year, the company announced the removal of SMB1 from Windows 11 Home, and it now plans to move away from NT LAN Manager (NTLM) user authentication in favor of Kerberos.
In an article released on October 11, 2023, Microsoft noted that Kerberos has been the default authentication protocol on Windows for over two decades. However, recognizing that Kerberos has limitations in certain situations that still necessitate NTLM, Microsoft is actively working on new fallback mechanisms in Windows 11, including Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos.
NTLM remains relevant because of its advantages: it does not depend on a local network connection to a Domain Controller (DC), and it does not require knowledge of the target server's identity. Developers often choose NTLM because it is easy to hard-code into applications and services without considering more secure and extensible protocols like Kerberos. However, when NTLM is hard-coded into applications, the security enhancements of Kerberos cannot be leveraged, which creates challenges for organizations seeking to move away from the legacy protocol.
To work around the limitations of Kerberos and make it a better choice for developers and corporate organizations, Microsoft is launching new features in Windows 11 that make modern protocols a better option for applications and services.
The first change is IAKerb, a public extension that enables authentication with a Domain Controller (DC) via an intermediary server that has line-of-sight access to the infrastructure. IAKerb uses the Windows authentication stack to proxy Kerberos requests, so the client application does not need direct access to the DC. Messages are cryptographically protected in transit, which makes IAKerb suitable for remote authentication scenarios.
Additionally, a local Key Distribution Center (KDC) for Kerberos has been introduced to support local accounts. This solution combines IAKerb and the local machine's Security Account Manager (SAM) to enable message exchange between remote local machines without relying on DNS, netlogon, or DCLocator. Notably, it does not require opening new communication ports, and traffic is encrypted with the Advanced Encryption Standard (AES) block cipher.
In forthcoming NTLM deprecation updates, Microsoft plans to modify Windows components that previously relied on hard-coded NTLM usage. Instead, they will use the Negotiate protocol so that they benefit from IAKerb and the local KDC for Kerberos. NTLM will remain a supported fallback mechanism to ensure compatibility with existing systems.
Concurrently, Microsoft is strengthening NTLM management controls to give organizations better visibility into NTLM usage within their infrastructure. This will grant them finer-grained control over disabling the protocol for specific services.
The ultimate objective is to disable NTLM by default in Windows 11, contingent on telemetry data supporting the transition. In the interim, Microsoft advises organizations to monitor NTLM usage, scrutinize code that hard-codes this legacy protocol, and stay informed about subsequent updates regarding these changes.
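As an added example of the monitoring step above (this is not Microsoft's code), the following PowerShell script inventories NTLM usage on a single Windows host: it reads the "Network security: Restrict NTLM" policy values, lists successful logons that used the NTLM package, and shows any "would be blocked" audit records. It assumes an elevated session with read access to the Security log; the 5000-event limit is an arbitrary cap chosen here.

```powershell
# Added example (not Microsoft's code): inventory NTLM usage on one Windows host.
# Run in an elevated PowerShell session; the Security log requires admin rights.

# 1. Current "Network security: Restrict NTLM" policy values under the LSA MSV1_0 key.
#    A missing value means the policy is not configured (default: NTLM allowed, no audit).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$meaning = @{
    AuditReceivingNTLMTraffic    = '0=off, 1=audit domain accounts, 2=audit all accounts'
    RestrictReceivingNTLMTraffic = '0=allow all, 1=deny domain accounts, 2=deny all'
    RestrictSendingNTLMTraffic   = '0=allow all, 1=audit all, 2=deny all'
}
$props = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
foreach ($name in $meaning.Keys) {
    $value = if ($null -ne $props.$name) { $props.$name } else { 'not configured' }
    '{0,-30} {1,-16} ({2})' -f $name, $value, $meaning[$name]
}

# 2. Successful logons (event 4624) that used the NTLM package, grouped by user,
#    source workstation and NTLM version (LmPackageName distinguishes V1 from V2).
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"
$ntlmLogons = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Workstation = $d.WorkstationName
            SourceIp    = $d.IpAddress
            Package     = $d.LmPackageName
        }
    }
$ntlmLogons | Group-Object User, Workstation, Package |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. "Would be blocked" audit records, written once the Restrict NTLM audit policies are on.
#    8001 = outgoing NTLM (this host as client), 8002 = incoming NTLM (this host as server).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Running the script before and after enabling the audit policies shows which users, hosts and applications still fall back to NTLM, which is the input needed for the code review Microsoft recommends.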
Please let us know your thoughts on this in the comment section.