CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Identity & Access

Microsoft Improving Windows Authentication, Disabling NTLM

Microsoft is adding new features to the Kerberos protocol, to eliminate the use of NTLM for Windows authentication.

Microsoft is pushing for more secure Windows authentication with new features for Kerberos that would eventually eliminate the use of the NTLM protocol.

A challenge-response authentication protocol, NTLM (New Technology LAN Manager) is meant to provide authentication, integrity, and confidentiality, but NTLM is prone to relay attacks and passwords can be brute-forced easily using modern hardware, making the protocol weak.

Kerberos, which builds on symmetric-key cryptography and provides better security guarantees compared to NTLM, has been the default Windows authentication protocol since Windows 2000.

However, Microsoft’s operating system continues to use both NTLM and Kerberos, mainly because the latter cannot be used in certain scenarios, leading to the operating system falling back to the former.

Now, Microsoft says it is working on two new features for Kerberos to cover these scenarios and eliminate the need to use NTLM, thus improving “the security bar of authentication for all Windows users”.

The first feature, Initial and Pass Through Authentication Using Kerberos (IAKerb), is a public extension that “allows a client without line-of-sight to a Domain Controller to authenticate through a server that does have line-of-sight”, Microsoft explains.

With IAKerb, Kerberos messages are proxied to the server on behalf of the client, and the same cryptographic security guarantees that the protocol offers are used to protect the messages in transit, to prevent replay or relay attacks.

“This type of proxy is useful in firewall segmented environments or remote access scenarios,” Microsoft says.

Advertisement. Scroll to continue reading.

The second feature, a local Key Distribution Center (KDC) for Kerberos, relies on the local machine’s Security Account Manager to offer remote authentication of local user accounts via Kerberos.

“This leverages IAKerb to allow Windows to pass Kerberos messages between remote local machines without having to add support for other enterprise services like DNS, Netlogon, or DCLocator. IAKerb also does not require us to open new ports on the remote machine to accept Kerberos messages,” Microsoft notes.

“Authentication through the local KDC uses AES out of the box improving the security of local authentication,” the tech giant also explains.

Additionally, Microsoft is updating those Windows components with NTLM built-in, to shift them into using the Negotiate protocol, thus Kerberos and IAKerb and local KDC. In most cases, these changes will not require configuration, and NTLM will remain as a fallback option.

Microsoft also says it is extending management controls so that administrators can better track and block NTLM usage in their environments, such as service information on existing event viewer logs for NTLM requests, and granular policies at the service level.

“Reducing the use of NTLM will ultimately culminate in it being disabled in Windows 11. We are taking a data-driven approach and monitoring reductions in NTLM usage to determine when it will be safe to disable,” Microsoft notes.

The tech giant is encouraging customers to use the new enhanced controls to prepare for the disablement of NTLM. The same controls, the company notes, will allow customers to reenable NTLM for compatibility reasons, if necessary.

Microsoft also recommends cataloging NTLM use, to learn what applications and services may prevent disabling the protocol, and auditing code for hardcoded usage of NTLM.

Related: Microsoft Makes SMB Signing Default Requirement in Windows 11 to Boost Security

Related: Microsoft Offers Up to $15,000 in New AI Bug Bounty Program

Related: Microsoft Adding New Security Features to Windows 11

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...