Microsoft is pushing for more secure Windows authentication with new features for Kerberos that would eventually eliminate the use of the NTLM protocol.
NTLM (New Technology LAN Manager), a challenge-response authentication protocol, is meant to provide authentication, integrity, and confidentiality, but it is prone to relay attacks and its passwords can be brute-forced easily using modern hardware, which makes the protocol weak.
Kerberos, which builds on symmetric-key cryptography and provides better security guarantees compared to NTLM, has been the default Windows authentication protocol since Windows 2000.
However, Microsoft’s operating system continues to use both NTLM and Kerberos, mainly because the latter cannot be used in certain scenarios, leading to the operating system falling back to the former.
Now, Microsoft says it is working on two new features for Kerberos to cover these scenarios and eliminate the need to use NTLM, thus improving “the security bar of authentication for all Windows users”.
The first feature, Initial and Pass Through Authentication Using Kerberos (IAKerb), is a public extension that “allows a client without line-of-sight to a Domain Controller to authenticate through a server that does have line-of-sight”, Microsoft explains.
With IAKerb, Kerberos messages are proxied to the server on behalf of the client, and the same cryptographic security guarantees that the protocol offers are used to protect the messages in transit, to prevent replay or relay attacks.
“This type of proxy is useful in firewall segmented environments or remote access scenarios,” Microsoft says.
The second feature, a local Key Distribution Center (KDC) for Kerberos, relies on the local machine’s Security Account Manager to offer remote authentication of local user accounts via Kerberos.
“This leverages IAKerb to allow Windows to pass Kerberos messages between remote local machines without having to add support for other enterprise services like DNS, Netlogon, or DCLocator. IAKerb also does not require us to open new ports on the remote machine to accept Kerberos messages,” Microsoft notes.
“Authentication through the local KDC uses AES out of the box improving the security of local authentication,” the tech giant also explains.
Additionally, Microsoft is updating the Windows components that have NTLM built in so that they use the Negotiate protocol, and through it Kerberos with IAKerb and the local KDC. In most cases these changes will not require configuration, and NTLM will remain available as a fallback option.
Microsoft also says it is extending management controls so that administrators can better track and block NTLM usage in their environments, including service information in the existing Event Viewer logs for NTLM requests, and granular policies at the service level.
“Reducing the use of NTLM will ultimately culminate in it being disabled in Windows 11. We are taking a data-driven approach and monitoring reductions in NTLM usage to determine when it will be safe to disable,” Microsoft notes.
The tech giant is encouraging customers to use the new enhanced controls to prepare for the disablement of NTLM. The same controls, the company notes, will allow customers to re-enable NTLM for compatibility reasons, if necessary.
Microsoft also recommends cataloging NTLM use, to learn what applications and services may prevent disabling the protocol, and auditing code for hardcoded usage of NTLM.
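One way to start that cataloging today, as an added example and not Microsoft's own tooling: a PowerShell snippet that reads successful-logon events (Security log, event ID 4624), keeps those whose authentication package is NTLM, and tallies them by account, workstation and NTLM version so the sources of NTLM fallback can be tracked down. It assumes it runs with rights to read the Security log and that the log retains enough history for the chosen window.

```powershell
# Tally NTLM logons recorded in Security event 4624 over the last $Days days.
# Field names used below (AuthenticationPackageName, LmPackageName, TargetUserName,
# TargetDomainName, WorkstationName, IpAddress, LogonType) are the event's own
# EventData fields; the grouping and output format are this example's choice.
param([int]$Days = 7)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction Stop

$ntlmLogons = foreach ($e in $events) {
    # Parse the event XML so fields can be read by name rather than by position
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }

    if ($data['AuthenticationPackageName'] -eq 'NTLM') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LmPackage   = $data['LmPackageName']   # e.g. 'NTLM V1' or 'NTLM V2'
            Workstation = $data['WorkstationName']
            Source      = $data['IpAddress']
            LogonType   = $data['LogonType']       # 3 = network, 10 = RDP, ...
        }
    }
}

# Most frequent NTLM (account, workstation, version) combinations first:
# these are the candidates to move to Kerberos before NTLM is disabled.
$ntlmLogons |
    Group-Object Account, Workstation, LmPackage |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Any 'NTLM V1' rows deserve attention first, since that variant is weaker than NTLMv2 and is the easier one to retire.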