Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label NTLM phase-out. Show all posts
Windows security update
Kerberos authentication Microsoft NTLM deprecation NTLM authentication NTLM phase-out Technology Windows security update

Microsoft Outlines Three-Stage Plan to Disable NTLM and Strengthen Windows Security

 

Microsoft has detailed a structured, three-phase roadmap to gradually retire New Technology LAN Manager (NTLM), reinforcing its broader push toward more secure, Kerberos-based authentication within Windows environments.

The announcement follows Microsoft’s earlier decision to deprecate NTLM, a legacy authentication mechanism that has long been criticized for its security shortcomings. Officially deprecated in June 2024, NTLM no longer receives updates, as its design leaves systems vulnerable to relay attacks and unauthorized access.

"NTLM consists of security protocols originally designed to provide authentication, integrity, and confidentiality to users," Mariam Gewida, Technical Program Manager II at Microsoft, explained. "However, as security threats have evolved, so have our standards to meet modern security expectations. Today, NTLM is susceptible to various attacks, including replay and man-in-the-middle attacks, due to its use of weak cryptography."

Despite its deprecated status, Microsoft acknowledged that NTLM remains widely used across enterprise networks. This is largely due to legacy applications, infrastructure constraints, and deeply embedded authentication logic that make migration difficult. Continued reliance on NTLM increases exposure to threats such as replay, relay, and pass-the-hash attacks.

To address these risks without disrupting critical systems, Microsoft has introduced a phased strategy aimed at eventually disabling NTLM by default.

Phase 1 focuses on improving visibility and administrative control by expanding NTLM auditing capabilities. This helps organizations identify where NTLM is still in use and why. This phase is already available.

Phase 2 aims to reduce migration barriers by introducing tools such as IAKerb and a local Key Distribution Center (KDC), while also updating core Windows components to favor Kerberos authentication. These changes are expected to roll out in the second half of 2026.

Phase 3 will see NTLM disabled by default in the next release of Windows Server and corresponding Windows client versions. Organizations will need to explicitly re-enable NTLM using new policy controls if required.

Microsoft described the move as a key milestone toward a passwordless and phishing-resistant ecosystem. The company urged organizations that still depend on NTLM to audit usage, identify dependencies, transition to Kerberos, test NTLM-disabled configurations in non-production environments, and enable Kerberos enhancements.

"Disabling NTLM by default does not mean completely removing NTLM from Windows yet," Gewida said. "Instead, it means that Windows will be delivered in a secure-by-default state where network NTLM authentication is blocked and no longer used automatically."

"The OS will prefer modern, more secure Kerberos-based alternatives. At the same time, common legacy scenarios will be addressed through new upcoming capabilities such as Local KDC and IAKerb (pre-release)."


Read more »
Subscribe to: Comments (Atom)