Microsoft Retiring NTLM FINALLY

Posted on Sunday, Oct 22, 2023 by Ned Bellavance

Featured in this episode of Tech News of the Week

For those not deeply steeped in the Microsoft ecosystem, NTLM, or NT LAN Manager, is an authentication system used between two Windows systems that may not otherwise share a common authentication authority. As the NT in its name implies, the protocol has been around since the Windows NT days, before the advent of Kerberos and Active Directory.

NTLM has also been the source of countless vulnerabilities and hacks over the last two decades, and despite Kerberos being the default authentication protocol since Windows 2000, somehow NTLM has stuck around, because Microsoft. Indeed, many applications and services hardcoded NTLM into their stack, causing them to break if an organization chose to disable NTLM.

Kerberos, as implemented by Microsoft, assumes line-of-sight to a domain controller for authentication, making it unsuitable for many use cases. Starting in future versions of Windows 11, Microsoft will be rolling out IAKerb and a local KDC, which remove the line-of-sight requirement for domain controllers and supplant the need to use NTLM at all. Future versions of Windows may start shipping with NTLM disabled or wholly deprecated, so administrators are encouraged to start taking stock of apps using NTLM and plan accordingly.
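One way to start that inventory, as an added example that is not from the original post: a PowerShell script that pulls NTLM logons out of a host's Security log (event 4624) and groups them by NTLM version, source workstation and account, so you can see what would break if NTLM were switched off. It assumes the Audit Logon success subcategory is enabled (the Windows default) and runs in an elevated session; the `-Days` window and the CSV output path are the script's own assumptions.

```powershell
# Added example (not from the original post): inventory NTLM logons from
# Security event 4624 so the clients, accounts and NTLM versions that still
# depend on NTLM can be planned for before it is disabled.
param(
    [int]$Days = 7,                                   # assumed look-back window
    [string]$OutCsv = "$env:TEMP\ntlm-inventory.csv"  # assumed output path
)

$since  = (Get-Date).AddDays(-$Days)
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $since }

# Read each event's XML payload and keep only the NTLM ones.
$rows = foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # 4624 names the SSP in AuthenticationPackageName; for NTLM the
    # LmPackageName field says whether LM, NTLM V1 or NTLM V2 was used.
    if ($d['AuthenticationPackageName'] -ne 'NTLM') { continue }

    [pscustomobject]@{
        Time        = $ev.TimeCreated
        User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType   = $d['LogonType']          # 3 = network, 10 = RDP, etc.
        NtlmVersion = $d['LmPackageName']      # LM / NTLM V1 / NTLM V2
        Workstation = $d['WorkstationName']
        SourceIp    = $d['IpAddress']
        Process     = $d['ProcessName']        # "-" for most network logons
    }
}

# Summarise: which sources and accounts still negotiate NTLM, and which
# version. LM and NTLM V1 entries are the ones to remediate first.
$rows | Group-Object NtlmVersion, Workstation, User |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Keep the raw records for the application owners who need to migrate.
$rows | Export-Csv -Path $OutCsv -NoTypeInformation
Write-Host "Wrote $($rows.Count) NTLM logon records to $OutCsv"
```

Running it on domain controllers and on application servers gives the broadest view, since network logons (type 3) land in the log of the host being authenticated to, not the client.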

NTLM has always been fairly insecure, and authentication has largely moved on to better models. Security conscious organizations disabled NTLM on the domain as soon as they could, and now it seems Microsoft will do the same for everyone else. As Lizzo said, “it’s about damn time”.

As a quick aside, VBScript is also being removed from future Windows releases. If we’re talking attack vectors for Windows, NTLM and VBScript are like peanut butter and chocolate.