Microsoft has announced this Plans To eliminate NT LAN Manager (NTLM) in Windows 11 in the future, as it focuses on alternative methods of authentication and enhanced security.
“The focus is on enhancing the Kerberos authentication protocol, which has been the default since 2000, and reducing reliance on NT LAN Manager (NTLM),” the tech giant said. “New features of Windows 11 include raw authentication, pass-through authentication using Kerberos (IAKerb), and a local key distribution center (Center for Disease Control) for Kerberos.”
IAKerb enables clients to authenticate with Kerberos across a variety of network topologies. The second feature, Kerberos Local Key Distribution Center (KDC), extends Kerberos support for local accounts.
NTLM was first introduced in the 1990s A set of security protocols It aims to provide authentication, integrity and confidentiality to users. It is a single sign-on (SSO) tool based on a challenge response protocol that proves to the server or domain controller that the user knows the password associated with the account.
It has since been replaced by another authentication protocol called Kerberos since the release of Windows 2000, although NTLM continues to be used as a fallback mechanism.
“The main difference between NTLM and Kerberos is how the two protocols manage authentication. NTLM relies on a three-way handshake between client and server to authenticate the user,” CrowdStrike Notes. “Kerberos uses a two-part process that leverages a ticket granting service or key distribution center.”
Another important distinction is that while NTLM relies on password hashing, Kerberos makes use of encryption.
Besides NTLM Latent security vulnerabilities,The technology has become vulnerable to relay attacks, which may allow bad actors Intercepting authentication attempts And earn Unauthorized entry for network resources.
Microsoft said it is also working to address hard-coded instances of NTLM in its components in preparation for the transition to eventually disabling NTLM in Windows 11, adding that it is making improvements that encourage the use of Kerberos instead of NTLM.
“All of these changes will be enabled by default and will not require configuration for most scenarios,” said Matthew Balko, Microsoft’s chief product management officer for enterprise and security. “NTLM will remain available as an alternative to maintain current compatibility.”