
Windows 11, new Kerberos authentication system to overcome NTLM

NTLM (New Technology LAN Manager) is an authentication protocol developed by Microsoft for Windows operating systems. It dates back to the days of Windows NT, yet it is still widely used today. Beyond the acronym, NTLM is used for user authentication and therefore to control access to network resources such as shared folders or printers. Although it can also be used for authentication on Windows domains and for directory services, Microsoft has been trying to phase it out because of the intrinsic security weaknesses from which the protocol suffers.

In another article we saw what NTLM is, how it works and what types of cyber attacks can be used to recover users' passwords and take over other people's digital identities.

We said that Microsoft discourages the use of NTLM in favour of more modern and secure authentication protocols, such as Kerberos. While adopting Kerberos should by now be almost a given for IT administrators, Microsoft notes that the authentication mechanisms used by professionals and private users also need to evolve.

Evolve the authentication system on Windows 11

Kerberos has been the default authentication protocol for Windows since 2000, but there are still scenarios where it cannot be used and where the operating system falls back to NTLM. Matthew Palko explains that Microsoft engineers are working on new, more advanced authentication features for Windows 11: Initial and Pass Through Authentication with Kerberos (IAKerb) and a local Kerberos Key Distribution Center (KDC).

NTLM has advantages that made it popular in the past: it does not require the system to be connected to a domain controller, it is the only protocol supported when using local accounts, and it works even when the destination server is not known in advance.

Palko notes that these benefits led the developers of many applications and services to hardcode NTLM rather than rely on more modern and secure authentication protocols like Kerberos. Given the intrinsic problems of NTLM, companies can certainly block the protocol, but they then risk running into problems with applications that have NTLM hardcoded inside them.
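Before blocking NTLM, an administrator would want an inventory of who still uses it. The following is an added example, not code from the article or from Microsoft: it reads Windows Security event 4624 (successful logon) data flattened into key=value lines using the EventData field names Windows emits, skips Kerberos logons, and lists every account/workstation pair still authenticating with NTLM, flagging NTLMv1. The sample lines are constructed, and the flattened-export format is an assumption.

```python
"""Inventory remaining NTLM logons from Windows Security event 4624 data.

Added example, not from the article. Assumes 4624 events flattened to one
key=value line each, using the EventData field names Windows emits
(TargetUserName, AuthenticationPackageName, LmPackageName, ...).
"""
import shlex
from collections import defaultdict

# Constructed sample lines, not real telemetry.
SAMPLE_EVENTS = """\
TargetUserName=alice TargetDomainName=CORP LogonType=3 AuthenticationPackageName=Kerberos LmPackageName=- WorkstationName=WS01 IpAddress=10.0.1.20
TargetUserName=svc_backup TargetDomainName=CORP LogonType=3 AuthenticationPackageName=NTLM LmPackageName="NTLM V2" WorkstationName=APP01 IpAddress=10.0.2.5
TargetUserName=svc_backup TargetDomainName=CORP LogonType=3 AuthenticationPackageName=NTLM LmPackageName="NTLM V2" WorkstationName=APP01 IpAddress=10.0.2.5
TargetUserName=legacyapp TargetDomainName=FILESRV LogonType=3 AuthenticationPackageName=NTLM LmPackageName="NTLM V1" WorkstationName=OLDBOX IpAddress=10.0.3.9
TargetUserName=bob TargetDomainName=CORP LogonType=2 AuthenticationPackageName=Kerberos LmPackageName=- WorkstationName=WS02 IpAddress=-
"""


def parse_event(line):
    """One flattened key=value line -> dict; shlex keeps quoted values whole."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))


def ntlm_inventory(text):
    """Map (DOMAIN\\user, workstation) -> {"count", "v1"} for NTLM logons only.
    Kerberos logons are skipped (the desired state). LmPackageName is filled
    only for NTLM and exposes NTLMv1, which should be retired first."""
    inventory = defaultdict(lambda: {"count": 0, "v1": False})
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        key = (f"{ev['TargetDomainName']}\\{ev['TargetUserName']}", ev["WorkstationName"])
        inventory[key]["count"] += 1
        if ev.get("LmPackageName", "").upper() == "NTLM V1":
            inventory[key]["v1"] = True
    return dict(inventory)


if __name__ == "__main__":
    # Review this list before enabling an NTLM block: every entry is an
    # account/host pair that will break unless it is moved to Kerberos.
    for (who, host), info in sorted(ntlm_inventory(SAMPLE_EVENTS).items()):
        flag = " (NTLMv1)" if info["v1"] else ""
        print(f"{who:20} from {host:8} x{info['count']}{flag}")
```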

Kerberos, for its part, requires access to a domain controller and explicit information about the destination server. These requirements cannot always be met, which causes authentication failures if NTLM is not available.

IAKerb and Key Distribution Center for Kerberos: what they are and how they work

Microsoft explains that Windows 11 is about to gain a couple of new security features aimed precisely at improving the user authentication mechanism. IAKerb, already mentioned above, is an extension of the Kerberos protocol that allows a client that cannot reach a domain controller to authenticate through a server it can reach directly.

The mechanism relies on the cryptographic guarantees that Kerberos offers and protects messages in transit, preventing replay and relay attacks.

The second innovation Microsoft refers to, the local KDC (Key Distribution Center), is an epochal change. The local KDC makes it possible to use Kerberos authentication with local accounts. Windows 11 thus becomes able to pass Kerberos messages even between local machines without the need to add dedicated systems.

There is also a mea culpa between the lines of the article published by Microsoft: Palko says that the Redmond company is also removing instances of NTLM hardcoded in the operating system's own components. In other words, it is not just third-party developers who have used that practice.
