Windows 11 is set to kill off NTLM authentication, a legacy authentication protocol that is considered to be insecure. NTLM has been around for decades and is used by many applications and services, but it has several vulnerabilities that have been exploited by attackers.
Microsoft is working to replace Windows 11’s NTLM authentication with Kerberos
Microsoft is working to replace NTLM with more secure authentication protocols, such as Kerberos and TLS. In Windows 11, NTLM authentication will be disabled by default for Remote Procedure Call (RPC) traffic. This means that applications and services that use NTLM for RPC will need to be updated to use a more secure authentication protocol.
Microsoft has been encouraging customers to migrate to Kerberos for many years, but NTLM is still widely used in many environments. This is because some older applications and devices do not support Kerberos.
Kerberos is a network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It uses a trusted third party, called the Key Distribution Center (KDC), to authenticate clients and servers. The KDC then issues tickets that prove the identity of clients and servers, allowing secure communication and preventing unauthorized access.
Microsoft is working on new features for Windows 11 that will make it easier for customers to disable NTLM authentication. These features include:
- Initial and Pass-Through Authentication Using Kerberos (IAKerb): This feature will allow Kerberos authentication to be used in cases where NTLM is currently used, such as when logging on to a domain controller or accessing a file share.
- Local Key Distribution Center (KDC) for Kerberos: This feature will allow Kerberos authentication to be used even when there is no connection to a domain controller.
Microsoft has not yet announced a specific date for when NTLM authentication will be disabled in Windows 11 by default. However, they have stated that they will take a data-driven approach and monitor reductions in NTLM usage to determine when it is safe to do so.
In the meantime, customers can use the enhanced controls that Microsoft is providing to get a head start on disabling NTLM authentication. Once NTLM is disabled by default, customers will also be able to use these controls to re-enable it for compatibility reasons.
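The "data-driven approach" the article describes is something an administrator can practise locally today, before the new Windows 11 controls ship: switch the existing Restrict NTLM policies to audit mode, watch what still authenticates with NTLM, and only then move to deny. The script below is an added example, not code from the article or from Microsoft. It assumes the documented "Network security: Restrict NTLM" registry values under MSV1_0, the LmCompatibilityLevel value under Lsa, and the Microsoft-Windows-NTLM/Operational log with event IDs 8001 to 8004; none of these are named on the page, and the new enhanced controls the article mentions are not used here. Run it elevated on the host you are assessing.

```powershell
# Added example (not from the article or Microsoft). Uses the long-standing
# Restrict NTLM policy values and the NTLM Operational log, which are assumed
# to be present on a supported Windows 10/11 build. Run elevated.

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'

# 1. Where does this host stand today? Missing values mean "not configured",
#    which for these policies behaves like "allow everything, audit nothing".
function Get-NtlmPosture {
    $read = { param($Key, $Name)
        (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name }
    [pscustomobject]@{
        LmCompatibilityLevel         = & $read $lsa   'LmCompatibilityLevel'          # 5 = send NTLMv2 only, refuse LM and NTLMv1
        RestrictSendingNTLMTraffic   = & $read $msv10 'RestrictSendingNTLMTraffic'   # 0 allow, 1 audit, 2 deny
        RestrictReceivingNTLMTraffic = & $read $msv10 'RestrictReceivingNTLMTraffic' # 0 allow, 1 deny domain accounts, 2 deny all
        AuditReceivingNTLMTraffic    = & $read $msv10 'AuditReceivingNTLMTraffic'    # 0 off, 1 domain accounts, 2 all accounts
    }
}

# 2a. Stage A: audit only. Nothing breaks, but every NTLM use is logged.
function Set-NtlmAuditMode {
    Set-ItemProperty -Path $msv10 -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord
    Set-ItemProperty -Path $msv10 -Name 'AuditReceivingNTLMTraffic'  -Value 2 -Type DWord
    Set-ItemProperty -Path $lsa   -Name 'LmCompatibilityLevel'       -Value 5 -Type DWord
}

# 2b. Stage B: deny. Apply only once the usage report below has gone quiet.
function Set-NtlmDenyMode {
    Set-ItemProperty -Path $msv10 -Name 'RestrictSendingNTLMTraffic'   -Value 2 -Type DWord
    Set-ItemProperty -Path $msv10 -Name 'RestrictReceivingNTLMTraffic' -Value 2 -Type DWord
}

# 3. The data: who still speaks NTLM, and from which side of the conversation.
#    8001 = outbound NTLM from this host, 8002 = inbound NTLM to this host,
#    8003/8004 = NTLM authentication observed on a domain controller.
function Get-NtlmUsageReport {
    param([int]$Days = 7, [int]$Top = 15)
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning 'No NTLM audit events found. Is audit mode enabled and the log turned on?'
        return
    }

    # Per-ID counts: a quick view of whether the remaining NTLM is this host
    # reaching out (8001) or legacy clients reaching in (8002).
    $events | Group-Object Id | Select-Object Name, Count | Sort-Object Name | Format-Table -AutoSize

    # Rank the distinct (process, user, target) combinations. The EventData
    # field names are read from the event XML rather than assumed, so the
    # output names the legacy dependency without depending on field order.
    $events | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = $xml.Event.EventData.Data | ForEach-Object { "$($_.Name)=$($_.'#text')" }
        [pscustomobject]@{ Id = $_.Id; Key = ($data -join '; ') }
    } |
        Group-Object Key |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name |
        Format-Table -AutoSize -Wrap
}

Get-NtlmPosture
Get-NtlmUsageReport -Days 7
```

In a domain these same values are normally delivered by Group Policy under Security Options as "Network security: Restrict NTLM: ..." and "Network security: LAN Manager authentication level", and a GPO refresh will overwrite anything set locally, so treat the Set-* functions as a lab or single-host aid and push the production change through policy. The useful discipline is the order: audit, read the report until the top entries are explained or migrated to Kerberos, then deny; the deny stage is exactly what Microsoft says it will eventually apply by default.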