Article Details

Scrape Timestamp (UTC): 2024-06-06 12:06:20.617

Source: https://www.theregister.com/2024/06/06/microsoft_deprecates_ntlm/

Original Article Text


Microsoft shows venerable and vulnerable NTLM security protocol the door

Time to get moving if you still rely on this deprecated feature.

Microsoft has finally decided to add the venerable NTLM authentication protocol to the Deprecated Features list. The announcement means that admins dragging their feet on moving to something more secure must start making plans.

Active feature development for all versions of NTLM (NT LAN Manager) has now ceased, although the protocol will linger for a while. Microsoft said: "Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows."

"Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary."

The writing has been on the wall for NTLM for some time. Microsoft was blunt in its assessment in October 2023, although it acknowledged that there were still things that could not be done with Kerberos. It stated: "Our end goal is eliminating the need to use NTLM at all."

Handy, because the company broke the authentication protocol for some users with the April 2024 security update. NTLM traffic could suddenly spike after the update was installed on domain controllers. Although Microsoft resolved the issue in the May 14 update, the incident will have reminded affected organizations to catalog their NTLM use.

As Reg readers know, NTLM first turned up in 1993 with Windows NT 3.1. It is a basic challenge-and-response system in which a user proves who they are via a password. It doesn't need a local connection to a Domain Controller and works even when the target server is unknown. However, its many vulnerabilities, including some rather weak encryption, have made it a target for attackers. NTLM's relative convenience has resulted in it being hardcoded into several applications, including some Windows components.

Microsoft made Kerberos the default Windows authentication protocol in 2000, but the operating system could still fall back to NTLM in scenarios where Kerberos could not be used. Microsoft has since worked to remove or mitigate those scenarios, including dealing with Windows components hardcoded to use NTLM. It said: "We are taking a data-driven approach and monitoring reductions in NTLM usage to determine when it will be safe to disable." The addition of the protocol to the Deprecated Features list means that time is fast approaching.
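The article twice points admins at the same homework: catalog where NTLM is still used before it is switched off. The script below is an added example, not Microsoft's tooling or anything from the article; it assumes an elevated PowerShell 5.1+ session on a domain-joined Windows host, and uses Windows' own "Restrict NTLM" audit registry values and the Microsoft-Windows-NTLM/Operational log to produce that inventory.

```powershell
# Added example: inventory NTLM use on a Windows host so it can be migrated to
# Negotiate/Kerberos. Assumes an elevated session; registry names/values below
# are the documented "Restrict NTLM" audit settings (assumption: unchanged on
# the reader's OS build), and the event log name and IDs are Windows' own.

# Step 1: turn on NTLM auditing. Equivalent to the Group Policy settings
# "Network security: Restrict NTLM: Audit Incoming NTLM Traffic" = all accounts
# and "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" = Audit all.
function Enable-NtlmAudit {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    Set-ItemProperty -Path $lsa -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
    Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
}

# Step 2: read what was audited. 8001 = this host sent NTLM to a remote server,
# 8002 = this host received NTLM, 8003 = NTLM to a domain resource,
# 8004 = domain-controller-side audit of NTLM authentication (DCs only).
function Get-NtlmUsageSummary {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Collect every <Data Name="..."> element dynamically, so no per-event
        # field name has to be assumed; the Fields column is what gets triaged.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        if ($xml.Event.EventData) {
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id
            Fields = ($data.GetEnumerator() | Sort-Object Name |
                      ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}

# Typical use: enable auditing, let a normal business cycle pass, then count
# events per ID and review the Fields column for the clients and targets involved.
Enable-NtlmAudit
Get-NtlmUsageSummary -Days 7 |
    Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Run it on domain controllers as well as member servers: the 8004 events only appear on DCs, and they are the ones that reveal which accounts and workstations still fall back to NTLM domain-wide.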

Daily Brief Summary

MISCELLANEOUS // Microsoft to Phase Out Outdated NTLM Security Protocol

Microsoft has officially marked the NTLM authentication protocol as a deprecated feature, urging a shift to more secure authentication methods.

The protocol, first introduced in 1993 with Windows NT 3.1, is notorious for its vulnerabilities and weak encryption.

NTLM will still function in upcoming releases of Windows Server and Windows, but developers are encouraged to transition to using Negotiate with Kerberos.

The use of NTLM spiked unexpectedly due to issues caused by a security update in April 2024, which was corrected in a subsequent update.

Despite being replaced as the default by Kerberos in 2000, NTLM remains hardcoded in some applications and Windows components, posing ongoing security risks.

Microsoft is applying a data-driven methodology to monitor NTLM usage declines, aiming to eventually disable the protocol entirely.

Organizations still using NTLM due to compatibility issues are advised to catalog their usage and plan their transition strategies urgently.