Microsoft Officially Deprecates NTLM Authentication Protocol in Windows

by | Jun 21, 2024 | Microsoft, Threat Discovery

NTLM Deprecated

Microsoft Officially Deprecates NTLM Authentication Protocol in Windows

In a recent announcement, Microsoft has declared the NTLM (NT LAN Manager) authentication protocol officially obsolete. This move, though seemingly drastic considering Windows’ well-known backward compatibility, has been anticipated for some time. Both Microsoft and its employees have been hinting at this shift since October 2023 through various channels.

Figure 1: Microsoft Declares NTLM Authentication Protocol Obsolete

This announcement was highlighted in a talk by Steve Syfuhs, Principal Engineer at Microsoft, and in a blog post by Matthew Palko on the Microsoft blog. Both discussed the evolution of authentication in Windows and how NTLM is being superseded by Kerberos. NTLM has long been a significant security concern, necessitating fortification measures in Windows to mitigate risks.

It was on June 11, 2024, that Microsoft officially added NTLM to the deprecated features list for Windows, signaling the end of its active maintenance in favor of protocols like Kerberos. While NTLM will continue to function in the upcoming versions of Windows Server and the next annual Windows update, the recommendation is to prioritize Kerberos authentication wherever possible. NTLM will only be used when absolutely necessary.

ntlm-deprecated

Figure 3: NTLM Listed as a Deprecated Feature in Windows

NTLM Functionality and Risks

NTLM, which had a predecessor in LM (LAN Manager), has always been problematic. LM, created in 1987 during the development of OS/2 by Microsoft and IBM, was plagued by vulnerabilities, particularly its hash algorithm.

Creating LM hashes involved several restrictions: passwords were limited to 14 characters, converted to uppercase, and segmented into two 7-character hashes, making them susceptible to brute-force attacks. NTLM, which succeeded LM in 1993 with Windows NT 3.1, used a challenge-response mechanism to authenticate users. Here’s how NTLM works:

  1. NEGOTIATE_MESSAGE: The client initiates a negotiation with the server, announcing its security capabilities.
  2. CHALLENGE_MESSAGE: The server responds with a nonce (random number) for the client to encrypt using the hash of its password.
  3. AUTHENTICATE_MESSAGE: The client sends the encrypted nonce along with other authentication data.
    • In an Active Directory environment, the server forwards this data to the domain controller for verification.
  4. Verification: The domain controller verifies the response and informs the server, which either authenticates the user or returns an error.

This process never directly uses the user’s password, only its NTLM hash stored in the Security Account Manager (SAM). However, due to the lack of “salting” and the equivalence of the NTLM hash to the password, the PassTheHash attack remains viable. This attack allows an intruder with the NTLM hash to authenticate without needing the plaintext password.

Transition to Kerberos

Kerberos, developed by MIT in 1989, is an open-source authentication protocol supported by a large community, including Microsoft. Unlike NTLM’s challenge-response, Kerberos uses a ticket-based system for authentication, involving components like the Key Distribution Center (KDC), Authentication Server (AS), and Ticket Granting Server (TGS).

Kerberos aims to be the universal authentication platform for networks globally. It is the default authentication protocol, while NTLM is used in specific scenarios like workgroup configurations, local authentication on non-domain controllers, or applications that do not support other protocols.

Using tools like a Fortianalyzer, you can determine whether Kerberos or NTLM is in use. Authorization headers starting with “YII” indicate Kerberos, while those starting with “TlR” indicate NTLM.