

Oct 14, 2023 | Newsroom | Authentication / Endpoint Security


Microsoft has announced that it plans to eliminate NT LAN Manager (NTLM) in Windows 11 in the future, as it pivots to alternative methods for authentication and bolsters security.

“The focus is on strengthening the Kerberos authentication protocol, which has been the default since 2000, and reducing reliance on NT LAN Manager (NTLM),” the tech giant said. “New features for Windows 11 include Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos.”


IAKerb enables clients to authenticate with Kerberos across a diverse range of network topologies. The second feature, a local Key Distribution Center (KDC) for Kerberos, extends Kerberos support to local accounts.

First introduced in the 1990s, NTLM is a suite of security protocols intended to provide authentication, integrity, and confidentiality to users. It is a single sign-on (SSO) tool that relies on a challenge-response protocol that proves to a server or domain controller that a user knows the password associated with an account.

It has been supplanted by another authentication protocol called Kerberos since the release of Windows 2000, although NTLM continues to be used as a fallback mechanism.

“The main difference between NTLM and Kerberos is in how the two protocols manage authentication. NTLM relies on a three-way handshake between the client and server to authenticate a user,” CrowdStrike notes. “Kerberos uses a two-part process that leverages a ticket granting service or key distribution center.”
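The three legs of the NTLM handshake can be recognized on the wire by the NTLMSSP header each message carries, which is useful when auditing where NTLM is still in use. The following is an added example, not code from the article, Microsoft, or CrowdStrike; it assumes the exchange travels in HTTP `NTLM`/`Negotiate` header values, the function names are hypothetical, and the sample tokens are constructed, not captured.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
LEGS = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def parse_ntlm_header(value):
    """Return (leg, server_challenge_hex_or_None) for an NTLM/Negotiate header
    value that carries a raw NTLMSSP token, else None."""
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() not in ("ntlm", "negotiate"):
        return None
    try:
        token = base64.b64decode(parts[1], validate=True)
    except ValueError:  # malformed base64
        return None
    if len(token) < 12 or not token.startswith(NTLMSSP_SIGNATURE):
        return None  # e.g. a Kerberos/SPNEGO token, which is ASN.1 encoded
    (msg_type,) = struct.unpack_from("<I", token, 8)  # little-endian type field
    leg = LEGS.get(msg_type)
    if leg is None:
        return None
    challenge = None
    if leg == "CHALLENGE" and len(token) >= 32:
        # The 8-byte server challenge sits at offset 24 of the CHALLENGE message.
        challenge = token[24:32].hex()
    return leg, challenge


def build_sample(msg_type, body=b""):
    """Build a constructed, minimal NTLMSSP token for the demo (not a capture)."""
    raw = NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + body
    return base64.b64encode(raw).decode()


# Constructed exchange: client -> server -> client, then a non-NTLM token.
SAMPLE_EXCHANGE = [
    "NTLM " + build_sample(1, struct.pack("<I", 0)),
    "NTLM " + build_sample(2, bytes(12) + bytes.fromhex("0123456789abcdef")),
    "NTLM " + build_sample(3, bytes(52)),
    "Negotiate " + base64.b64encode(b"\x60\x82\x01\x00").decode(),  # ASN.1 start
]


def trace(headers):
    """Classify each header value in order."""
    return [parse_ntlm_header(h) for h in headers]


if __name__ == "__main__":
    for header, result in zip(SAMPLE_EXCHANGE, trace(SAMPLE_EXCHANGE)):
        print(header[:24], "->", result)
```

A `Negotiate` value that parses as NTLMSSP here indicates the connection used NTLM rather than Kerberos; a token that does not parse is only "not raw NTLMSSP" and needs SPNEGO decoding to classify further.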


Another important distinction is that while NTLM relies on password hashing, Kerberos leverages encryption.

Besides NTLM’s inherent security weaknesses, the technology has been rendered vulnerable to relay attacks, potentially allowing bad actors to intercept authentication attempts and gain unauthorized access to network resources.

Microsoft said it is also working on addressing hard-coded NTLM instances in its components in preparation for the shift to ultimately disable NTLM in Windows 11, adding it is making improvements that encourage the use of Kerberos instead of NTLM.

“All these changes will be enabled by default and won’t require configuration for most scenarios,” Matthew Palko, Microsoft’s senior product management lead in Enterprise and Security, said. “NTLM will continue to be available as a fallback to maintain existing compatibility.”
