Microsoft Phases Out NTLM Authentication in Windows

Microsoft has initiated a formal, three-stage plan to retire the New Technology LAN Manager (NTLM) authentication protocol across its Windows operating system. The company announced the phased approach as part of a long-term strategy to move enterprise environments to the more secure Kerberos authentication standard. It follows Microsoft's initial announcement, over two years ago, that it would deprecate the legacy NTLM technology.

The decision to phase out NTLM is rooted in security concerns. Microsoft has cited the protocol's susceptibility to relay attacks. NTLM is a challenge-response protocol: the server sends a challenge, and the client answers with a value derived from the challenge and the user's password hash. Nothing in that exchange proves to the client which server it is talking to, so an adversary who can get a client to authenticate to a host they control can forward the challenge and the client's response to a different server and be accepted there as that user. Because possession of the password hash is all the protocol requires, a hash stolen from a compromised machine can likewise be used to authenticate directly.
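The weakness described above, reduced to its essentials: a response that is a keyed hash of the server's challenge alone is valid for whichever server issued that challenge, so a man-in-the-middle can forward it. The following PowerShell is an added example written for this page, not code from the article or from Microsoft. HMAC-SHA256 stands in for NTLMv2's HMAC-MD5 construction, the message layout is simplified, and the "target-bound" variant, the user key and the host names FILESRV and ATTACKER are assumptions for illustration.

```powershell
# Added example, not from the article or Microsoft: a toy challenge-response exchange showing why a
# response bound only to the server's challenge can be relayed to a different server.
# HMAC-SHA256 stands in for NTLMv2's HMAC-MD5; the target-bound variant and the names are assumptions.

function New-Challenge {
    # NTLM's ServerChallenge is 8 random bytes
    $b = [byte[]]::new(8)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b)
    return $b
}

function Get-Response {
    # Client side: MAC over the challenge and, in the bound variant, the name of the server
    # the client believes it is talking to (what EPA / channel binding adds to NTLM)
    param([byte[]]$Key, [byte[]]$Challenge, [string]$TargetName = '')
    $data = [byte[]]($Challenge + [System.Text.Encoding]::Unicode.GetBytes($TargetName))
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    try { return $hmac.ComputeHash($data) } finally { $hmac.Dispose() }
}

function Test-Response {
    # Server side: recompute with the stored key (a domain controller holds the NT hash) and compare
    param([byte[]]$Key, [byte[]]$Challenge, [byte[]]$Response, [string]$ServerName = '')
    $expected = Get-Response -Key $Key -Challenge $Challenge -TargetName $ServerName
    return [System.BitConverter]::ToString($expected) -eq [System.BitConverter]::ToString($Response)
}

# Constructed secret standing in for the user's NT hash, known to the client and to the authenticating server
$userKey = [System.Text.Encoding]::UTF8.GetBytes('nt-hash-of-alice')

# 1. Relay: the attacker is a server to Alice's client and a client to the real target FILESRV.
#    It opens a session to FILESRV, takes FILESRV's challenge, hands that same challenge to Alice,
#    and forwards Alice's response back to FILESRV.
$challengeFromTarget = New-Challenge
$clientResponse = Get-Response -Key $userKey -Challenge $challengeFromTarget
$accepted = Test-Response -Key $userKey -Challenge $challengeFromTarget -Response $clientResponse
"Unbound response relayed to FILESRV accepted: $accepted"

# 2. Bind the intended target into the MAC. Alice's client connected to ATTACKER, so that is the name
#    it signs; FILESRV checks against its own name and the relayed response no longer verifies.
$clientResponse = Get-Response -Key $userKey -Challenge $challengeFromTarget -TargetName 'ATTACKER'
$accepted = Test-Response -Key $userKey -Challenge $challengeFromTarget -Response $clientResponse -ServerName 'FILESRV'
"Target-bound response relayed to FILESRV accepted: $accepted"
```

Run as a script, the first line reports True and the second False. Kerberos removes the problem more completely than channel binding does: a service ticket is encrypted under the key of the specific service it was issued for, so a ticket captured on the way to one service is unusable at another.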

Background on NTLM and Kerberos

NTLM, or New Technology LAN Manager, is a suite of security protocols that has provided authentication for Windows networks for decades. It was introduced as an upgrade to the older LAN Manager (LM) protocol. While it has been a foundational component, security researchers have long identified weaknesses in NTLM, among them the DES-based responses of NTLMv1 and the absence of server authentication in every version, that make it a target for attacks.

Kerberos, named after the three-headed dog from Greek mythology, is a ticket-based network authentication protocol. It is considered significantly more secure than NTLM for several reasons. Kerberos uses strong cryptography for mutual authentication between a client and a server, and each service ticket is encrypted for one named service, which defeats the eavesdropping, replay and relay attacks that NTLM permits. It has been the default and preferred authentication protocol in Windows domains since the introduction of Windows 2000. NTLM has nonetheless survived because Windows falls back to it whenever Kerberos cannot be used: when a server is addressed by IP address rather than by name, when no service principal name (SPN) is registered for the target, or when a local rather than a domain account is involved.

The Three-Phase Deprecation Plan

Microsoft’s plan to remove NTLM is structured to give organizations ample time to prepare and transition. The first phase focuses on disabling NTLM in Windows 11. This initial stage involves turning off NTLM by default in the upcoming annual feature update for the operating system. Microsoft will provide tools and guidance for IT administrators to audit their environments for NTLM usage before this change takes effect.

The second phase will expand these efforts. It will introduce additional features to Windows for disabling NTLM and will see the protocol turned off by default in more Windows versions. This stage is designed to increase the momentum toward a Kerberos-only environment across the entire Windows ecosystem.

The third and final phase will involve the complete removal of all NTLM components from the Windows operating system. Microsoft has not provided a specific public timeline for this ultimate step, indicating that it will depend on the progress and feedback from the earlier phases. The company's goal is to eliminate the security risks associated with NTLM entirely.

Implications for Organizations

For many modern enterprises already using Active Directory in a Windows domain environment, the transition may be straightforward, as Kerberos is already the primary authentication method. Challenges are likely, however, wherever the fallback to NTLM is silently exercised today: legacy or third-party applications that connect to servers by IP address, services whose SPNs were never registered, workgroup machines and appliances that are not domain-joined, and systems that authenticate with local accounts, which cannot use Kerberos at all.

Microsoft is advising IT and security teams to begin preparing immediately. The company recommends using built-in Windows event logging and other auditing tools to identify all instances of NTLM authentication within their networks: the "Network security: Restrict NTLM" Group Policy settings can be put into audit mode so that NTLM use is logged without yet being blocked, and the Security log's logon events (event ID 4624) record which authentication package each logon actually used. This allows teams to find and update or replace applications and services that depend on the older protocol before it is disabled.
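One way to carry out that audit on a single host, covering both the dependency cases above and the logging the article recommends, is the PowerShell script below. It is an added example written for this page, not a tool from Microsoft or from the article. It assumes an elevated session on the host being audited; the `-Days` and `-MaxEvents` parameters are illustrative. The registry values it checks correspond to the "Network security: Restrict NTLM" policies, and the NTLM/Operational log only receives events once those policies are set to audit or deny.

```powershell
# Added example, not from the article or Microsoft: inventory NTLM use on this host from its own logs.
# Assumes an elevated session; -Days and -MaxEvents are illustrative parameters.
param(
    [int]$Days = 7,
    [int]$MaxEvents = 100000
)

$since = (Get-Date).AddDays(-$Days)

# 1. Are the NTLM audit policies on? Without them the NTLM/Operational log stays empty.
#    These registry values mirror the "Network security: Restrict NTLM" Group Policy settings:
#    AuditReceivingNTLMTraffic 2 = audit all accounts; RestrictSendingNTLMTraffic 1 = audit, 2 = deny.
$msv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
if ($msv.AuditReceivingNTLMTraffic -ne 2) {
    Write-Warning 'AuditReceivingNTLMTraffic is not 2 (audit all accounts); incoming NTLM (event 8002) will be under-reported'
}
if ($msv.RestrictSendingNTLMTraffic -lt 1) {
    Write-Warning 'RestrictSendingNTLMTraffic is not 1 (audit) or 2 (deny); outgoing NTLM (event 8001) will not be logged'
}

# 2. Security log 4624: every successful logon records the package that was actually used.
#    Negotiate logons put the chosen package in LmPackageName ("NTLM V1" / "NTLM V2"), so both fields are checked.
function Get-NtlmLogon {
    param([datetime]$StartTime, [int]$Max)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime } `
        -MaxEvents $Max -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        foreach ($item in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        if ($data['AuthenticationPackageName'] -eq 'NTLM' -or $data['LmPackageName'] -like 'NTLM*') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType   = $data['LogonType']      # 3 = network logon, the kind a relay produces
                Package     = $data['LmPackageName']  # "NTLM V1" here is the most urgent finding
                Workstation = $data['WorkstationName']
                SourceIp    = $data['IpAddress']      # a source that authenticates by IP rarely has an SPN path
            }
        }
    }
}

$ntlmLogons = @(Get-NtlmLogon -StartTime $since -Max $MaxEvents)
"NTLM logons in the last $Days day(s): $($ntlmLogons.Count)"
$ntlmLogons | Group-Object User, SourceIp, Package | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. NTLM/Operational log, populated only when the audit policies above are on:
#    8001 = outgoing NTLM from this host, 8002 = incoming NTLM to this host,
#    8003 / 8004 = NTLM authentication audited / blocked at a domain controller.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object Id | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

The grouped 4624 output is the worklist: each distinct user, source and package combination is an application, device or account that will stop working when NTLM is turned off, and the ones showing "NTLM V1" should be fixed first. Run the same script on domain controllers to see domain-wide incoming NTLM rather than a single host's share of it.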

The shift away from NTLM is part of a broader industry movement toward stronger identity and access management. Cybersecurity frameworks increasingly recommend or mandate the use of robust, modern authentication mechanisms to protect against credential-based attacks.

Looking ahead, Microsoft is expected to release detailed technical documentation, group policies, and management tools to assist with the transition throughout each phase of the plan. The company will likely monitor adoption rates and industry feedback closely before proceeding from one stage to the next, so that the change does not disrupt critical business operations for its customers.

Source: GeekWire