Microsoft has announced a significant security architecture change: the 30-year-old NTLM (New Technology LAN Manager) authentication protocol will be disabled by default in upcoming Windows releases.
Source: BleepingComputer
Why This Matters
NTLM, introduced in 1993 with Windows NT 3.1, has been a persistent security liability for enterprises. Despite being superseded by Kerberos in Windows 2000, NTLM remained as a fallback authentication method—one that attackers have exploited extensively.
The protocol’s weak cryptography has made it a favorite target for attackers using:
- NTLM relay attacks (PetitPotam, ShadowCoerce, DFSCoerce, RemotePotato0)
- Pass-the-hash attacks for credential theft and lateral movement
Microsoft’s Three-Phase Transition Plan
Phase 1 (Now): Enhanced auditing tools in Windows 11 24H2 and Windows Server 2025 to identify NTLM usage across environments.
Phase 2 (H2 2026): New features including IAKerb and Local Key Distribution Center to address scenarios that currently trigger NTLM fallback.
Phase 3 (Future): Network NTLM disabled by default in future Windows releases. The protocol will remain available but must be explicitly re-enabled via policy controls.
What Organizations Should Do
Security teams should:
- Audit current NTLM usage using Windows built-in tools
- Identify applications and services that still depend on NTLM
- Plan migration to Kerberos-based authentication
- Review Active Directory Certificate Services (AD CS) configurations to prevent relay attacks
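The first two items above (audit NTLM usage with built-in tools, then identify what still depends on it) can be started from a single host with the data Windows already records. The following PowerShell script is an added example, not from the article or from Microsoft: it checks the local NTLM audit/restriction policy settings in the registry, extracts NTLM logons from Security event 4624 (where AuthenticationPackageName is NTLM and LmPackageName reveals LM, NTLM V1 or NTLM V2), and lists entries from the Microsoft-Windows-NTLM/Operational log (events 8001-8004, which only appear once the "Restrict NTLM: Audit ..." policies are turned on). It assumes it is run elevated on a Windows 10/11 or Server host; the function name, the default look-back window and the output shape are the author's choices here.

```powershell
# Added example: summarise observed NTLM authentication on the local machine.
# Assumes an elevated session; log names, event IDs and registry values are
# standard Windows ones, the function name and report layout are assumptions.

function Get-NtlmUsageReport {
    param(
        [int]$Days = 7   # look-back window, an assumed default
    )
    $since = (Get-Date).AddDays(-$Days)

    # 1. Current NTLM audit/restriction policy state (MSV1_0 registry values).
    #    AuditReceivingNTLMTraffic: 0 = off, 1 = domain accounts, 2 = all accounts
    #    RestrictSendingNTLMTraffic / RestrictReceivingNTLMTraffic: 0 = allow, 1 = audit, 2 = deny
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
                            -ErrorAction SilentlyContinue
    $policy = [pscustomobject]@{
        AuditReceivingNTLMTraffic    = $lsa.AuditReceivingNTLMTraffic
        RestrictSendingNTLMTraffic   = $lsa.RestrictSendingNTLMTraffic
        RestrictReceivingNTLMTraffic = $lsa.RestrictReceivingNTLMTraffic
    }

    # 2. Security log, event 4624 (successful logon). NTLM logons carry
    #    AuthenticationPackageName = 'NTLM'; LmPackageName tells LM / NTLM V1 / NTLM V2.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $since }
    $ntlmLogons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['AuthenticationPackageName'] -eq 'NTLM') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                    LogonType   = $data['LogonType']      # 3 = network, 2 = interactive, ...
                    NtlmVersion = $data['LmPackageName']  # 'NTLM V1' is the one to chase first
                    SourceIP    = $data['IpAddress']
                    Workstation = $data['WorkstationName']
                }
            }
        }

    # Which accounts and which NTLM versions are still in play, most frequent first.
    $byAccount = $ntlmLogons |
        Group-Object NtlmVersion, User |
        Sort-Object Count -Descending |
        Select-Object Count, Name

    # 3. NTLM operational log. Only populated when the audit policies are enabled:
    #    8001 outgoing NTLM by a client process, 8002 incoming NTLM at a server,
    #    8003 NTLM auth on a domain member, 8004 NTLM auth handled by a DC.
    $opsFilter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = $since
    }
    $ntlmOps = Get-WinEvent -FilterHashtable $opsFilter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        Policy           = $policy
        NtlmLogonCount   = @($ntlmLogons).Count
        NtlmLogonsByUser = $byAccount
        NtlmLogons       = $ntlmLogons
        OperationalEvents = $ntlmOps
    }
}

# Usage: run elevated, then inspect the parts you care about.
$report = Get-NtlmUsageReport -Days 7
$report.Policy
"NTLM logons in window: $($report.NtlmLogonCount)"
$report.NtlmLogonsByUser | Format-Table -AutoSize
$report.OperationalEvents | Format-Table -AutoSize -Wrap
```

Read the output in two passes: the Policy object tells you whether auditing is even on (all three values absent or 0 means the operational log will be empty and you are only seeing what 4624 happens to capture), and the grouped logon list tells you which accounts and source workstations are still negotiating NTLM, which is the raw material for the dependency inventory in the next step. Run it on domain controllers and on any file, web or application servers, not just workstations, since event 8004 on a DC is where most remaining NTLM traffic becomes visible.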
This move marks Microsoft’s continued push toward passwordless, phishing-resistant authentication—a welcome change for enterprises tired of dealing with NTLM-related security incidents.
