Microsoft shows venerable and vulnerable NTLM security protocol the door
- Reference: 1717675205
- News link: https://www.theregister.co.uk/2024/06/06/microsoft_deprecates_ntlm/
- Source link:
The [1]announcement means that admins dragging their feet to move to something more secure must start making plans.
Active feature development for all versions of NTLM (NT Lan Manager) has now ceased, although the protocol will linger for a while. Microsoft said: "Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows."
[2]
"Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary."
[3]
[4]
The writing has been on the wall for NTLM for some time. Microsoft was blunt in its [5]assessment in October 2023, although it acknowledged that there were still things that could not be done with Kerberos. It stated: "Our end goal is eliminating the need to use NTLM at all."
Handy, because the company [6]broke the authentication protocol for some users with the April 2024 security update. NTLM traffic could suddenly spike after the update was installed on domain controllers. Although Microsoft resolved the issue in the May 14 update, the incident will have reminded affected organizations to catalog their NTLM use.
[7]Microsoft Research chief scientist has no issue with Windows Recall
[8]Microsoft expects further concessions for Teams amid EC antitrust probe
[9]Microsoft fixes the fix for the Windows Server 2019 NTLM problem
[10]Microsoft confirms spike in NTLM authentication traffic after Windows Server patch
As Reg readers know, NTLM first turned up in 1993 with Windows NT 3.1. It is a basic challenge and response system where a user proves who they are via a password. It doesn't need a local connection to a Domain Controller and works even when the target server is unknown. However, its many vulnerabilities, including some rather weak encryption, have made it a [11]target for attackers .
NTLM's relative convenience has resulted in it being hardcoded into several applications, including some Windows components. Microsoft made Kerberos the default Windows authentication protocol in 2000, but the operating system could still fall back to NTLM in scenarios where Kerberos could not be used.
[12]
Microsoft has since worked to remove or mitigate those scenarios, including dealing with Windows components hardcoded to use NTLM. It said: "We are taking a data-driven approach and monitoring reductions in NTLM usage to determine when it will be safe to disable."
The addition of the protocol to the Deprecated Features list means that time is fast approaching. ®
Get our [13]Tech Resources
[1] https://learn.microsoft.com/en-au/windows/whats-new/deprecated-features
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZmHdIqwe9IT7lpu-sIGaYAAAAI4&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZmHdIqwe9IT7lpu-sIGaYAAAAI4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZmHdIqwe9IT7lpu-sIGaYAAAAI4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848
[6] https://www.theregister.com/2024/05/02/microsoft_ntlm_windows_server/
[7] https://www.theregister.com/2024/06/06/microsoft_research_recall/
[8] https://www.theregister.com/2024/06/05/microsoft_expects_further_concessions_for/
[9] https://www.theregister.com/2024/05/24/microsoft_patch_patch/
[10] https://www.theregister.com/2024/05/02/microsoft_ntlm_windows_server/
[11] https://www.theregister.com/2017/07/11/microsoft_patches_nt_lan_manager/
[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZmHdIqwe9IT7lpu-sIGaYAAAAI4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[13] https://whitepapers.theregister.com/
Depreciating NTLM
So what will be the replacement in workgroup / peer-to-peer small SoHo Windows environments? And what about legacy networked devices that are still in use? Will Win11 just kick this / them all to the curb?
Obligatory Simpsons
Why now?
https://frinkiac.com/video/S09E15/O9h3RCKgVT4lHaO-J6OWj6_rce4=.gif
Challenge-Response
There's no weakness in Challenge-Response protocols themselves. It's just that NTLM originally used SHA-1 and 64-bit DES, which is outdated and weak. Newer versions used MD5, which too has been shown to be insecure.
They could've upgraded to SHA-256 and AES-256 with limited or no fallback options, which would've made it secure once and for all, but didn't.
Re: Challenge-Response
"NTLM - secure once and for all" --see icon-->
Well, I suppose now that it has been deprecated, it soon will be "secure once and for all"..
"that time is fast approaching"
Gotta do something to keep those juicy US Government contracts . . .