How to future-proof Windows networks: Take action now on planned phaseouts and changes

“This is key to advancing both our platform quality and capability such that we can protect the digital estates of our customers and build a safer world for all.”

The message is that Microsoft’s priority is no longer ensuring that legacy technology will be accepted and allowed to continue to be acceptable in a modern network. So, if you are a firm that relies on a traditional active directory, my recommendation is to take action on planned phaseouts and changes to ensure that you aren’t impacted by future Microsoft mandates.

Investigate your NTLM dependencies now

Microsoft has indicated that NTLM needs to be phased out and is beginning to communicate that the protocol needs to be disabled, as it can be abused and used to gain more access to a firm’s resources, through several vulnerabilities:

• NTLM supports Weak password hashing, which makes it susceptible to attacks.
• NTLM uses outdated cryptography, such as the use of the RC4 cipher, and thus can be exploited.
• The protocol’s lack of salting makes it vulnerable to brute-force attacks.

Ensure you assign resources in your firm now to identify how dependent you are on NTLM. Ensure team members are aware of resources and webinars on the topic.

Ensure SMBv1 is disabled

For those still using traditional Active Directory, there are several technologies and protocols that need to be removed sooner rather than later. The use and support of SMB v1 is another example of this. Once again ensure that your IT staff is actively reviewing for dependencies.

If you have not already disabled SMBv1 through group policy, review the guidance to disable it in your network as soon as you can. Download the latest ADMX file to your group policy store and review the settings under Computer Configuration\Administrative Templates\. These are custom templates that need to be downloaded separately and installed in the group policy store.