HackersSecurity

Ridding your network of NTLM

Aside from its weak password protection, NTLM has several other behaviors that make it a hacker’s paradise. First, it doesn’t require any connection to a Windows domain. It is also still needed when authenticating with a local account, and when the client doesn’t know which server it is actually talking to. On top of these weaknesses, it was invented so long ago (before Active Directory was even considered) that it doesn’t support modern cryptographic techniques, so its simple unsalted hashing scheme is trivially easy to crack.

Kerberos versus NTLM

Those modern techniques are thankfully part of the Kerberos protocols, which is what Microsoft has been trying to replace NTLM with over the past several years. Since Windows Server 2000, it has been the default choice for authentication. “NTLM relies on a three-way handshake between the client and server to authenticate a user,” wrote Crowdstrike’s Narendran Vaideeswaran in a blog in April 2023. “Kerberos uses a two-part process that leverages a ticket granting service or key distribution center.” That ticketing process means that Kerberos is secure by design, something that never could be claimed for NTLM.

One of the reasons for NTLM’s enduring reign is that it was easy to implement, and it has always been the fallback choice: when Kerberos (or something else) doesn’t work properly and a user or an app fails to authenticate with Kerberos, Windows automatically (in most cases) retries with NTLM. “For example, if you have workgroups with local user accounts, where the user is authenticated directly by the application server, Kerberos won’t work,” wrote TechRepublic. Microsoft has said that local users still make up a third of NTLM usage, one of the reasons it wants to keep its older systems working. Another pain point is the protocol used to implement Remote Desktop Services, which can often fall back to NTLM. As Adrian Amos wrote in a blog post from November 2023, “Microsoft supports legacy security configurations long past their expiration dates.”

Microsoft’s pleas to encourage NTLM’s replacement were somewhat disingenuous, since there weren’t any easy fixes. In the mid-1990s it offered an updated version 2 of NTLM that was supposed to solve some of the security issues. It was a half-hearted effort, and NTLMv2 is still rife with exploits. One X user posted this comment in April: “For about a decade or more, Microsoft took an approach that customers who wanted to be more foundationally secure needed to either possess significant expertise and determination to implement non-default and obscure things or shift to using its new MS cloud stuff. But now Microsoft is finally launching a major effort to actually help customers transition away from NTLM without unacceptably breaking compatibility.”

That happened last fall, when Microsoft documented the evolution of Windows authentication services. They said they were “expanding the reliability and flexibility of Kerberos and reducing dependencies on NTLM.” That post mentions an auditing tool that can discover NTLM instances across your networks, and a feature called IAKerb that allows clients to use Kerberos in more diverse network topologies and adds encryption to the authentication dialog. However, NTLM is still alive as a fallback option. Eventually, NTLM will be disabled completely in Windows 11, although no precise timeline was indicated.

How to get rid of NTLM

But moving completely off NTLM isn’t going to be easy. Enterprises need to follow a series of steps to finally rid themselves of the NTLM scourge. First, perform a protocol audit to discover all the nooks and hidden apps where it still resides, including legacy clients running unpatched, ancient versions of Windows (such as Windows 95 or 98) that can’t support Kerberos.
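One way to start that audit, as an added example that is not from the article or from Microsoft’s own tooling: a PowerShell script that inventories successful NTLM logons recorded in the Security log (event 4624), grouped by NTLM version, account and workstation. It assumes an elevated session on a Windows host with logon success auditing enabled; the output path is a constructed placeholder.

```powershell
# Added example (not from the article): inventory NTLM logons from the Security log
# so you can see which accounts and hosts still depend on NTLM (and on NTLMv1).
# Assumes Windows PowerShell 5.1+ in an elevated session with "Audit Logon" success
# auditing on, otherwise no 4624 events exist to inspect.
param(
    [int]$Days = 7,
    [string]$OutCsv = "$env:TEMP\ntlm-inventory.csv"   # constructed output path
)

$since = (Get-Date).AddDays(-$Days)

# Event 4624 (successful logon) records which authentication package was used.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since }

$ntlm = foreach ($e in $events) {
    # Pull the named fields out of the event's EventData XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Kerberos logons report 'Kerberos' here; only NTLM logons are of interest.
    if ($data['AuthenticationPackageName'] -ne 'NTLM') { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Workstation = $data['WorkstationName']
        SourceIP    = $data['IpAddress']
        LogonType   = $data['LogonType']       # 3 = network, 10 = RemoteInteractive (RDP)
        NtlmVersion = $data['LmPackageName']   # 'NTLM V1' or 'NTLM V2'
    }
}

if ($ntlm) {
    # Summarize which NTLM version is used, by whom, from where; NTLMv1 rows go first.
    $ntlm | Group-Object NtlmVersion, Account, Workstation |
        Sort-Object @{ e = { $_.Group[0].NtlmVersion } }, @{ e = 'Count'; Descending = $true } |
        Select-Object Count,
                      @{ n = 'Version';     e = { $_.Group[0].NtlmVersion } },
                      @{ n = 'Account';     e = { $_.Group[0].Account } },
                      @{ n = 'Workstation'; e = { $_.Group[0].Workstation } } |
        Format-Table -AutoSize

    $ntlm | Export-Csv -NoTypeInformation -Path $OutCsv
    Write-Host "Wrote $($ntlm.Count) NTLM logon events to $OutCsv"
} else {
    Write-Host "No NTLM logons found in the last $Days day(s)."
}
```

Run it on domain controllers and application servers in turn; the CSV then doubles as the to-do list of clients and service accounts that must be moved to Kerberos before NTLM is restricted.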
