Windows Security: NTLM, Kerberos, and the Road Ahead

In the evolving landscape of Windows security, NTLM and Kerberos hold sway. Our journey unveils NTLM's enduring grip, Kerberos' robustness, and Microsoft's strategic plan to extend Kerberos reach and minimize NTLM usage.

NTLM: The Perplexing Persistence

The NTLM protocol, despite its known vulnerabilities, continues to persist within the Windows ecosystem. The question remains: why does it endure? NTLM relies on aging cryptographic methods, employing HMAC-MD5 encryption for the server’s challenge response. The Achilles’ heel lies in its dependence on the feeble MD4 algorithm to hash user passwords into secret keys. The low entropy of MD4 makes it susceptible to attacks.

These vulnerabilities pave the way for impersonation and potential account compromise. NTLM lacks password salting, enabling offline cracking and pass-the-hash attacks. As hardware capabilities surge, even consumer-grade devices can exploit NTLM’s weaknesses.

Moreover, NTLM is devoid of server authentication, creating opportunities for relay attacks. Malicious servers can interject themselves between clients and intended target servers, compromising security even in secure environments.

Additionally, NTLM is inextricably tied to passwords, restricting compatibility with modern authentication methods like certificates, biometrics, multi-factor authentication, and FIDO keys.

Kerberos: The Sentry of Security

In the labyrinth of NTLM, Kerberos emerges as the bastion of secure authentication. Unlike NTLM, Kerberos is secure and extensible. It deploys robust and flexible cryptographic methods, including server authentication. Kerberos accommodates various modern and flexible credential types, shifting away from the reliance on passwords.

However, Kerberos comes with its complexities. It necessitates the involvement of three parties: the client, the target or application server, and a Key Distribution Center (KDC) acting as the central authenticator. Furthermore, the client must maintain direct line of sight to the KDC, limiting its applicability to specific network configurations.

Streamlining Kerberos Access

Microsoft acknowledges the need to simplify Kerberos access and introduces two extensions to achieve this goal. The first solution, IAKERB (Initial and pass-through Authentication for Kerberos), addresses scenarios where clients have visibility of the application server but not of a KDC. IAKERB allows the target server to function as a proxy, securely relaying Kerberos messages between the client and the KDC. This extension can significantly diminish the reliance on NTLM, especially in remote work scenarios.

IAKERB also acts as a prerequisite for Microsoft’s other innovative feature: local KDC (Key Distribution Center). Local KDC obviates the necessity for an external KDC by embedding a simplified KDC directly into every Windows machine. This simplifies authentication, enabling clients to authenticate directly with target devices, even in workgroup scenarios and peer-to-peer contexts.

Check out the following video for a clear breakdown of NTLM and Kerberos, featuring a demo. It also covers Microsoft’s IAKerb and Local KDC.

Impact on NTML Usage

IAKERB and local KDC are poised to have an immediate and substantial impact on NTLM usage, extending the usability of Kerberos in scenarios where NTLM was previously compulsory. However there are certain conditions that could route back to NTLM, for example:

  • Kerberos does not utilize IP addresses for identifying a target server. In such cases policies could configure Kerberos to accommodate IP addresses.
  • Kerberos cannot replace NTLM if the target server is unfamiliar to the client or a null target is employed. These scenarios will be addressed through additional features in future Windows releases.

Microsoft’s Vision: A Secure Future

Microsoft’s commitment to security extends beyond replacing NTLM. In an upcoming Windows version, their immediate goal is to empower users to detect and minimize NTLM usage within their systems.

The ultimate ambition, spanning multiple Windows releases, is to eradicate all NTLM utilization across the Windows ecosystem.

Seamless Integration with Negotiate

Now, the pivotal question is how to transition to these new solutions. IAKERB and local KDC will be integrated as sub-protocols within the existing SPNEGO (also known as Negotiate) protocol, chosen for its ubiquity across modern Windows devices. Negotiate, Microsoft’s endorsed authentication guidance for over a decade, already includes built-in fallback. When these features are released, the standard Negotiate setup in a Windows environment will attempt three authentication protocols: Kerberos, IAKERB (including local KDC when relevant), and, as a last resort, NTLM if preceding options fail.

Simplified Implementation and Interoperability

As for implementation, the approach will depend on the existing authentication setup. Management and usage of these features fall into three broad categories:

  1. SPNEGO Users – Those already using SPNEGO to negotiate authentication in line with Microsoft’s best practices will automatically benefit from these changes upon system updates, requiring no additional installation or management. SPNEGO or Negotiate will automatically leverage IAKERB and local KDC when feasible. Fallback to NTLM remains available, with potential interoperability concerns.
  2. NTLM Hard-Coding – For those who have hard-coded NTLM as the preferred Windows authentication option, transitioning is relatively straightforward. Replacing “NTLM” with “Negotiate” can often switch the connection from NTLM to Negotiate without additional complexities.
  3. Windows and Non-Windows Interop – Situations involving interoperation between Windows and non-Windows systems necessitate careful consideration. Both ends of the connection must implement IAKERB or be able to interoperate with it for IAKERB to function. Similar requirements apply to local KDC. Non-Windows implementations that do not support IAKERB will continue to have the option of falling back to NTLM. However, as NTLM phases out, long-term planning should involve transitioning to more modern and secure authentication protocols.

Fine-Tuned Control for Administrators

While most interoperability issues are expected to be mitigated by fallback mechanisms, Microsoft also offers a selection of management capabilities to provide administrators with fine-tuned control over this transition.

These capabilities include:

  1. Auditing and Control: Admins can audit and partially control NTLM usage using existing Microsoft tools, gaining insights into components relying heavily on NTLM and selectively prohibiting various NTLM versions.
  2. Per-Device Configuration: IAKERB features per-device configuration options, allowing broad control across an environment or fine-tuning for specific devices.
  3. Per-Service Configurability: Administrators can configure IAKERB on a per-service basis, exempting certain services from these changes.
  4. Registry and Group Policy: The entire IAKERB local KDC change can be toggled via the registry and group policy, granting time for mitigating compatibility and interoperability issues.

The Sunset of NTLM

However, it is worth emphasizing again that NTLM is ultimately on its way out, and businesses shouldn’t merely disable this feature without planning for the future. The sunset of NTLM in Windows is inevitable, and organizations should prepare accordingly. IAKERB and local KDC are just the first phase of a more extensive project. Microsoft is taking a data-driven approach to inform their strategy and timelines, allowing customers and partners adequate time to adapt to each phase.

Today, the capability to disable NTLM within a Windows environment technically exists. However, doing so can break various functions, as NTLM remains necessary in scenarios where other protocols can’t be used. In addition to IAKERB and local KDC, Microsoft will provide more information about scenarios where NTLM is still required.

The multi-phased approach of Microsoft’s strategy will enable organizations to transition at their own pace. As NTLM replacements are adopted in updated Windows versions, Microsoft will move to disable NTLM by default in Windows. IT Managers should anticipate this change and prepare for the reduction in NTLM usage.

While most users will notice no change during this phase, those experiencing issues can temporarily re-enable NTLM. However, the final stage will involve the complete removal of NTLM from Windows, with the timeline determined by Microsoft.

The time has come to take NTLM seriously and plan for its eventual retirement. As the sun sets on NTLM, a brighter, more secure future beckons.

The Strengths of Kerberos

In contrast to NTLM’s aging security posture, Kerberos stands as a contemporary and robust authentication protocol.

It boasts cryptographic strength, relying on modern algorithms to secure communications. One of its prominent advantages is server authentication, ensuring that users connect to the intended servers, thus thwarting malicious relay attacks. Moreover, Kerberos offers support for various forms of credentials, including certificates, biometrics, multi-factor authentication, and FIDO keys, aligning with the industry’s shift towards more advanced and secure authentication methods. While NTLM is declining in the name of Windows security, Kerberos will stay to offer a more formidable defense against evolving threats.

Visuality Systems: Your Trusted SMB Protocol Partner

In this dynamic landscape, the commitment to security extends to partnerships and beyond protocols. Visuality Systems, with its unwavering dedication to secure SMB communications, stands as your trusted ally. We offer SMB software libraries that promise the most updated and secure SMB protocol solutions.

SMB is a network file-sharing protocol developed by Microsoft. It’s instrumental in sharing files, printers, and other resources on a network. SMB operates over multiple transport protocols, and its security is closely tied to the authentication mechanisms in use, which brings us back to NTLM and Kerberos.

When you access shared files or resources over SMB, your authentication method impacts the security of your communication. If NTLM is employed and you’re unable to use Kerberos due to limitations like a lack of line of sight to the KDC, SMB still offers some measure of security through TLS. However, this setup isn’t as secure as pure Kerberos authentication.

In a strategic partnership with Microsoft, Visuality Systems shares the vision of a secure digital future. Together, we navigate the intricate path of Windows security with confidence.

Share Via
Related Articles
Share Via
Table of Contents

Visuality systems uses technical, analytical, marketing, and other cookies. These files are necessary to ensure smooth operation of site and services and help us remember you and your settings. For details, please read our Privacy policy

Skip to content