NTLM Blocking: Strengthening SMB Security

As cyberattacks grow in scale and sophistication, measures like NTLM blocking are essential to safeguard sensitive authentication data. By enforcing secure defaults and encouraging the use of modern protocols, like Kerberos, Microsoft continues to strengthen the security posture of SMB communications.

Introduction

In today’s cybersecurity landscape, ensuring robust protection for authentication protocols is critical. That’s where NTLM blocking, introduced as part of Microsoft’s Secure Future Initiative and fully supported by Visuality Systems SMB protocol software libraries, comes into play. This post explores what NTLM blocking is, why it’s important, how it elevates network security, and compares NTLM with Kerberos to highlight the benefits of modern authentication.

With the release of Windows 11 version 24H2 and Windows Server 2025, organizations now benefit from enhanced SMB security measures designed to safeguard data, users, and overall infrastructure.

What is NTLM Blocking?

NTLM (NT LAN Manager) is an older authentication protocol that relies on the HMAC-MD5 and MD4 algorithms, which are vulnerable to modern intrusion techniques. NTLM blocking prevents outbound NTLM requests from being sent to potentially malicious servers. This measure not only protects authentication data but also ensures that stronger methods like Kerberos take precedence in domain environments.

What Is Kerberos?

Kerberos is a modern authentication protocol that has become the gold standard in domain environments. Developed by MIT and adopted by Microsoft, Kerberos uses a ticket-based system to authenticate users securely across networks. Its key features include:

  • Mutual Authentication – Both the client and server verify each other’s identities, mitigating risks like adversary-in-the-middle (AitM) attacks.
  • Strong Encryption – Kerberos leverages advanced cryptographic algorithms like AES to secure authentication data.
  • Efficiency – Unlike NTLM, which requires multiple challenge-response interactions, Kerberos completes authentication in fewer steps, improving performance.
  • Centralized Trust – Kerberos operates through a centralized Key Distribution Center (KDC), making it well-suited for domain environments.

These characteristics make Kerberos an ideal replacement for NTLM in modern networks, offering both security and scalability.

Before the Change: NTLM Usage

Before NTLM blocking was introduced, Windows relied on the SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) protocol to negotiate authentication methods between clients and servers. SPNEGO determined whether to use Kerberos or NTLM, depending on the setup of both endpoints.

While this negotiation often defaulted to Kerberos for Active Directory (AD) domain-joined computers, it sometimes resulted in a downgrade to NTLM. This weakened security, as NTLM is less robust against modern threats compared to Kerberos.

Administrators did have the option to disable NTLM as early as Windows Server 2008, but this required manual configuration and was not widely adopted. Without NTLM blocking enforced by default, networks remained vulnerable to potential exploitation, particularly in environments with legacy devices or non-compliant configurations.

These limitations highlighted the need for stronger, mandatory measures like NTLM blocking to ensure a secure authentication process across all network setups.

After the Change: Secure Defaults

With NTLM blocking enabled, organizations are required to adopt the Kerberos protocol for authentication. Kerberos uses a ticket-based system and robust cryptographic mechanisms to verify identities, ensuring significantly stronger security than NTLM. This shift applies to both clients and servers, raising the overall security baseline for network communications.

While NTLM blocking is strict, administrators can still configure exceptions for specific servers that do not support Kerberos. This provides flexibility for legacy systems while encouraging a gradual transition to modern authentication protocols.

Blocking NTLM does not affect local use cases, such as mapping a drive locally with a local account. It applies to outbound connections to remote SMB servers, and because Kerberos must then succeed on its own, authentication will fail in these cases:

  • When a client uses an IP address instead of a fully-qualified domain name.
  • When the CIFS Service Principal Name (SPN) is missing in Active Directory for the SMB server.
  • When local user account credentials are used to authenticate with the SMB server.

This comprehensive approach ensures that NTLM usage is limited to specific, controlled scenarios while defaulting to Kerberos for secure authentication. By reducing reliance on NTLM and enforcing stronger security protocols, NTLM blocking plays a critical role in safeguarding modern networks.

Error Handling with NTLM Blocking

When NTLM blocking prevents a connection you expect to work, identifying the root cause is essential. Misinterpreting NTLM blocking errors as unrelated network issues can delay resolution. Follow these steps to troubleshoot effectively:

  • Temporarily Disable NTLM Blocking – If you suspect NTLM blocking is the issue, disable it temporarily on the SMB client to confirm. This step helps distinguish between NTLM blocking and other potential problems, such as DNS name resolution errors.
  • Switch to Fully-Qualified Domain Names (FQDNs) – NTLM blocking requires secure authentication, and connections using IP addresses often fail because Kerberos does not inherently support them. Replace IP addresses with fully-qualified domain names in connection paths. However, if you must use IP addresses, refer to Configuring Kerberos for IP Address for guidance on proper setup.
  • Verify HOST SPN Records – Ensure that the SMB server has its HOST Service Principal Name (SPN) properly registered. Use the following command to check:

        setspn -l SMBSERVERNAME

    Missing or incorrectly configured SPNs can prevent Kerberos authentication from succeeding.

  • Capture and Analyze Network Traffic – When other troubleshooting steps fail, use a network capture tool like Wireshark to inspect messages between the client and server. Look for DNS, SMB2, and Kerberos traffic to pinpoint where the issue occurs.
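The following PowerShell function is an added example, not part of the original post or of any Visuality Systems product: it runs a UNC path through the failure cases listed earlier (IP literal, short name, missing HOST/cifs SPN, local account) plus the DNS check from the troubleshooting steps, so a mapping can be vetted before NTLM blocking is switched on. It assumes a domain-joined Windows host with setspn.exe available (RSAT / AD DS tools); the sample paths at the end are constructed.

```powershell
# Added example (not from the original post): pre-flight Kerberos readiness check
# for an SMB path. Assumes a domain-joined host with setspn.exe on the PATH.
function Test-SmbKerberosReadiness {
    param([Parameter(Mandatory)][string]$RemotePath)

    $findings = New-Object System.Collections.Generic.List[string]
    # '\\server\share' -> 'server'
    $server = ($RemotePath.TrimStart('\') -split '\\')[0]

    # Kerberos cannot build an SPN from an IPv4/IPv6 literal; a short name depends on
    # suffix search and may resolve to a different host than the SPN was registered for.
    if ($server -match '^\d{1,3}(\.\d{1,3}){3}$' -or $server -match ':') {
        $findings.Add("'$server' is an IP address; use the FQDN or configure Kerberos for IP addresses.")
    } elseif ($server -notmatch '\.') {
        $findings.Add("'$server' is a short name; prefer the fully-qualified domain name.")
    }

    # A DNS failure is easy to mistake for an NTLM blocking failure.
    try   { $null = [System.Net.Dns]::GetHostEntry($server) }
    catch { $findings.Add("DNS resolution failed for '$server'; fix name resolution first.") }

    # The server's computer account needs a HOST (or cifs) SPN in Active Directory.
    $shortName = $server.Split('.')[0]
    if (Get-Command setspn.exe -ErrorAction SilentlyContinue) {
        $spns = & setspn.exe -L $shortName 2>&1 | Out-String -Stream
        if (-not ($spns -match '^\s*(HOST|cifs)/')) {
            $findings.Add("No HOST/cifs SPN listed for '$shortName'; register it before relying on Kerberos.")
        }
    } else {
        $findings.Add("setspn.exe not found; SPN check skipped.")
    }

    # A local account has no domain identity, so the KDC cannot issue it a ticket.
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($who -like "$env:COMPUTERNAME\*") {
        $findings.Add("Logged on as local account '$who'; Kerberos needs a domain account.")
    }

    [pscustomobject]@{
        RemotePath    = $RemotePath
        KerberosReady = ($findings.Count -eq 0)
        Findings      = $findings.ToArray()
    }
}

# Constructed sample paths; the second is flagged because it uses an IP literal.
Test-SmbKerberosReadiness -RemotePath '\\fs01.corp.example.com\data'
Test-SmbKerberosReadiness -RemotePath '\\10.0.0.5\scans'
```

Any path reported with KerberosReady = False will also fail once BlockNTLM is enabled, so the findings tell you what to fix (FQDN, SPN, account) rather than which exception to add.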

Authentication Methods: NTLM vs. Kerberos

Kerberos clearly outshines NTLM in terms of security, efficiency, and compatibility with today’s network demands.

  • Authentication Type – NTLM: Challenge-Response. Kerberos: Ticket-Based.
  • Encryption Algorithms – NTLM: Relies on older HMAC-MD5 and MD4 algorithms. Kerberos: Uses modern, stronger encryption like AES.
  • Mutual Authentication – NTLM: No mutual authentication; only server is verified. Kerberos: Supports mutual authentication (client and server).
  • Security Vulnerabilities – NTLM: Prone to AitM and replay attacks. Kerberos: Resilient against replay and spoofing attacks.
  • Performance – NTLM: Relatively slower; requires multiple round-trips. Kerberos: More efficient; fewer round-trips.
  • Use Case – NTLM: Suitable for legacy systems. Kerberos: Preferred for modern domain environments.

How to Enable NTLM Blocking

Enabling NTLM blocking is straightforward using PowerShell. To configure NTLM blocking on SMB clients, you can use the following commands:

To check the current NTLM blocking status, run:

    Get-SmbClientConfiguration | FL BlockNTLM

If the result is False, NTLM blocking is not enabled. To enable NTLM blocking globally, use the following command:

    Set-SmbClientConfiguration -BlockNTLM $true

To enable NTLM blocking for a specific SMB mapping, run this:

    New-SmbMapping -RemotePath \\server\share -BlockNTLM $true

By configuring NTLM blocking at both global and specific levels, you can tailor security measures to fit your infrastructure needs while enhancing overall protection.
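The script below is an added example, not from the original post or any Visuality Systems library: it stages the rollout described above by first testing each share with per-mapping blocking (which leaves the global setting untouched) and then enabling blocking globally with a reviewed exception list for servers that genuinely cannot use Kerberos. It assumes Windows 11 24H2 / Windows Server 2025 and an elevated session; the -BlockNTLMServerExceptionList parameter is assumed from the Set-SmbClientConfiguration documentation for those releases, and all share and server names are constructed placeholders.

```powershell
# Added example (not from the original post). Step 1: per-mapping test, global
# setting unchanged. Step 2: global enable with an explicit, reviewed exception list.
function Test-SmbSharesKerberosOnly {
    param([Parameter(Mandatory)][string[]]$RemotePaths)
    foreach ($path in $RemotePaths) {
        try {
            # -BlockNTLM $true on the mapping forces Kerberos for this path only.
            $null = New-SmbMapping -RemotePath $path -BlockNTLM $true -ErrorAction Stop
            Remove-SmbMapping -RemotePath $path -Force
            [pscustomobject]@{ RemotePath = $path; KerberosOnly = $true;  Error = $null }
        } catch {
            [pscustomobject]@{ RemotePath = $path; KerberosOnly = $false; Error = $_.Exception.Message }
        }
    }
}

function Enable-SmbNtlmBlocking {
    param([string[]]$LegacyServers = @())
    $before = (Get-SmbClientConfiguration).BlockNTLM
    if ($LegacyServers.Count -gt 0) {
        # Exceptions only for servers that cannot do Kerberos at all. Parameter name
        # assumed from the Windows Server 2025 Set-SmbClientConfiguration docs.
        Set-SmbClientConfiguration -BlockNTLMServerExceptionList $LegacyServers -Force
    }
    Set-SmbClientConfiguration -BlockNTLM $true -Force
    [pscustomobject]@{
        BlockNTLMBefore = $before
        BlockNTLMAfter  = (Get-SmbClientConfiguration).BlockNTLM
        Exceptions      = $LegacyServers
    }
}

# Step 1: dry run over constructed sample shares. Any path that fails here will
# also fail once blocking is global; fix IP paths and SPNs rather than excepting them.
$results = Test-SmbSharesKerberosOnly -RemotePaths '\\fs01.corp.example.com\data', '\\10.0.0.5\scans'
$results | Format-Table -AutoSize

# Step 2: enable globally. Only a manually reviewed legacy server goes on the list
# (constructed name); the IP-literal share above should be changed to an FQDN instead.
Enable-SmbNtlmBlocking -LegacyServers @('legacy-nas')
```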

Best Practices When Using NTLM Blocking

  • Use Kerberos – Make Kerberos the default protocol in your domain environment.
  • Audit NTLM Usage – Identify and address legacy systems or applications still reliant on NTLM.
  • Educate Your Team – Ensure all administrators understand NTLM blocking and its impact on legacy workflows.

The Future of Authentication Security

Visuality Systems’ SMB libraries align with Microsoft’s security measures, supporting features like NTLM blocking, Kerberos authentication, and robust encryption. Our solutions ensure your SMB implementation is secure, reliable, and future-ready.

For more resources and tailored guidance about NTLM blocking and other SMB protocol security features, contact us directly.

Raphael Barki, Head of Marketing, Visuality Systems
