Microsoft Improves Windows Security with a Path to Move Off NTLM

Now Microsoft plans to extend Kerberos in the versions of Windows and Windows Server that will ship in the next two years to help organizations move off NTLM. Here's what will change and how to prepare.
How can I get ready to move off NTLM? Just over half of NTLM usage comes from applications that hardcode the use of NTLM. If you've done that in your own applications, you'll need to update the application: there aren't any shims or workarounds that Microsoft can provide in Windows.
If you find compatibility issues with IAKerb and the local KDC in your environment, there will be policies to turn them off, or to configure which applications, services and individual servers can continue to use NTLM and which ones you want to block from using it.
Tools and settings for blocking NTLM were introduced in Windows 7 and Windows Server 2008 R2 in 2012, but given how widely NTLM is used, few organizations will have been able to remove it entirely.
You can use the "Network Security: Restrict NTLM: Audit incoming NTLM traffic" security policy to audit your NTLM use. Make sure the Event Viewer logs are large enough, because there's probably enough traffic to fill them up more quickly than you expect.
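One way to act on the audit advice above, as an added example that is not from the original article or from Microsoft: check and raise the size limit of the NTLM audit log, then summarize what it has recorded. It assumes the audit events land in the built-in `Microsoft-Windows-NTLM/Operational` channel; the 128 MB limit, the 7-day window and the CSV file names are assumed values, and the commands need an elevated session.

```powershell
# Added example. Assumes NTLM audit events are written to this built-in channel.
$logName = 'Microsoft-Windows-NTLM/Operational'

# 1. Show how full the log is and what its size limit is.
$log = Get-WinEvent -ListLog $logName
'{0}: {1:N0} of {2:N0} bytes used (mode: {3})' -f `
    $log.LogName, $log.FileSize, $log.MaximumSizeInBytes, $log.LogMode

# 2. Raise the limit if it is below the target (128 MB is an assumed value).
$wantedBytes = 128MB
if ($log.MaximumSizeInBytes -lt $wantedBytes) {
    wevtutil.exe sl $logName /ms:$wantedBytes
}

# 3. Read the last 7 days of audit events (window is an assumed value).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# 4. Flatten each event's named data fields into columns, without
#    assuming which fields a given event ID carries.
$rows = foreach ($e in $events) {
    $row = [ordered]@{ TimeCreated = $e.TimeCreated; Id = $e.Id }
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $row[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$row
}

# 5. Count events per event ID to see where the volume is.
$rows | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'EventId'; Expression = { $_.Name } }

# 6. Write one CSV per event ID so each file has consistent columns.
#    Review these to find the applications and servers still using NTLM.
$rows | Group-Object Id | ForEach-Object {
    $_.Group | Export-Csv -Path "ntlm-audit-$($_.Name).csv" -NoTypeInformation
}
```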
The option to block Windows from allowing NTLM authentication for SMB is also coming to Windows 11, starting with Windows 11 Insider Preview Build 25951, which shipped to the Canary channel this September.
News URL
https://www.techrepublic.com/article/microsoft-improves-windows-security/