Security News > 2023 > November > Microsoft Improves Windows Security with a Path to Move Off NTLM
Now Microsoft plans to extend Kerberos in the versions of Windows and Windows Server that will ship in the next two years to help organizations move off NTLM. Here's what will change and how to prepare.
How can I get ready to move off NTLM? Just over half of NTLM usage is for applications that hardcode in using NTLM. If you've done that in your own applications, you'll need to update the application: There aren't any shims or workarounds that Microsoft can do in Windows.
If you find compatibility issues with IAKerb and local KDC in your environment, there will be policies to turn them off or configure which applications, services and individual servers can continue to use NTLM and which you want to block NTLM on.
Tools and settings for blocking NTLM were introduced in Windows 7 and Windows Server 2008 R2 in 2012, but given how widely NTLM is used, few organizations will have been able to remove it entirely.
You can use the Network Security: Restrict NTLM: Audit incoming NTLM traffic security policy to audit your NTLM use - make sure the event viewer logs are large enough because there's probably enough traffic to fill them up more quickly than you expect.
The option to block Windows from allowing NTLM authentication for SMB is also coming to Windows 11, starting with Windows 11 Insider Preview Build 25951, which shipped to the Canary channel this September.
News URL
https://www.techrepublic.com/article/microsoft-improves-windows-security/
Related news
- Microsoft confirms memory leak in March Windows Server security update (source)
- Microsoft: April Windows Server updates cause NTLM auth failures (source)
- Microsoft says Windows 10 21H2 support is ending in June (source)
- March 2024 Patch Tuesday: Microsoft fixes critical bugs in Windows Hyper-V (source)
- Microsoft Copilot for Security prepares for April liftoff (source)
- Microsoft’s Security Copilot Enters General Availability (source)
- Microsoft again bothers Chrome users with Bing popup ads in Windows (source)
- Microsoft announces deprecation of 1024-bit RSA keys in Windows (source)
- Microsoft confirms Windows Server issue behind domain controller crashes (source)
- Microsoft releases emergency fix for Windows Server crashes (source)