Microsoft has taken a decisive step in enhancing cybersecurity by announcing the default disabling of the 30-year-old NTLM authentication protocol in forthcoming Windows releases. This move comes in response to the security vulnerabilities inherent in NTLM, which have made organizations susceptible to cyberattacks.
NTLM, or New Technology LAN Manager, was introduced in 1993 alongside Windows NT 3.1, serving as a successor to the earlier LAN Manager (LM) protocol. While Kerberos has since become the standard authentication protocol for domain-connected devices running Windows 2000 and later, NTLM remains a fallback option when Kerberos is unavailable. However, its reliance on weak cryptography has rendered it vulnerable to various forms of attack.
Over the years, NTLM has been exploited in numerous ways, particularly through NTLM relay attacks, where cybercriminals manipulate compromised network devices to authenticate against servers they control. This exploitation can lead to privilege escalation and complete control over Windows domains. Attackers have also leveraged vulnerabilities such as PetitPotam, ShadowCoerce, DFSCoerce, and RemotePotato0 to bypass mitigations against NTLM relay attacks.
Additionally, NTLM has been a target for pass-the-hash attacks, where cybercriminals exploit system vulnerabilities or deploy malicious software to steal NTLM hashes—hashed passwords that allow them to authenticate as compromised users. This capability enables attackers to access sensitive data and move laterally within networks.
“Blocked and no longer used automatically”
In a significant shift towards more secure authentication methods, Microsoft announced on Thursday that NTLM will be disabled by default in the next major Windows Server release and associated Windows client versions. This change is part of a broader initiative aimed at promoting passwordless and phishing-resistant authentication solutions.
To facilitate this transition, Microsoft has outlined a three-phase plan designed to address NTLM-related risks while minimizing disruption for users. In the first phase, administrators will have access to enhanced auditing tools available in Windows 11 24H2 and Windows Server 2025, enabling them to identify where NTLM is still in use.
The second phase, slated for the latter half of 2026, will introduce new features such as IAKerb and a Local Key Distribution Center, which will help mitigate common scenarios that trigger NTLM fallback. Finally, the third phase will see network NTLM disabled by default in future releases, although the protocol will remain in the operating system and can be re-enabled through policy controls if necessary.
Microsoft clarified that disabling NTLM by default does not equate to its complete removal from Windows. Instead, the operating system will be delivered in a secure-by-default state, where network NTLM authentication is blocked and not used automatically. The preference will shift towards modern, more secure Kerberos-based alternatives, while legacy scenarios will be addressed through upcoming capabilities like Local KDC and IAKerb.
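The first phase above hinges on finding where NTLM is still used. As an added example (not from the article or from Microsoft's own tooling), the PowerShell below summarizes NTLM logons recorded in a host's Security log; it assumes an elevated session and the standard fields of logon event 4624, and the period and event limit are adjustable parameters.

```powershell
# Added example: inventory NTLM logons from the local Security event log.
# Assumes an elevated PowerShell session on a Windows host; event ID 4624
# (successful logon) and its field names are the standard Security-log schema.
param(
    [int]$Hours = 24,        # look-back window (assumed default)
    [int]$MaxEvents = 5000   # cap on events read (assumed default)
)

$since = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Parse the event XML so fields are addressed by name, not by position.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Keep only logons that actually used the NTLM package.
    if ($d.AuthenticationPackageName -eq 'NTLM') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType          # 3 = network, 10 = RDP, ...
            NtlmVersion = $d.LmPackageName      # 'NTLM V1' or 'NTLM V2'
            SourceHost  = $d.WorkstationName
            SourceIp    = $d.IpAddress
        }
    }
}

# One line per (source, account, NTLM version) so each remaining
# dependency is visible once; NTLM V1 entries deserve the earliest attention.
$rows | Group-Object SourceIp, User, NtlmVersion |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

For a domain-wide view, the "Network security: Restrict NTLM: Audit ..." policies additionally write per-authentication events to the Microsoft-Windows-NTLM/Operational log, which can be queried the same way with Get-WinEvent.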
Initially announcing plans to retire the NTLM protocol in October 2023, Microsoft has been proactive in encouraging developers to transition to Kerberos or Negotiate authentication to avoid future complications. The company officially deprecated NTLM authentication on Windows and Windows Server in July 2024, advising developers to cease its use in applications. Since 2010, Microsoft has urged Windows administrators to either disable NTLM or configure their servers to block NTLM relay attacks against Active Directory Certificate Services (AD CS).
As organizations prepare for these changes, the focus remains on fostering a more secure digital environment, paving the way for a future where legacy protocols like NTLM are phased out in favor of robust, modern authentication methods.