The ongoing migration from NTLM to Kerberos authentication marks a significant transformation in the security landscape for Windows systems. However, this transition is not without its challenges and potential costs. Legacy systems, hardcoded authentication, and embedded devices such as HVAC controllers can complicate the process, as can hidden fallback configurations that require careful identification and remediation.
What’s involved in migration?
Before the deactivation of NTLM can take place, Managed Service Providers (MSPs) and IT teams must first identify its usage across their networks. This investigative phase is bolstered by enhanced auditing features, although it can be time-consuming, particularly if NTLM is only active during specific events or periods.
Once identified, any systems utilizing NTLM must undergo testing with NTLM disabled. This testing phase may involve creating dedicated environments, configuring Kerberos authentication, and collaborating with end-users to ensure that functionality remains intact.
Following successful testing, the migration from NTLM to Kerberos can be executed through group policy adjustments or may necessitate upgrades and code modifications. Coordination with various vendors and support teams will likely be essential, and organizations should be prepared for unforeseen delays that could extend the project timeline.
As with any IT initiative, a period of monitoring and communication is critical to identify and address any unexpected impacts on users. This phase also provides an opportunity to document new procedures and policies, as well as to train personnel who may need to troubleshoot issues as they arise.
Post-migration, ongoing monitoring is vital to ensure that NTLM does not re-enter the network, safeguarding the integrity of the new authentication framework.
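As an added example that is not part of the original article, the identification phase and the post-migration "has NTLM come back" check described above can be scripted over an export of Security event 4624 (successful logon) records. The field names are those of the 4624 event; the hosts, accounts, addresses and the exception list are constructed sample data.

```python
import csv
from collections import Counter, defaultdict

# Constructed sample export of Security event 4624 (successful logon) records,
# as pulled from a SIEM or Get-WinEvent into CSV. Hosts, accounts and
# addresses are invented for illustration.
SAMPLE_4624_CSV = """\
TimeCreated,TargetUserName,TargetDomainName,WorkstationName,IpAddress,LogonType,AuthenticationPackageName,LmPackageName
2024-05-01T08:01:10,jdoe,CORP,WS-FIN-01,10.0.5.21,3,Kerberos,-
2024-05-01T08:02:44,svc_backup,CORP,BACKUP-SRV,10.0.9.4,3,NTLM,NTLM V2
2024-05-01T08:03:02,hvac_ctrl,CORP,HVAC-CTRL-02,10.0.40.7,3,NTLM,NTLM V1
2024-05-01T08:05:19,jdoe,CORP,WS-FIN-01,10.0.5.21,2,Negotiate,-
2024-05-01T08:06:51,asmith,CORP,,10.0.5.33,3,Negotiate,NTLM V2
2024-05-01T08:07:30,svc_backup,CORP,BACKUP-SRV,10.0.9.4,3,NTLM,NTLM V2
"""

def is_ntlm_logon(event):
    # Checking AuthenticationPackageName alone misses Negotiate logons that
    # fell back to NTLM: those show "Negotiate" there and the NTLM version
    # ("NTLM V1"/"NTLM V2") in LmPackageName, so both fields are examined.
    pkg = event["AuthenticationPackageName"].strip()
    lm = event["LmPackageName"].strip().upper()
    return pkg == "NTLM" or lm.startswith("NTLM")

def ntlm_inventory(csv_text):
    """Per-source NTLM logon counts, accounts seen per source, and the sources
    still using NTLMv1 (the weakest variant, remediate these first)."""
    by_source, accounts, v1 = Counter(), defaultdict(set), set()
    for ev in csv.DictReader(csv_text.splitlines()):
        if not is_ntlm_logon(ev):
            continue
        source = ev["WorkstationName"] or ev["IpAddress"]  # name, else address
        by_source[source] += 1
        accounts[source].add(ev["TargetDomainName"] + "\\" + ev["TargetUserName"])
        if ev["LmPackageName"].strip().upper() == "NTLM V1":
            v1.add(source)
    return {"by_source": dict(by_source),
            "accounts": {s: sorted(a) for s, a in accounts.items()},
            "ntlmv1_sources": sorted(v1)}

def ntlm_reappeared(csv_text, allowed_sources=()):
    """Post-migration check: NTLM sources not on the documented exception list."""
    inv = ntlm_inventory(csv_text)
    return sorted(s for s in inv["by_source"] if s not in set(allowed_sources))
```

Run the inventory repeatedly during the identification phase, since a device that authenticates only during a monthly job will not appear in a short capture; after migration, feed the same export to ntlm_reappeared with the agreed exception list to catch NTLM creeping back.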
NTLM is a security risk
NTLM poses significant security vulnerabilities, having been exploited by numerous threat groups including Volt Typhoon, Scattered Spider, Wizard Spider, and Dragonfly. The hash-based authentication model associated with NTLM serves as a catalyst for attacks that can lead to ransomware incidents or advanced persistent threat (APT) intrusions. Despite this, Microsoft has noted that NTLM remains prevalent in enterprise environments, often due to legacy dependencies, network limitations, or entrenched application logic. It is imperative for organizations to actively work towards eliminating these NTLM dependencies.
Companies may hesitate to invest in an NTLM migration project, especially after recent investments in new Windows 11 machines, and communicating the risks associated with NTLM to a non-technical audience can be challenging. Nevertheless, business leaders typically grasp the ramifications of a ransomware attack. Transitioning to Kerberos authentication represents a strategic security investment with long-term advantages, making it a priority that should be addressed without delay.