Microsoft enforces defenses preventing NTLM relay attacks


Since making Kerberos the default Windows authentication protocol in 2000, Microsoft has been working on eventually retiring NTLM, its less secure and obsolete counterpart.

Until NTLM gets disabled by default, Microsoft is working on shoring up defenses against NTLM relay attacks.

How do NTLM relay attacks work?

NTLM is a suite of Microsoft protocols that authenticate users and computers using a challenge/response exchange between the client (which seeks to be authenticated) and the server (which verifies that the correct user or computer is being authenticated).

The client’s response to the server’s challenge is computed using a hash of the user’s password as an encryption key – and it is that hash of the user’s login credentials that attackers can misuse.

NTLM relay attacks allow attackers to pass the captured NTLM hash on to another server without needing to decrypt it and extract the user’s password.

“Office documents and emails sent through Outlook serve as effective entry points for attackers to exploit NTLM coercion vulnerabilities, given their ability to embed UNC links within them. Recent vulnerabilities involving NTLM and Office applications include CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563,” Microsoft noted.

EPA enabled by default on Windows Server 2025

Microsoft’s efforts to improve the security of users and systems reached another important milestone earlier this month, when the company released Windows Server 2025 with Extended Protection for Authentication (EPA) enabled by default and channel binding enabled by default for the Lightweight Directory Access Protocol (LDAP).

“Note that the current default setting for EPA in Server 2025 is Enabled – When Supported, to allow clients that do not support channel bindings to omit them. A stronger EPA security setting for enterprises who do not need to support legacy clients is Enabled – Always, and we hope to move the needle further in future versions of Windows,” Microsoft noted.

“Additionally, Administrators on Windows Server 2022 and 2019 can manually enable EPA for AD CS and Channel binding for LDAP. We have enabled auditing support for LDAP to identify machines that do not support channel binding to help IT administrators move towards enabling channel binding by default by upgrading to versions that support channel binding.”
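As an added example (not from the article and not Microsoft’s own tooling), the following PowerShell checks a Windows Server 2019/2022 domain controller’s LDAP channel binding enforcement level, enables the LDAP interface auditing that reports clients failing channel binding validation, and lists those clients from the Directory Service log. It assumes it is run elevated on a domain controller; the registry value names, diagnostic level and event IDs are those from Microsoft’s LDAP channel binding hardening guidance and should be verified against current documentation.

```powershell
# Added example, not part of the article. Assumes an elevated session on a
# Windows Server 2019/2022 domain controller. Registry names and event IDs
# follow Microsoft's LDAP channel binding guidance; confirm before relying on them.

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-LdapChannelBindingState {
    # LdapEnforceChannelBinding: 0 = Never, 1 = When supported (the Server 2025
    # default quoted above), 2 = Always. Absent means it was never set explicitly.
    $item  = Get-ItemProperty -Path $ntdsParams -Name 'LdapEnforceChannelBinding' -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.LdapEnforceChannelBinding } else { $null }
    switch ($value) {
        2       { 'Always' }
        1       { 'WhenSupported' }
        0       { 'Never' }
        default { 'NotConfigured' }
    }
}

function Enable-LdapChannelBindingAudit {
    # Diagnostic level 2 for "16 LDAP Interface Events" makes the DC log event
    # 3039 for each client whose bind fails channel binding token validation while
    # enforcement is WhenSupported, plus a daily summary in event 3040. That is
    # the inventory of legacy clients to fix or upgrade before moving to Always.
    Set-ItemProperty -Path $ntdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-LdapChannelBindingFailures {
    param([int]$Hours = 24)
    # Each 3039 event message names the client address and account involved.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 3039
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object { $_.Message }
}

"LDAP channel binding enforcement: $(Get-LdapChannelBindingState)"
Enable-LdapChannelBindingAudit
Get-LdapChannelBindingFailures -Hours 24

# Once no 3039 events remain, the stronger setting the article mentions is:
# Set-ItemProperty -Path $ntdsParams -Name 'LdapEnforceChannelBinding' -Value 2 -Type DWord
```

The same enforcement level can be set centrally through the “Domain controller: LDAP server channel binding token requirements” Group Policy setting rather than the registry.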

Earlier this year, Microsoft switched on EPA by default for new and existing installs of Exchange Server 2019, and introduced Extended Protection support – as an optional feature, enabled via script – for Exchange Server 2016.
