Microsoft to Disable NTLM, Transition to Kerberos Authentication


Microsoft has made an announcement regarding the gradual phasing out of all versions of NTLM (NT LAN Manager).

This decision is part of Microsoft’s ongoing efforts to harden Windows against various security threats and vulnerabilities.

The announcement was made on Microsoft's official page listing deprecated Windows features, which indicates that the next Windows and Windows Server release will be the last version in which NTLM is active.

Transition to Negotiate and Kerberos

Microsoft is advising developers to replace NTLM calls with Negotiate calls. The Negotiate security package is designed to select the most secure available protocol, typically Kerberos.

Negotiate will fall back to NTLM only if Kerberos cannot be used, either because of system constraints or because the calling application does not supply enough information (for example, a target service name) for Kerberos to work.


This transition is expected to be straightforward for most applications, often requiring just a single line change in the AcquireCredentialsHandle call.

NTLM’s deprecation is a response to its numerous security vulnerabilities. NTLM has been a target for various attacks, including pass-the-hash and NTLM relay attacks.

These attacks exploit NTLM’s weaknesses to gain unauthorized access to systems and sensitive information. For instance, the CVE-2023-23397 vulnerability allowed attackers to leak Net-NTLMv2 hashes without user interaction, which could be used for authentication against other systems supporting NTLMv2.

Recommendations for System Administrators

Microsoft urges system administrators and cybersecurity teams to conduct thorough audits of their infrastructure to understand the extent and methods of NTLM usage.

This audit is crucial for transitioning smoothly to more modern and secure authentication methods like Kerberos. Administrators should identify all instances of NTLM use and plan for their replacement with Negotiate calls.
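One practical way to start such an audit is to look at which authentication package successful logons (Security log Event ID 4624) actually used. The script below is an added example written for this article, not Microsoft's own tooling: it assumes the Security log has been exported as XML (for instance with wevtutil or Get-WinEvent's ToXml()), and the three records it parses are constructed stand-ins for that export with made-up accounts, hosts and addresses. It counts logons per package and lists each NTLM logon with the source host and the NTLM version negotiated, flagging NTLMv1 as the weaker variant.

```python
"""Summarize which authentication package each successful logon used.

Added example for this article (not Microsoft's own tooling). It assumes the
Security log has been exported as XML, e.g. via wevtutil or Get-WinEvent's
ToXml(); the records below are constructed stand-ins for such an export.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: three Event ID 4624 records carrying the fields an NTLM
# audit cares about. Accounts, hosts and addresses are invented.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-15T09:12:01Z"/></System>
 <EventData>
  <Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">CORP</Data>
  <Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
  <Data Name="LmPackageName">NTLM V2</Data><Data Name="WorkstationName">WS-ALICE</Data>
  <Data Name="IpAddress">10.0.0.21</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-15T09:13:44Z"/></System>
 <EventData>
  <Data Name="TargetUserName">bob</Data><Data Name="TargetDomainName">CORP</Data>
  <Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">Kerberos</Data>
  <Data Name="LmPackageName">-</Data><Data Name="WorkstationName">-</Data>
  <Data Name="IpAddress">10.0.0.22</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-15T09:20:05Z"/></System>
 <EventData>
  <Data Name="TargetUserName">svc-backup</Data><Data Name="TargetDomainName">CORP</Data>
  <Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
  <Data Name="LmPackageName">NTLM V1</Data><Data Name="WorkstationName">BACKUP01</Data>
  <Data Name="IpAddress">10.0.0.50</Data>
 </EventData>
</Event>
</Events>"""


def parse_logon_events(xml_text):
    """Return one dict per 4624 event, keyed by the EventData field names."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue  # only successful logons are of interest here
        fields = {d.get("Name"): (d.text or "")
                  for d in ev.findall("e:EventData/e:Data", NS)}
        fields["TimeCreated"] = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        events.append(fields)
    return events


def count_auth_packages(events):
    """Count logons per authentication package (NTLM, Kerberos, Negotiate, ...)."""
    return Counter(e.get("AuthenticationPackageName", "?") for e in events)


def ntlm_findings(events):
    """List the NTLM logons that need to be traced back to an application.

    Each finding records who authenticated, from where, and which NTLM version
    was negotiated; NTLMv1 is flagged because it is the weaker variant.
    """
    findings = []
    for e in events:
        if e.get("AuthenticationPackageName") != "NTLM":
            continue
        findings.append({
            "time": e["TimeCreated"],
            "account": f"{e.get('TargetDomainName', '')}\\{e.get('TargetUserName', '')}",
            "source": e.get("WorkstationName", "-"),
            "ip": e.get("IpAddress", "-"),
            "ntlm_version": e.get("LmPackageName", "-"),
            "weak": e.get("LmPackageName", "") == "NTLM V1",
        })
    return findings


if __name__ == "__main__":
    evs = parse_logon_events(SAMPLE_XML)
    print(count_auth_packages(evs))
    for finding in ntlm_findings(evs):
        print(finding)
```

On a real export the findings list is the starting point for the audit: each source host and account pair points at a client, service or script that still negotiates NTLM and needs its authentication call moved to Negotiate. Enabling Microsoft's NTLM auditing policies, which write to the Microsoft-Windows-NTLM/Operational log, gives additional per-target detail that 4624 alone does not carry.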

The deprecation process will be gradual, with NTLM continuing to work in the next release of Windows Server and the next annual release of Windows.

However, after November 2026, features like Windows Mixed Reality will no longer receive updates, signaling a broader move towards phasing out older technologies.

This timeline allows organizations to transition their systems and ensure compatibility with future Windows updates.

Microsoft’s decision to deprecate NTLM marks a significant step towards enhancing the security of its operating systems.

By transitioning to Kerberos through the Negotiate package, Microsoft aims to mitigate the risks associated with NTLM and provide a more secure authentication framework for its users.

System administrators and developers are encouraged to begin the transition process promptly to ensure their systems remain secure and compatible with future Windows releases.

Visit the official Microsoft documentation pages for more detailed information on NTLM’s deprecation and the transition to Negotiate and Kerberos.
