
After decades on life support, Microsoft is finally flipping the kill switch for NTLM (New Technology LAN Manager), a built-in authentication system. Hackers favor NTLM for its weak security and vulnerability to relay attacks.
Microsoft announced that NTLM will be disabled by default in future Windows versions, but gave no exact date.
In the next major Windows Server release and associated Windows client releases, network NTLM will be disabled by default, and its usage will require explicit re-enablement.
“Disabling NTLM by default does not mean completely removing NTLM from Windows yet. Instead, it means that Windows will be delivered in a secure-by-default state where network NTLM authentication is blocked and no longer used automatically,” the tech giant announced in its IT Pro Blog.
While largely replaced by more modern solutions such as Kerberos, the deprecated NTLM protocol has remained part of Windows authentication for more than three decades. It uses challenge-response verification for access to network resources, most often as a fallback when Kerberos is unavailable.
And hackers love it as it allows authentication without ever knowing or cracking a user’s password.
Attackers positioned as a man-in-the-middle have been using the so-called NTLM relay attack: they capture the NTLM challenge-response exchange and present the stolen handshake to the domain controller, which then authenticates the attacker as the victim and grants the corresponding access rights.
Google security researchers also recently demonstrated how easy it is to crack this login system. Publicly released Net-NTLMv1 rainbow tables can be used to recover keys in hours using consumer hardware.
“This legacy protocol leaves organizations vulnerable to trivial credential theft, yet it remains prevalent due to inertia and a lack of demonstrated immediate risk,” Nic Losby, a Principal Red Team Consultant at Mandiant, said previously.
A stream of zero-day vulnerabilities has also handed attackers tools to steal NTLM credentials with little to no user interaction, prompting unofficial patches.
Microsoft itself acknowledges that the use of this deprecated protocol exposes organizations to even more risks: no server authentication, vulnerability to replay, relay, and pass-the-hash attacks, weak cryptography, and limited visibility.
What’s changing?
Microsoft presented a three-phase roadmap, introducing new tools and support before disabling NTLM completely.
As of today, organizations have access to enhanced NTLM auditing to understand remaining uses of NTLM in their environments. These enhancements were introduced in Windows 11 version 24H2, Windows Server 2025, and later.
In the second phase, starting in the second half of 2026, three additional solutions, addressing major pain points, will become available:
- IAKerb and local Key Distribution Center (KDC) will allow Kerberos authentication to succeed in scenarios where domain controller (DC) connectivity previously forced NTLM fallback.
- Local KDC will help ensure that local account authentication no longer forces NTLM fallback on modern systems.
- Core Windows components will be upgraded to negotiate Kerberos first, reducing instances of NTLM usage.
In the third stage, at some point in the future, NTLM will be disabled by default. To reduce application breakage, support for handling NTLM-only cases will remain built-in.
“NTLM will remain present in the OS and can be explicitly re-enabled via policy if you still need it. This approach balances meaningful security improvements while maintaining a supported and phased transition as you move away from NTLM,” Microsoft said.
The tech giant urges organizations to deploy enhanced NTLM usage auditing, map dependencies, migrate critical workloads to Kerberos, and otherwise prepare for eventual NTLM removal.
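One way to act on that auditing advice, as an added example that is not the article's or Microsoft's code: a PowerShell function that reduces Security event 4624 logons to the accounts and workstations still authenticating over NTLM, and flags whether NTLMv1 is still in use. Field names are the standard 4624 EventData names; the account, host and address values in the sample events are constructed.

```powershell
# Added example (not from the article or from Microsoft): summarise NTLM logons
# recorded in Security event 4624 so remaining NTLM dependencies can be mapped
# before the protocol is disabled by default. Reading the live Security log
# needs an elevated prompt; the constructed sample below runs anywhere.

function Get-NtlmLogonSummary {
    param([Parameter(Mandatory)][object[]]$Events)   # EventLogRecord objects or raw event XML strings

    $rows = foreach ($e in $Events) {
        $xml = if ($e -is [string]) { [xml]$e } else { [xml]$e.ToXml() }
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.AuthenticationPackageName -ne 'NTLM') { continue }   # drop Kerberos/Negotiate logons
        [pscustomobject]@{
            Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Workstation = $d.WorkstationName
            SourceIp    = $d.IpAddress
            LogonType   = $d.LogonType        # 3 = network logon, the relay-prone case
            Version     = $d.LmPackageName    # 'NTLM V1' is the variant the rainbow tables target
        }
    }
    $rows | Group-Object Account, Workstation, Version | Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count       = $_.Count
                Account     = $_.Group[0].Account
                Workstation = $_.Group[0].Workstation
                Version     = $_.Group[0].Version
                SourceIps   = ($_.Group.SourceIp | Sort-Object -Unique) -join ','
            }
        }
}

# Constructed sample events (hypothetical names and addresses). For a live run use:
#   Get-NtlmLogonSummary -Events (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 5000)
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample = @(
  "<Event xmlns='$ns'><EventData><Data Name='TargetUserName'>svc_backup</Data><Data Name='TargetDomainName'>CORP</Data><Data Name='LogonType'>3</Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>FILE01</Data><Data Name='LmPackageName'>NTLM V1</Data><Data Name='IpAddress'>10.0.0.23</Data></EventData></Event>",
  "<Event xmlns='$ns'><EventData><Data Name='TargetUserName'>svc_backup</Data><Data Name='TargetDomainName'>CORP</Data><Data Name='LogonType'>3</Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>FILE01</Data><Data Name='LmPackageName'>NTLM V1</Data><Data Name='IpAddress'>10.0.0.24</Data></EventData></Event>",
  "<Event xmlns='$ns'><EventData><Data Name='TargetUserName'>alice</Data><Data Name='TargetDomainName'>CORP</Data><Data Name='LogonType'>3</Data><Data Name='AuthenticationPackageName'>Kerberos</Data><Data Name='WorkstationName'>WS-ALICE</Data><Data Name='LmPackageName'>-</Data><Data Name='IpAddress'>10.0.0.50</Data></EventData></Event>"
)
Get-NtlmLogonSummary -Events $sample | Format-Table -AutoSize
```

With the sample input the Kerberos logon is dropped and the two NTLM V1 logons for CORP\svc_backup from FILE01 collapse into one row with Count 2, which is the kind of dependency to migrate to Kerberos first.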