Microsoft Phasing Out NTLM in Favor of Kerberos for Enhanced Authentication and Security in Windows 11
- 2023年10月17日
- 技術情報
Microsoft has revealed its plan to phase out NT LAN Manager (NTLM) authentication in Windows 11 to enhance security and focus on bolstering the Kerberos authentication protocol. This move includes the introduction of features like Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos in Windows 11.
NTLM, a security protocol from the 1990s, was originally designed for user authentication, integrity, and confidentiality. However, it has been replaced by Kerberos since Windows 2000, though it continues to be used as a fallback option. NTLM relies on a three-way handshake for user authentication and uses password hashing, while Kerberos employs a two-part process with encryption.
NTLM has been found to have inherent security weaknesses and is vulnerable to relay attacks, which could potentially allow unauthorized access to network resources.
Microsoft is actively working to address hard-coded NTLM instances in its components as part of its preparation to disable NTLM in Windows 11. These changes will be enabled by default, with no need for additional configuration in most scenarios. NTLM will still be available as a fallback for maintaining compatibility with existing systems.
Asahi
waithaw at 2023年10月17日 10:00:00