UPDATED 11:27 EDT / OCTOBER 13 2023

SECURITY

It’s time to put an end to the NTLM network authentication protocol

An ancient network authentication protocol has received its first death notice.

The protocol, which has roots going back to the first local area network days of the 1980s, is called Microsoft NTLM, short for New Technology LAN Manager. Microsoft Corp.’s Matthew Palko charted its evolution, and its hoped-for eventual demise, in a blog post earlier this week.

NTLM has a long and storied history, and most of it isn’t good. The protocol has been a go-to for hackers for decades, ever since it was first created.

Actually, its name belies its heritage. Microsoft’s first network server was called LAN Manager, and it was based on OS/2, the operating system it co-developed with IBM Corp. and released in 1987. Then the two companies got divorced and went their separate ways, IBM sticking with OS/2 for many years while the rest of the world eventually preferred Microsoft’s version, which became Windows NT in 1993. The authentication protocols went through various updates along the way, as Keren Pollack documented in this blog for CalCom, an Israeli security provider.

“Our end goal is eliminating the need to use NTLM at all to help improve the security bar of authentication for all Windows users,” Palko wrote. That goes to the heart of why the protocol has such staying power: NTLM has been central to authentication in numerous non-Microsoft products as well, such as web server load balancers and some network proxies. That dependence has made killing off NTLM difficult, and it explains why the protocol has stayed around for so long.

Microsoft has tried to rid itself of NTLM before: at the turn of the century it changed the default authentication setting for its network servers, replacing NTLM with Kerberos, a more modern and secure protocol. But it still kept NTLM around.

Palko admitted that NTLM will remain a fallback choice for the time being, which means that hackers still have their favorite tools for forcing their way into a corporate network. He wrote that Microsoft will monitor its use and turn it off once and for all at some point in the future. But don’t hold your breath: This is likely to take years.

NTLM solves one unique authentication problem: the ability to connect to a Microsoft domain controller without a direct local network path, as this blog post by CrowdStrike’s Narendran Vaideeswaran explains.

To drive a stake in NTLM’s heart, Microsoft is proposing a series of extensions to Kerberos, called IAKerb, that can handle this situation. That’s great, but shouldn’t it have come up with this, say, in 2005 or so?

NTLM clearly passed its prime a long time ago. It doesn’t support multifactor or adaptive authentication: a single pass/fail operation means that once users are authenticated, they are in forever. Its passwords are so simple that even the computer inside today’s average smartwatch (well, almost) can crack them in seconds. To make matters worse, they are sent across and stored somewhere on the network, just waiting for some hacker to find and exploit them.

Palko’s blog post has links to tools that network administrators can use to discover and root out NTLM. Vaideeswaran’s post has a number of suggestions on how to monitor and mitigate its use too. And CalCom has its Server Hardening Suite that can report when NTLM is being used and switch over to Kerberos.
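The discovery step those tools automate can also be done by hand on a single Windows host. The script below is an added example, not code from the article, from Microsoft, CrowdStrike or CalCom: it reads the documented NTLM hardening values under the Lsa registry key (LmCompatibilityLevel and the Restrict/Audit NTLM traffic policies) and then lists which accounts have still been authenticating with NTLM, using the AuthenticationPackageName and LmPackageName fields of Security event 4624. The seven-day window and the "NTLM V1" flag threshold are this script's own assumptions; run it in an elevated PowerShell session, since reading the Security log requires administrator rights.

```powershell
# Added example (not from the article or any vendor): inventory NTLM hardening
# settings and recent NTLM logons on one Windows host. Registry value names and
# event ID 4624 are documented Windows items; the 7-day window is an assumption.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key = Join-Path $LsaKey 'MSV1_0'

function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $Default }   # value absent: the OS default applies
}

function Get-NtlmPolicySummary {
    # LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM/NTLMv1 on servers.
    # Restrict*NTLMTraffic and AuditReceivingNTLMTraffic: 0 allow, 1 audit, 2 deny/audit all.
    [pscustomobject]@{
        LmCompatibilityLevel         = Get-RegValueOrDefault $LsaKey 'LmCompatibilityLevel' 'not set (OS default)'
        RestrictSendingNTLMTraffic   = Get-RegValueOrDefault $Msv1Key 'RestrictSendingNTLMTraffic' 0
        RestrictReceivingNTLMTraffic = Get-RegValueOrDefault $Msv1Key 'RestrictReceivingNTLMTraffic' 0
        AuditReceivingNTLMTraffic    = Get-RegValueOrDefault $Msv1Key 'AuditReceivingNTLMTraffic' 0
    }
}

function Get-NtlmLogonSummary {
    param([int]$Days = 7)   # window assumed for this example
    $since = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # Parse the event XML so fields are looked up by name rather than by position.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.AuthenticationPackageName -eq 'NTLM') {
            [pscustomobject]@{
                User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Package   = $d.LmPackageName     # 'NTLM V1' or 'NTLM V2'
                LogonType = $d.LogonType
                Source    = $d.IpAddress
            }
        }
    }
    # Summarize per account; flag any account still seen using NTLMv1.
    $rows | Group-Object User | ForEach-Object {
        [pscustomobject]@{
            User    = $_.Name
            Count   = $_.Count
            UsesV1  = [bool]($_.Group | Where-Object Package -eq 'NTLM V1')
            Sources = ($_.Group.Source | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Count -Descending
}

Get-NtlmPolicySummary | Format-List
Get-NtlmLogonSummary -Days 7 | Format-Table -AutoSize
```

A policy summary showing LmCompatibilityLevel below 5 or RestrictSendingNTLMTraffic at 0, combined with accounts in the logon table marked UsesV1, tells an administrator where to start: move those sources to Kerberos, then raise the audit setting to 1 and, once the table is empty for a few weeks, the restrict settings to 2. The same information is available domain-wide from the Microsoft-Windows-NTLM/Operational log once auditing is enabled.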

Image: Jordan Harrison/Unsplash
