It’s time to put an end to the NTLM network authentication protocol
An ancient network authentication protocol has received its first death notice.
The protocol, which has roots going back to the first local area network days of the 1980s, is called Microsoft NTLM, which stands for New Technology LAN Manager. Microsoft Corp.’s Matthew Palko charted its evolution, and its hoped-for eventual demise, in a blog post earlier this week.
NTLM has a long and storied history, and most of it isn’t good. The protocol has been a go-to for hackers for decades, ever since it was created.
Its name reflects its heritage. Microsoft’s first network server was called LAN Manager, and it was based on the operating system that it co-developed with IBM Corp. called OS/2, released in 1987. Then the two companies got divorced and went their separate ways, IBM sticking with OS/2 for many years while the rest of the world eventually preferred Microsoft’s version, which became Windows NT in 1993. The authentication protocols went through various updates along the way, as Keren Pollack documented in this blog for CalCom, an Israeli security provider.
“Our end goal is eliminating the need to use NTLM at all to help improve the security bar of authentication for all Windows users,” Palko wrote. That goes to the heart of why the protocol has such staying power: NTLM is baked into the authentication of numerous non-Microsoft products, such as web server load balancers and some network proxies. That dependency is what has made killing off NTLM difficult, and why it has stayed around for so long.
Microsoft has tried to rid itself of NTLM before. At the turn of the century it changed the default for its network servers, replacing NTLM with Kerberos, a more modern and secure protocol. But it still kept NTLM around.
Palko admitted that NTLM will still be a fallback choice for the time being, which means that hackers still have their favorite tools to force their way into a corporate network. He wrote that Microsoft will monitor its use and turn it off once and for all at some time in the future. But don’t hold your breath: This is likely to take years.
NTLM solves one problem that Kerberos alone does not: it lets a client authenticate to a server even when the client has no network path to a Microsoft domain controller, because the server can forward the challenge-response exchange to the controller on the client’s behalf, as this blog post by Crowdstrike’s Narendran Vaideeswaran explains.
To drive a stake in NTLM’s heart, Microsoft is proposing a series of extensions to Kerberos, called IAKerb, that can handle this situation. That’s great, but shouldn’t it have come up with this, say, in 2005 or so?
NTLM clearly passed its prime a long time ago. It has no native support for multifactor or adaptive authentication: it is a single pass/fail challenge-response exchange, so once users are authenticated nothing re-evaluates them. Its password hashes are unsalted and cheap to compute, so ordinary hardware can crack common passwords in seconds; worse, the hash itself is all an attacker needs, so a captured or stored hash can simply be reused without ever being cracked. To make matters worse, those hashes sit on every machine a user has logged on to, and the challenge-response messages travel across the network, just waiting for some hacker to capture, relay or crack them.
Palko’s blog post has links to tools that network administrators can use to discover and root out NTLM. Vaideeswaran’s post has a number of suggestions on how to monitor and mitigate its use too. And CalCom has its Server Hardening Suite that can report when NTLM is being used and switch over to Kerberos.
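As an added example, not from the article, from Palko’s post, or from any of the vendor tools mentioned, here is a PowerShell script a Windows administrator could run on a host to inventory its NTLM use before deciding to turn the protocol off. The registry values and event IDs are the documented Windows ones for the “Restrict NTLM” audit policies, the LAN Manager authentication level, and the Security and NTLM Operational logs; the seven-day window and the grouping are my own choices. It only enables auditing and never blocks anything.

```powershell
# Added example (not the article's or Microsoft's code): audit-only NTLM inventory
# for a single Windows host. Run in an elevated PowerShell session.
#Requires -RunAsAdministrator

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'
$since = (Get-Date).AddDays(-7)   # assumed reporting window

# 1. Turn on NTLM auditing without blocking. These correspond to the
#    "Network security: Restrict NTLM" group policies in audit mode:
#      AuditReceivingNTLMTraffic = 2  -> audit incoming NTLM for all accounts
#      RestrictSendingNTLMTraffic = 1 -> audit (not deny) outgoing NTLM
New-Item -Path $msv10 -Force | Out-Null
Set-ItemProperty -Path $msv10 -Name 'AuditReceivingNTLMTraffic'  -Value 2 -Type DWord
Set-ItemProperty -Path $msv10 -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# 2. Report the LAN Manager authentication level. Anything below 5 still lets the
#    host send or accept LM/NTLMv1 responses, the cheapest ones to crack.
$level = (Get-ItemProperty -Path $lsa -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level) { $level = 'not set (OS default applies)' }
"LmCompatibilityLevel: $level  (5 = send NTLMv2 only, refuse LM and NTLMv1)"

# 3. Summarize successful logons that used the NTLM package (Security event 4624)
#    so you can see which accounts and workstations still depend on it.
$ntlmLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data['AuthenticationPackageName'] -eq 'NTLM') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Workstation = $data['WorkstationName']
                SourceIP    = $data['IpAddress']
                LogonType   = $data['LogonType']
                Package     = $data['LmPackageName']   # 'NTLM V1' or 'NTLM V2'
            }
        }
    }

"NTLM logons since $since"
$ntlmLogons |
    Group-Object Account, Workstation, Package |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 4. With auditing on, each audited NTLM use is also written to the NTLM
#    Operational log: 8001 = outgoing from this host, 8002 = incoming to this
#    host, 8003 = domain-wide audit (on domain controllers), 8004 = blocked by
#    a domain controller. Anything here is a dependency to fix before blocking.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Run it, let it collect for a week or two, and only then consider raising RestrictSendingNTLMTraffic to 2 (deny) and the LmCompatibilityLevel to 5; the 4624 summary tells you which accounts and hosts will break, which is exactly the fallback dependency Palko says Microsoft will be monitoring before it switches NTLM off for good.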
Image: Jordan Harrison/Unsplash