Microsoft has announced plans to disable the outdated and insecure NTLM protocol by default in the next version of Windows Server. However, the exact release date for this update remains uncertain. Currently, NTLM is still prevalent across many Windows systems, and administrators are challenged with managing its associated security risks.
Historical Context
NTLM, an older authentication method, has long been known for its security weaknesses. Ransomware attackers frequently exploit these flaws to gain access to privileged accounts; NTLMv1 hashes in particular are easy to crack. Attackers can crack captured hashes with precomputed rainbow tables or reuse them directly in Pass-the-Hash attacks.
Despite its well-documented drawbacks, Microsoft is cautious about abandoning NTLM completely, because many systems still rely on it: for example, clients without direct access to a Domain Controller, which Kerberos authentication requires, or local accounts that still authenticate with NTLM. Microsoft has indicated that by the second half of 2026 it aims to address these migration challenges with solutions such as IAKerb and updates to Windows components.
Looking Ahead
With the upcoming major Windows Server version, Microsoft has committed to disabling NTLM by default. However, it has tempered expectations by clarifying that an NTLM component will remain in Windows so that administrators who need it can reactivate it. Further details about the phase-out process have yet to be provided.
IT security professionals should not wait for these changes before mitigating the risks associated with NTLM. Resources like the heise security webinar "Understanding and Closing Security Gaps in NTLM and Kerberos" offer practical guidance on managing these weaknesses. Additionally, NTLM's successor, Kerberos, has security concerns of its own that are currently being exploited, so safeguarding Windows networks requires proactive measures in any case.
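Before NTLM is switched off by default, an administrator needs to know which accounts and hosts still depend on it, and which of those still negotiate the crackable NTLMv1 or LM variants. The following added example (not from the article or from Microsoft) triages constructed Windows Security Event ID 4624 logon records by their Authentication Package and Package Name (NTLM only) fields; the field names follow the real 4624 event, while the hosts, users and addresses are made up.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample records mimicking the relevant fields of Security Event 4624.
SAMPLE_EVENTS = [
    {"TargetUserName": "svc_backup", "WorkstationName": "FILESRV01", "IpAddress": "10.0.0.21",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    {"TargetUserName": "jdoe", "WorkstationName": "WS-114", "IpAddress": "10.0.0.114",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},
    {"TargetUserName": "asmith", "WorkstationName": "WS-007", "IpAddress": "10.0.0.7",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-"},
    {"TargetUserName": "Administrator", "WorkstationName": "APPSRV02", "IpAddress": "10.0.0.30",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    {"TargetUserName": "legacyapp", "WorkstationName": "OLDBOX", "IpAddress": "10.0.0.99",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "LM"},
]

@dataclass(frozen=True)
class Finding:
    user: str
    source: str
    ip: str
    variant: str
    severity: str

def classify(event):
    """Return a Finding for NTLM/LM logons, None for Kerberos and other packages."""
    if event.get("AuthenticationPackageName") != "NTLM":
        return None
    variant = event.get("LmPackageName", "-")
    # LM and NTLMv1 responses are cheap to crack offline, so they get top priority.
    # NTLMv2 is still worth listing: it is what stops working when the default flips.
    severity = "high" if variant in ("LM", "NTLM V1") else "medium"
    return Finding(event.get("TargetUserName", "?"), event.get("WorkstationName", "?"),
                   event.get("IpAddress", "?"), variant, severity)

def inventory(events):
    """Collect all NTLM findings plus a count per protocol variant."""
    findings = [f for f in (classify(e) for e in events) if f is not None]
    return findings, Counter(f.variant for f in findings)

if __name__ == "__main__":
    findings, by_variant = inventory(SAMPLE_EVENTS)
    for f in sorted(findings, key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.variant:8} {f.user}@{f.source} ({f.ip})")
    print("per variant:", dict(by_variant))
```

On a real system the same logic can be fed from exported 4624 events, or from the dedicated NTLM audit log that Windows writes when the "Network security: Restrict NTLM: Audit" policies are enabled.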
