Microsoft's Push Towards Kerberos in Windows 11
Microsoft prioritizes security in its Windows platform, given that it caters to over a billion users worldwide. A notable shift was announced over a year ago with the decision to phase out Server Message Block version 1 (SMB1) in Windows 11 Home. Furthering this security-focused progression, Microsoft is now looking to reduce reliance on NT LAN Manager (NTLM) user authentication, pivoting towards the more secure Kerberos.
Despite Kerberos being Windows' default authentication protocol for over two decades, its limitations have often necessitated fallback to NTLM. Addressing these issues, Microsoft is now introducing innovative fallbacks in Windows 11, namely Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos.
The continued popularity of NTLM arises from its benefits, such as not requiring a direct network link to a Domain Controller (DC) or prior knowledge of the server's identity. Developers, opting for convenience, often embed NTLM into applications, bypassing the more secure Kerberos. This ingrained use of NTLM means many organisations can't easily abandon the older protocol.
To bolster Kerberos' appeal, Microsoft is enhancing Windows 11 with features that make this contemporary protocol more versatile for various applications:
IAKerb is a public extension that allows a client to authenticate with a DC through a server that has direct access to it. Because the server proxies the Kerberos requests, client applications no longer need their own line of sight to the DC, and the proxied messages remain encrypted and secure, making IAKerb well suited to remote authentication scenarios.
A local KDC for Kerberos adds Kerberos support for local accounts. It leverages IAKerb and the local Security Account Manager (SAM), so remote machines can authenticate to local accounts without relying on DNS or DCLocator and without opening new ports. Notably, the communication remains encrypted via the Advanced Encryption Standard (AES).
In upcoming phases, Microsoft aims to revise Windows components that currently use NTLM exclusively. The goal is to move them to the Negotiate protocol, utilizing IAKerb and the local KDC for Kerberos, though NTLM will be retained as a fallback. Simultaneously, Microsoft is enhancing NTLM management controls, providing enterprises with clearer insight into NTLM usage and more granular control over disabling the protocol.
The ultimate objective is disabling NTLM by default in Windows 11, conditional on supportive telemetry data. Meanwhile, Microsoft advises businesses to supervise their NTLM usage, audit legacy protocol applications, and stay updated on further announcements from the tech giant.
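The advice above to supervise NTLM usage and audit legacy applications is easiest to act on with the audit data Windows already produces. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes Logon auditing is enabled (so that Security event 4624 is recorded), that the "Restrict NTLM: Audit ..." policies are turned on where the NTLM operational log is wanted, and that it is run from an elevated session that can read the Security log. It inventories successful logons by authentication package, lists the accounts and workstations still arriving over NTLM, shows the current NTLM restriction settings, and pulls recent NTLM audit events.

```powershell
# Added example: inventory NTLM vs. Kerberos logons on this host so that
# remaining NTLM dependencies are visible before the protocol is restricted.
# Assumptions: Logon auditing is enabled, the session is elevated, and the
# "Restrict NTLM: Audit ..." policies are on if step 4 is to return anything.

$since = (Get-Date).AddDays(-7)

# 1. Collect successful logons (event 4624) from the last seven days and pull
#    the fields of interest out of each event's XML payload.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue

$summary = foreach ($evt in $logons) {
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time        = $evt.TimeCreated
        AuthPackage = $data['AuthenticationPackageName']   # NTLM, Kerberos or Negotiate
        LogonType   = $data['LogonType']                   # 3 = network, 2 = interactive, ...
        Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Workstation = $data['WorkstationName']
        SourceIp    = $data['IpAddress']
    }
}

# 2. Overall split between authentication packages.
"Successful logons since $since by authentication package:"
$summary | Group-Object AuthPackage | Select-Object Name, Count | Format-Table -AutoSize

# 3. Which accounts and source workstations still depend on NTLM. These are the
#    candidates to investigate (service accounts, appliances, scripts using IP
#    addresses instead of host names, and so on).
"Accounts still authenticating over NTLM:"
$summary | Where-Object { $_.AuthPackage -eq 'NTLM' } |
    Group-Object Account, Workstation, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 4. Current NTLM restriction and audit settings as written by Group Policy.
#    0 = allow all, 1 = audit/deny for domain accounts, 2 = deny all (per MS docs).
"Current NTLM restriction settings (absent values mean 'not configured'):"
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue |
    Select-Object AuditReceivingNTLMTraffic, RestrictReceivingNTLMTraffic, RestrictSendingNTLMTraffic |
    Format-List
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -ErrorAction SilentlyContinue |
    Select-Object LmCompatibilityLevel | Format-List

# 5. When the audit policies are on, the NTLM operational log records each
#    audited authentication: 8001 outbound from this host, 8002 inbound to it,
#    8003/8004 for domain accounts on domain controllers.
"Recent NTLM audit events:"
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object -First 20 TimeCreated, Id, Message | Format-List
```

Run it on a representative set of servers rather than a single client: the inbound (8002) and 4624 data on file, print and application servers is what reveals which clients and service accounts would be affected when NTLM is switched off. Empty results from step 5 usually mean the audit policy has not been applied to that host yet, not that NTLM is unused.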