Microsoft has announced a long-term plan for Windows to reduce remote logins over the outdated NT LAN Manager (NTLM) protocol, which has been in use since the Windows NT era, and to replace it with the newer Kerberos protocol.
NTLM is an old protocol that has been widely used because of its simplicity, but by current standards it is outdated: it lacks many of the security features and extensibility of newer protocols. Kerberos, by contrast, is well established in the Unix world, has been supported by Microsoft since Windows 2000, and has been the default method for remote login since then. Kerberos still lacks two capabilities that NTLM offers, however: remote login with local accounts, and login when the client has no direct network connectivity (line of sight) to a Domain Controller.
Both of these gaps are addressed in Windows 11, which introduces Key Distribution Center (KDC) support for remote login with local accounts and IAKerb, an extension to Kerberos that solves the Domain Controller line-of-sight issue.
With these Kerberos features in Windows 11, Microsoft no longer needs to maintain NTLM. It has therefore warned that NTLM will eventually be disabled, although no timeline has been given; the decision will be driven by usage statistics. Organizations and software vendors that still rely on NTLM are advised to prepare for the transition gradually.
TLDR: Microsoft plans to replace the outdated NTLM protocol with Kerberos in Windows to improve security and extensibility. Windows 11 introduces features that remove the limitations of Kerberos, making NTLM unnecessary. Microsoft has not given a specific timeline, but advises organizations and software vendors to prepare for the eventual phasing out of NTLM.
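Preparing for the transition starts with knowing which accounts and machines still authenticate with NTLM. The following Python script, an added example that is not part of the original article, tallies Windows Security event 4624 (successful logon) records by Authentication Package and lists the remaining NTLM sources with their NTLM version. The event records are constructed sample lines in a simplified pipe-delimited layout rather than real log output; the field names follow those Windows writes into event 4624.

```python
import re
from collections import Counter

# Constructed excerpts of Windows Security event 4624 records, reduced to the
# fields relevant here (pipe-delimited for readability). Not real log data.
SAMPLE_EVENTS = """\
EventID: 4624 | Account Name: alice | Workstation Name: WS01 | Logon Type: 3 | Authentication Package: Kerberos | Package Name (NTLM only): -
EventID: 4624 | Account Name: svc_backup | Workstation Name: FS02 | Logon Type: 3 | Authentication Package: NTLM | Package Name (NTLM only): NTLM V2
EventID: 4624 | Account Name: bob | Workstation Name: WS07 | Logon Type: 3 | Authentication Package: NTLM | Package Name (NTLM only): NTLM V1
EventID: 4624 | Account Name: carol | Workstation Name: WS03 | Logon Type: 3 | Authentication Package: Kerberos | Package Name (NTLM only): -
EventID: 4624 | Account Name: svc_backup | Workstation Name: FS02 | Logon Type: 3 | Authentication Package: NTLM | Package Name (NTLM only): NTLM V2
EventID: 4672 | Account Name: alice | Workstation Name: WS01 | Logon Type: 3 | Authentication Package: Kerberos | Package Name (NTLM only): -
"""

# One "Key: value" field, terminated by the next pipe or end of line.
FIELD_RE = re.compile(r"(?P<key>[^|:]+?):\s*(?P<val>[^|]*?)\s*(?:\||$)")

def parse_event(line):
    """Split one pipe-delimited record into a dict of field name -> value."""
    return {m.group("key").strip(): m.group("val").strip() for m in FIELD_RE.finditer(line)}

def ntlm_inventory(log_text):
    """Count successful logons per authentication package and collect the
    (account, workstation, NTLM version) triples that still use NTLM.
    Returns (package_counts, ntlm_sources), both Counters."""
    package_counts = Counter()
    ntlm_sources = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue  # only successful-logon events carry the package fields we need
        pkg = ev.get("Authentication Package", "")
        package_counts[pkg] += 1
        if pkg == "NTLM":
            version = ev.get("Package Name (NTLM only)", "?")  # NTLM V1 / NTLM V2 / LM
            ntlm_sources[(ev.get("Account Name"), ev.get("Workstation Name"), version)] += 1
    return package_counts, ntlm_sources

if __name__ == "__main__":
    counts, sources = ntlm_inventory(SAMPLE_EVENTS)
    total = sum(counts.values())
    for pkg, n in counts.most_common():
        print(f"{pkg:10s} {n:4d} ({100 * n / total:.0f}%)")
    print("Remaining NTLM sources (account, workstation, version) -> logons:")
    for key, n in sorted(sources.items(), key=lambda kv: -kv[1]):
        print(f"  {key} -> {n}")
```

On a real host the same tally can be fed from the Security log (for example, exported 4624 events) once the records are mapped to the same field names; NTLM V1 entries are the ones to retire first.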