Microsoft is pushing for more secure Windows authentication with new features for Kerberos that would eventually eliminate the use of the New Technology LAN Manager (NTLM) protocol. NTLM is meant to provide authentication, integrity, and confidentiality; however, it is prone to relay attacks, and passwords can be brute-forced easily using modern hardware, making the protocol weak.
Kerberos, which builds on symmetric-key cryptography and provides better security guarantees compared to NTLM, has been the default Windows authentication protocol since Windows 2000. However, Microsoft is still using both NTLM and Kerberos because the latter cannot be used in certain scenarios, leading to the operating system falling back to the former. Now, Microsoft says it is working on two new features for Kerberos to cover these scenarios and eliminate the need to use NTLM, thus improving “the security bar of authentication for all Windows users”.
Read more: https://www.securityweek.com/microsoft-improving-windows-authentication-disabling-ntlm/