Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Microsoft Security Windows

To 'Evolve' Windows Authentication, Microsoft Wants to Eventually Disable NTLM in Windows 11 (neowin.net) 68

An anonymous reader shared this report from Neowin: The various versions of Windows have used Kerberos as its main authentication protocol for over 20 years. However, in certain circumstances, the OS has to use another method, NTLM (NT LAN Manager). Today, Microsoft announced that it is expanding the use of Kerberos, with the plan to eventually ditch the use of NTLM altogether.

In a blog post, Microsoft stated that NTLM continues to be used by some businesses and organizations for Windows authentication because it "doesn't require local network connection to a Domain Controller." It also is "the only protocol supported when using local accounts" and it "works when you don't know who the target server is." Microsoft states:

These benefits have led to some applications and services hardcoding the use of NTLM instead of trying to use other, more modern authentication protocols like Kerberos. Kerberos provides better security guarantees and is more extensible than NTLM, which is why it is now a preferred default protocol in Windows. The problem is that while businesses can turn off NTLM for authentication, those hardwired apps and services could experience issues. That's why Microsoft has added two new authentication features to Kerberos.

Microsoft's blog post calls it "the evolution of Windows authentication," arguing that "As Windows evolves to meet the needs of our ever-changing world, the way we protect users must also evolve to address modern security challenges..." So, "our team is building new features for Windows 11."
  • Initial and Pass Through Authentication Using Kerberos, or IAKerb, "a public extension to the industry standard Kerberos protocol that allows a client without line-of-sight to a Domain Controller to authenticate through a server that does have line-of-sight."
  • A local Key Distribution Center (KDC) for Kerberos, "built on top of the local machine's Security Account Manager so remote authentication of local user accounts can be done using Kerberos."
  • "We are also fixing hard-coded instances of NTLM built into existing Windows components... shifting these components to use the Negotiate protocol so that Kerberos can be used instead of NTLM... NTLM will continue to be available as a fallback to maintain existing compatibility."
  • "We are also introducing improved NTLM auditing and management functionality to give your organization more insight into your NTLM usage and better control for removing it."

"Reducing the use of NTLM will ultimately culminate in it being disabled in Windows 11. We are taking a data-driven approach and monitoring reductions in NTLM usage to determine when it will be safe to disable."


This discussion has been archived. No new comments can be posted.

To 'Evolve' Windows Authentication, Microsoft Wants to Eventually Disable NTLM in Windows 11

Comments Filter:
  • I suspect (Score:5, Insightful)

    by starworks5 ( 139327 ) on Sunday October 15, 2023 @10:07AM (#63926461) Homepage

    that requiring your request signed by someone down chain from the microsoft root cert could in theory be better for security, but it could also be used to implement draconian control over the software ecosystem.

    • It's also never going to fly for a far more pragmatic reason: MSCHAPv2 over PEAP is the de facto standard authentication mechanism for Windows NPS, as well as being a truly Microsoft clusterfuck of gibberish crypto and messaging. They'll never get rid of that, the minute they rip NTLM out a large number of their major corporate customers will go apeshit as their infrastructure stops working.
      • Microsoft added support for things other than PEAP to Windows 10 years ago and they work pretty well.

        And they're not going to "rip out" NTLM. They're moving to make Kerberos the default. NTLM will remain as a backup, possibly for a very long time. LANMAN support is still there if you need it, and it was deprecated over 20 years ago. You just have to turn it on.

        • NTLMv1 is already disabled by default AFAIK since you have to enable it via LmCompatibilityLevel for MSCHAPv2 to work with Windows RAS. I've just re-read TFA and it's not clear what it is they're changing given that this was disabled by default back in Server 2012, see KB 2811487.
    • implement draconian control over the software ecosystem

      All they would have to do for that is make it so you can install Store only apps

  • by FrankSchwab ( 675585 ) on Sunday October 15, 2023 @10:19AM (#63926483) Journal

    I'm not a corporation with IT staff and a DC. I'm just a human with two or three computers in my house. It's gotten more complex over the years to easily network them and share files (Yes, I remember and used WFW). This sounds like the death-knell for my usage.
    Oh, well, I guess people will never really have "personal" computers anymore anyway.

    • by AmiMoJo ( 196126 ) on Sunday October 15, 2023 @10:52AM (#63926525) Homepage Journal

      It's unlikely to have any effect on home networking and file sharing, beyond making some older versions of SAMBA even more incompatible with modern Windows than they already are.

      The main effect will be on corporate customers who have networks built in a way that Microsoft doesn't recommend. A rare example of Microsoft forcing corporate customers to change, when usually they bend over backwards to avoid it, e.g. releasing special Enterprise versions of Windows that suck a lot less than the standard Pro one.

    • What exactly is the difficult part? You install a Domain Controller, and you have your workstations/servers join that domain... the same as you did back with pre-win2k NT that didn't use Active Directory. If that is all you do, almost nothing has changed

      • by vbdasc ( 146051 ) on Sunday October 15, 2023 @11:28AM (#63926585)

        The difficult part? The difficult part is that you need a Windows Server to have a Domain controller. Maybe it's not difficult for you, but it surely is difficult for others. Small networks shouldn't be forced to use a server operating system if all they need is peer-to-peer networking.

        • I can thoroughly sympathize with the OP as I am in this same case. I have 2 or 3 computers that I regularly use and a few computers that work as file servers/storage. There is ONLY 1 USER and I know who that is with absolute certainty.

          The difficult part for most home networks is the added administrivia of running a Domain Controller. And if your home only has 1 user that administrivia becomes maximum absurdity, like killing flies with nuclear bombs.

          FYI - You can setup SAMBA on Linux to be a Domain Controll

          • Unfortunately, I wouldn't recommend SAMBA for this.

            SAMBA doesn't filter Domain SIDs. [samba.org] So don't use it if you need to trust another domain. (Or you'll be giving them full control over yours.)

            SAMBA also doesn't support SYSVOL replication. [samba.org] So if you want more than one domain controller, (failover / backup / etc.), you'll have to manually replicate the changes around. (Which defeats the purpose of having a second DC, as you have to make all of your changes on and sync from a single controller.)

            Granted, it
        • by taustin ( 171655 )

          The difficult part is that you need a Windows Server to have a Domain controller.

          Which probably costs at least as much as the desktop you need to log into.

          But that's the point, really. For Microsoft to force you to spend twice as much money for something you don't have any earthly use for.

          • But that's the point, really. For Microsoft to force you to spend twice as much money for something you don't have any earthly use for.

            Ooo! Like having to buy a new PC to (officially) run Windows 11 when my current PC runs Windows 10 just fine?

            (For the record, I'm not doing that. Will be switching to use my Linux Mint 21 system full time.)

        • It sounds like you're talking about something different to everyone else.

          Either you run a small business with a DC (doesn't need to be Windows, Samba can do this just fine) and you're fine with a simple configuration change. Or you run a small home network and you have to do literally nothing and can keep sharing files the same way you always have, albeit you won't be able to do it with really outdated clients like Windows XP, or Linux machines with very old versions of Samba installed.

          The only thing here b

          • by vbdasc ( 146051 )

            Just because TFS is talking about specifically sharing authentication tokens between a dedicated server and other hosts and clients, confirming your identity on a network, doesn't mean that's the only way these protocols work and doesn't mean you need a dedicated domain controller on the network to use them.

            Well, I'm not the greatest network guru, but AFAIK, in a Windows network, these days you can use either NTLM, or Kerberos for user authentication on the network. If NTLM disappears, then you're left with Kerberos and nothing else. (Correct me if I'm wrong).

            Again AFAIK, Kerberos requires a domain controller, hence Windows Server (or Samba).

            And no, I didn't miss the part where Microsoft promises to introduce "Kerberos (KDC) for local accounts" (whatever it means) sometime in the future. However, experience ha

            • Again AFAIK, Kerberos requires a domain controller, hence Windows Server (or Samba).

              They're adding a KDC to the local systems specifically to allow Kerberos authentication for local accounts. You won't need a domain controller. I suspect that when this happens, you won't even notice the changeover.

            • Cutting existing features in the name of security is easy. Adding working replacements is hard. Even for Microsoft.

              No they are cutting existing features which have already been supplanted with something else. Kerberos is just a protocol. The fact that currently it's linked to domain controllers is not a core requirement of the protocol, all that this protocol requires is a source of trust, and just like NTLM that source of trust can be a local source.

              That is what KDC for local accounts is. Your computer takes the role of the domain controller and performs Kerberos authentication for the accounts already on the system. A

    • I've not really seen that myself. However, I don't like sharing files from desktops. Instead, there are a few ways to do this.

      The first is to consider buy (or build) a NAS. A Synology or QNAP NAS, properly locked down [1] and firewalled can be easily attached to an Active Directory domain or LDAP server. Even without that, one can just create users on the NAS, and share from there. I keep the users doing file sharing separate from the NAS admin accounts and keep 2FA on the NAS admin accounts, for sanit

    • I'm not a corporation with IT staff and a DC. I'm just a human with two or three computers in my house. It's gotten more complex over the years to easily network them and share files (Yes, I remember and used WFW). This sounds like the death-knell for my usage. Oh, well, I guess people will never really have "personal" computers anymore anyway.

      ^ T H I S ^

      I know this exact problem. As Windows has trimmed features from SMB because of security the lovely lapdogs at SAMBA have followed those changes closely, making SAMBA bit by bit more challenging to integrate into a small Windows-Linux 1 to 5 user/computer environment.

      I wish Windows and SAMBA had a "Yes I Really Want To Do This button or toggle to just let users like the OP and myself continue on our happy way with our simple file sharing while the software can still support those that need tyran

      • The irony is that there are three awesome protocols which can do everything SMB/CIFS does and are far lighter weight:

        AFP, which is used on Linux as netatalk. In my experience, I use this over SMB, because it is lighter weight. Of course, it has its shortcomings, but it works well.

        The second is the S3 protocol served over HTTPS. It is brain-deadly simple, and if one uses access keys, it is solidly secure. Having this as a way to share files, where a file share would appear as a bucket, would be useful.

        Of

        • Is there a good, Free, and Open implementation of the S3 protocol, both client and server side, for both Windows and Linux?
          • Client-side, rclone.

            Server-side, MinIO.

            MinIO is licensed under the AGPL 3 and commercial.

            I have nothing to do with MinIO or its development, but I've found it quite a miracle tool. For example, getting hardware, throwing drives into it, adding a load balancer via nginx or HAProxy, and letting it handle RAID across drives and across computers. Or you can use it with one machine and ZFS, and it works well.

            Of course, it supports buckets, object locking, and all the other Amazon niceties. This makes it an ex

            • Thanks! These look promising. I'm still hoping our current setup will work with Kerberos, but if not, I'll look into this further.
              • MinIO can work with LDAP, if that helps things. You can also assign users their own access keys, which is better security, since it separates the user's password from the I/O channel.

      • by AmiMoJo ( 196126 )

        Samba's problems are unrelated to changes in Windows. It's more of an issue with Linux and Windows having fundamental incompatibilities, such as the way Samba has to have a whole parallel user management system since you can't authenticate Linux users on a Windows machine with identically named accounts set up. Samba also has issues with not communicating changes to Windows clients, causing problems with cached data and credentials.

        If you need to share drives on a Linux box with Windows clients, there is no

        • I manage(d?) to do this for many years with Samba on Linux serving up read-only shares to all of the other Linux and a few Windows machines. The basic rule is if you are on my local network you get to see everything, otherwise you see nothing. Not much nuance needed.

          I'm not sure this recent change impacts my setup or not.

      • As Windows has trimmed features from SMB because of security the lovely lapdogs at SAMBA have followed those changes closely, making SAMBA bit by bit more challenging to integrate into a small Windows-Linux 1 to 5 user/computer environment.

        What? That's the place where it's not challenging to integrate at all. The problems crop up when you have multiple domains with multiple DCs. Small networks are where SAMBA works great as a DC. I have samba installed on my Linux system so that it can act as a DC to my VMs. It works flawlessly and I can even manage SAMBA as a DC using the tools on the Windows systems.

    • by Isaac-Lew ( 623 )
      There are plenty of options for file sharing. Samba supports Kerberos, & there are personal cloud solutions such as Nextcloud.
    • by Torodung ( 31985 )

      Don't you know what you're supposed to do? Stick all your files into OneDrive and share the folder. Done, says Microsoft. Nevermind that it adds a required connection to the Internet and a subscription, and kills the local upload and download speeds of a 1 gigbit LAN. It's good enough for a consumer.

      They have also stopped maintaining File History, and are leaning heavy into replacing it with OneDrive. So there goes local version control out the window. Users have been unable to trim their File History direc

  • by fishscene ( 3662081 ) on Sunday October 15, 2023 @10:28AM (#63926493)

    The article dances around how it affects creating and using local accounts. If Microsoft is trying to kill local accounts, they can take a hike. I will never. Ever. Ever. Not create local accounts. No compromising, no negotiations. No quarter. End of story.

    • No compromising, no negotiations. No quarter. End of story.

      Then I recommend Kubuntu, as your Windows days are coming to an end.

      • I'd more likely recommend Debian + KDE or XFCE4.

        Ubuntu forces you into Snaps which are effectively proprietary. (Yes, I know there are ways around that, but I also know they suck.)

        We learned from the whole Red Hat fiasco that commercial entities, no matter how initially well-intentioned, tend to make very poor stewards of the blood, sweat and tears of the Free and Open Source community.

        Hence, IMO, I can't really recommend anything for the long term besides Debian or some other non-commercial distro. Altho

    • If Microsoft is trying to kill local accounts, they can take a hike
       
      It is never going to happen. It might for crap like Windows Home Edition, but you need to consider that enterprise deployments is where a bulk of installations happen and there is no way that those orgs will put up with that kind of control (or rather, lack thereof).

      • by PPH ( 736903 )

        Enterprises will most likely run their own KDC. On whatever platform and with a configuration that suits them. Home users will undoubtedly submit to the Microsoft account/key management system out of ignorance and/or frustration. After all, it's only a few bucks a month to be assimilated into the collective.

        Until someone brings a cheap rPi-based plug and play controller to the market.

        • How do you get into the PC if there is no network connection or its down?

          • by tepples ( 727027 )

            You use your iPhone or Android phone to troubleshoot the network gateway through the gateway's web interface.

            • You use your iPhone or Android phone to troubleshoot the network gateway through the gateway's web interface.

              And that's supposed to be simpler than using a local account to log into the machine and diagnose the issue?

          • LAPS, or some variant of that, most likely.

          • by PPH ( 736903 )

            Boot into safe mode?

          • by taustin ( 171655 )

            I dunno, but I'll get it involves paying Microsoft even more money.

        • by taustin ( 171655 )

          Enterprises will most likely run their own KDC.

          The more users you have, the more you really need to be using domain controllers and group policies to manage things.

        • Either run their own KDC or have an Entra tenant and have machines connect to that.

    • by Voyager529 ( 1363959 ) <voyager529@@@yahoo...com> on Sunday October 15, 2023 @10:57AM (#63926539)

      The article dances around how it affects creating and using local accounts. If Microsoft is trying to kill local accounts, they can take a hike.

      I wonder about this myself. It's pretty clear that MS has had it out for local accounts for quite a while now; my hope was that it'd be sidelined, but not killed. I'd be fine with a local account that couldn't share files (doing all the file sharing on a NAS is easy and inexpensive enough), but to your point, I'm also on the team of local accounts only.

      If MS really turns Windows into a Chromebook, I'm really unsure how things will go moving forward. At the very least, I could see some actual action against MS if they make this change on Windows 12 and then auto-update, thus making it impossible to proceed with the forced update without converting to a Microsoft account...that strikes me as the sort of change that's going to cause legal action; my hope is that the legal department at least prevents that particular chain of events.

      I share your concern and unwillingness to use a Microsoft account. If I embrace my inner pragmatist, however, I wonder if I'll really be willing to leave all my Windows software behind to move to Linux. Like most Windows users, that's the big reason I haven't moved already.

      • If you still need particular Windows software... install Linux, install VirtualBox, install an older version of Windows into VirtualBox, then limit its network connections to your local network only.

        Of course if that "Windows software" is somethng that has a phone-home requirement just to use it (looking at you, Adobe) - that's not gonna work.

        • If you still need particular Windows software... install Linux, install VirtualBox, install an older version of Windows into VirtualBox, then limit its network connections to your local network only.

          I hear this a lot...and while Linux is getting closer in general, I keep running into 'jank'.

          To directly answer this particular recommendation, the problem with this advice is that there are issues with low latency USB needs. If I put a USB audio device in passthrough, it adds latency. Plus, I have all the fun of dealing with Virtualbox AND old versions of Windows that still get a full desktop environment, which means I need to basically double my RAM so each OS can get half AND I have to deal with CPU/GPU

        • NOT VirtualBox. Because Oracle.

          There are many better VM options, and, while many are also proprietary, I do not know of any company I would less rather have to deal with, in any capacity, than Oracle.

          They will claim that it is free and open-source, but they don't mention that it is also completely unusable without the VirtualBox Guest Extensions, which it will encourage you to download and install.

          Once you do, all your money are belong to Oracle. :(

      • I wonder if I'll really be willing to leave all my Windows software behind to move to Linux. Like most Windows users, that's the big reason I haven't moved already.

        DO NOT Dual boot, acquire a new PC and boot only to Linux, rdp to the old machine to visit Windows apps. After a couple of months Linux will grow on you, Windows will only irritate you.

        • by Isaac-Lew ( 623 )
          I've been running a Windows vm on my Linux box for at least 10 years. Unless you're playing games or are running some very unusual software, it's an option.
          • Even for games it's an option, albeit possibly not the best.

            You can go about it two ways, one of them is playing older games on vmware which has superior 3d acceleration to all other virtualization solutions, many of them Just Work (tm). The other is to use KVM/QEMU with GPU passthru. This necessitates either having multiple GPUs, or exiting X while using the VM, and results in the highest level of compatibility and support.

          • I do a lot of audio creation and processing, so that wouldn't be an ideal scenario for me.

            Fortunately, all the software I need runs at least as well in Linux as it would on Windows. With one exception: 32-bit VSTs, which typically require WINE, which, on my heavily customized Gentoo setup, does not work particularly well. Hence, these tend to be hit or miss. It's not a huge problem anymore, but still an occasional annoyance.

            I use remote desktop and/or TeamViewer to access work machines (mostly Windows)

      • by taustin ( 171655 )

        At the very least, I could see some actual action against MS if they make this change on Windows 12 and then auto-update, thus making it impossible to proceed with the forced update without converting to a Microsoft account...that strikes me as the sort of change that's going to cause legal action; my hope is that the legal department at least prevents that particular chain of events.

        The implications for anyone who has to deal with PCI or HIPAA compliance are horrifying.

    • TFS sort of addresses that where it says "A local Key Distribution Center (KDC) for Kerberos, "built on top of the local machine's Security Account Manager so remote authentication of local user accounts can be done using Kerberos." That will work for local authentication, too.

      What I wonder is why they don't just make every machine an AD server for itself instead of inventing new stuff. They could make it only work on loopback devices if they wanted to prevent you from using it for anything nonlocal. They'v

      • by HBI ( 10338492 )

        https://www.microsoft.com/en-u... [microsoft.com]

        Poach their own business? Not likely.

        • They are in control of the software, they can place limitations on it as they see fit. So you wouldn't be able to use the AD server that was in every Windows for anything other than local authentication. They could even take TCP/IP out of it and use only some other mechanism in place of NTLM.

          • by HBI ( 10338492 )

            Certainly they could. They would rather push everyone to cloud auth by arguing it's superior by nature, hence why they are rebranding it. Azure AD was very honest. The current naming is less so, implying it is a different product, part of their overall thrust of devaluing all on-premise solutions. The desktop to them is just a way to sell cloud services.

            • Azure AD was honest ? It literally has nothing to do with Active Directory. It provides no directory service, no LDAP access, no DNS and Kerberos integration. It was the worst named product Microsoft had. So much so when the time came to providing an actual Cloud based domain controller infrastructure, they had to call it Azure AD DS. Which has nothing to do with Azure AD. Renaming Azure AD is good. Itâ(TM)s not AD and should never have been called AD.
              • by HBI ( 10338492 )

                It provided authentication and an interface for IDAM. That was the point.

              • no LDAP access

                Hahahahahahaha. This!? This is what tribbled your giblets!? Not being able to spam plain-text credentials over the LAN?!? Really?!

                Entra ID works perfectly fine, providing MFA wrapper for AD resources with minimal effort. Managed identities are awesome. Aligned with Sentinel, you have full visibility of who's doing what in a singel pane. But let's keep whining about LDAP - the *worst* thing about AD aside from NTLM... the most attacked internal auth protocol known to the lizzard overlrods

  • Isn't that what updates to a major version are supposed to be about? Seeing as how this appears to be a major change to the Windows ecosystem, how about making this Windows 12?
  • I need another minute in here, I'm still evolving.

  • Microsoft seems to be incapable of ever implementing a secure authentication system. Their vision of security in Kerberos is tunneling authentication over a secure channel because otherwise users credentials are exposed to offline compromise.

  • Having gone through multiple exercises aimed at retiring NTLM, the sheer reach and volume of issues it creates is just mind-blowing.

    Within a hair's breadth of losing the domain once, we decided that it's for the next generation to tackle. Because fark that noise. Pro-tip. Not all NTLM auths are audtible. Good luck, folks. Bring some smores

  • That can connect to a network share and upload their clips where motion was detected. But I have to run samba on my windows server (in a vm) with the dumbest settings because they don't know how to use anything else.

  • Will this cause issues in a mixed Linux/Windows/Samba environment (modern-ish Linux, but Windows versions varying from 8 to 10)?

"How do I love thee? My accumulator overflows."

Working...