| property | value |
| --- | --- |
| tags | active-directory,kerberos,microsoft,pkm-pocket-pipeline |
| url | |
| original_word_count | 1115 |
Article Excerpt
As Windows evolves to meet the needs of our ever-changing world, the way we protect users must also evolve to address modern security challenges. A foundational pillar of Windows security is user authentication.
Long Summary
Windows 11 is introducing new features to strengthen user authentication and reduce the usage of NT LAN Manager (NTLM). These features include Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos. NTLM has been popular in the past due to its ability to authenticate without a local network connection to a Domain Controller, its support for local accounts, and its ability to authenticate without knowing the target server. However, Kerberos provides better security guarantees and is more extensible, so it is now the preferred default protocol in Windows.
Organizations can turn off NTLM, but this may break applications with hard-coded NTLM use. To address this, IAKerb allows clients to authenticate with Kerberos in more diverse network topologies, and the local KDC for Kerberos adds Kerberos support to local accounts. IAKerb works through the Negotiate authentication extension and allows the Windows authentication stack to proxy Kerberos messages through the server on behalf of the client. The local KDC for Kerberos is built on top of the local machine's Security Account Manager, so remote authentication of local user accounts can be done using Kerberos.
In addition to expanding Kerberos scenario coverage, Windows 11 is also fixing hard-coded instances of NTLM built into existing Windows components. These components are being shifted to use the Negotiate protocol so that Kerberos can be used instead of NTLM. To improve the management of NTLM, Windows 11 is extending NTLM management controls to provide administrators with greater flexibility in how they track and block NTLM usage in their environments.
Organizations should start cataloging their NTLM use and audit code for hardcoded usage of NTLM. They can also register for the upcoming webinar, "The Evolution of Windows Authentication", on October 24th, 2023, at 8:00 am Pacific Time. The ultimate disablement and removal of NTLM will be data-driven, and customers will be able to use the enhanced controls to re-enable NTLM for compatibility reasons.
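An added example (not from the Microsoft post) of the first step the summary recommends, cataloguing NTLM use on a host. It assumes the "Network security: Restrict NTLM" audit policies are already enabled so that events 8001-8004 are written to the Microsoft-Windows-NTLM/Operational log, and that it runs in an elevated session; the per-event-ID meanings are my reading of the Restrict NTLM policy documentation.

```powershell
# Added example: inventory NTLM usage from the NTLM operational log.
# Assumes the Restrict NTLM audit policies are enabled (otherwise the log is empty)
# and that the session is elevated. Event meanings per the Restrict NTLM policy docs.
param(
    [int]$Days = 7,
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$OutCsv = ".\ntlm-inventory-$ComputerName.csv"
)

$EventMeaning = @{
    8001 = 'Outgoing NTLM to a remote server (client side)'
    8002 = 'Incoming NTLM from a remote client (server side)'
    8003 = 'NTLM authentication in this domain (member server)'
    8004 = 'NTLM authentication audited by a domain controller'
}

$filter = @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001, 8002, 8003, 8004
    StartTime = (Get-Date).AddDays(-$Days)
}

# -ErrorAction Stop so a missing log or missing privileges fail loudly instead of
# silently producing an empty inventory.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

# The EventData layout differs per event ID, so flatten each event from its XML
# using the field names the event itself carries rather than positional indexes.
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $row = [ordered]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Meaning     = $EventMeaning[$e.Id]
        Computer    = $e.MachineName
    }
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $row[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$row
}

# Summary by direction, then the full catalogue for follow-up (which process or
# target is still producing NTLM traffic is visible in the exported fields).
$rows | Group-Object EventId |
    Select-Object @{n='EventId';e={$_.Name}}, Count, @{n='Meaning';e={$EventMeaning[[int]$_.Name]}} |
    Format-Table -AutoSize
$rows | Export-Csv -Path $OutCsv -NoTypeInformation
Write-Host "Wrote $($rows.Count) NTLM audit events to $OutCsv"
```

Run the script on a sample of clients, member servers and domain controllers; the 8001 events on clients point at the processes with hard-coded NTLM, which is what the code audit in the summary is meant to find.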
Overall, Windows 11 is introducing new features to strengthen user authentication and reduce the usage of NTLM. Organizations should start preparing for these changes by cataloging their NTLM use and auditing code for hardcoded usage of NTLM. They can also register
Short Summary
The evolution of Windows authentication
- As Windows evolves to meet the needs of our ever-changing world, the way we protect users must also evolve to address modern security challenges. A foundational pillar of Windows security is user authentication.
- Windows 11 is introducing new features to strengthen user authentication.
- The aim is to reduce the usage of NT LAN Manager (NTLM).
- Initial and Pass Through Authentication Using Kerberos (IAKerb) is being introduced.
- A local Key Distribution Center (KDC) for Kerberos will be available.
- Kerberos is preferred over NTLM due to better security guarantees and extensibility.
- Turning off NTLM may cause issues with applications that rely on it.
- IAKerb allows clients to authenticate with Kerberos in diverse network topologies.
- The local KDC for Kerberos adds Kerberos support to local accounts.
- Windows 11 is fixing hard-coded instances of NTLM in existing Windows components.
- Enhanced controls are available for administrators to track and block NTLM usage.
source link: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848
summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/the-evolution-of-windows-authentication
#Windows11 #UserAuthentication #NTLM #Kerberos #EnhancedControls