
Microsoft to Disable NTLM by Default – Transition Plan and Security Implications

Learn why Microsoft is retiring NTLM, the security threats it poses, the three‑phase rollout plan, and practical steps to secure your Windows environment before NTLM is disabled by default.
30 January 2026 by TechStora Editorial Board

Why NTLM Is a Security Liability

Since its introduction, NTLM has been a frequent target for attackers. Common exploit techniques include:

  • NTLM relay attacks (e.g., PetitPotam, ShadowCoerce, DFSCoerce, RemotePotato0) that let threat actors hijack authentication flows.
  • Pass‑the‑hash attacks that steal NTLM password hashes and reuse them to move laterally.

These weaknesses allow adversaries to gain domain‑wide privileges, exfiltrate data, and maintain persistent access.

Microsoft’s Decision to Retire NTLM

In a push toward passwordless, phishing‑resistant authentication, Microsoft announced that future Windows Server and client releases will disable network NTLM by default. The protocol will remain in the OS for backward compatibility but must be explicitly re‑enabled via policy.

Three‑Phase Transition Plan

Phase 1 – Visibility and Auditing (Windows 11 24H2 & Server 2025)

Admins gain access to enhanced auditing tools that surface every NTLM usage point.

  • Audit logs show which services, applications, or legacy devices still rely on NTLM.
  • Reporting dashboards help prioritize remediation.

Phase 2 – Mitigation Features (Late 2026)

New capabilities address the most common fallback scenarios.

  • IAKerb – an interim Kerberos extension that automatically negotiates Kerberos when possible.
  • Local KDC (Key Distribution Center) – provides Kerberos tickets for local‑only resources that previously forced NTLM.

Phase 3 – Default NTLM Disablement

Network‑level NTLM authentication is turned off out‑of‑the‑box. Organizations can still enable it via Group Policy, but the default stance favors Kerberos‑based methods.

What Administrators Should Do Now

  • Deploy the Phase 1 auditing tools and generate an inventory of NTLM dependencies.
  • Prioritize migration of legacy applications to Kerberos or modern authentication APIs.
  • Configure Active Directory Certificate Services (AD CS) to block NTLM relay where possible.
  • Implement strict “deny NTLM” policies for high‑risk accounts (e.g., domain admins).
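As an added example (not code from the article or from Microsoft), the following PowerShell builds the NTLM dependency inventory the first two steps above call for, using the long‑standing domain‑controller audit event rather than the newer Phase 1 tooling. It assumes the policy “Network security: Restrict NTLM: Audit NTLM authentication in this domain” is set, which makes domain controllers log event 8004 to the Microsoft‑Windows‑NTLM/Operational log; the function names and parameters are this example's own, not built‑in cmdlets.

```powershell
# Added example (not from the article or Microsoft): build an NTLM dependency
# inventory from DC audit events. Assumes "Network security: Restrict NTLM:
# Audit NTLM authentication in this domain" is set, so DCs write event 8004.

function ConvertFrom-NtlmDomainAuditMessage {
    # Parse the "Name: value" lines of an 8004 message into one record.
    param([Parameter(Mandatory)][string]$Message, [datetime]$TimeCreated)
    $f = @{}
    foreach ($name in 'Secure Channel name', 'User name', 'Domain name', 'Workstation name') {
        if ($Message -match ('(?m)^' + [regex]::Escape($name) + ':\s*(.+?)\s*$')) { $f[$name] = $Matches[1] }
    }
    [pscustomobject]@{
        Time        = $TimeCreated
        Server      = $f['Secure Channel name']  # member server that accepted the NTLM logon
        User        = $f['User name']
        Domain      = $f['Domain name']
        Workstation = $f['Workstation name']
    }
}

function Get-NtlmInventory {
    # Pull 8004 events from a DC for the last $Days days and summarise which
    # accounts, from which workstations, still reach which servers over NTLM.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    $filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-NtlmDomainAuditMessage -Message $_.Message -TimeCreated $_.TimeCreated } |
        Group-Object Server, Domain, User, Workstation |
        ForEach-Object {
            $g = $_.Group[0]
            [pscustomobject]@{
                Server      = $g.Server
                Account     = "$($g.Domain)\$($g.User)"
                Workstation = $g.Workstation
                Count       = $_.Count
                LastSeen    = @($_.Group.Time | Sort-Object -Descending)[0]
            }
        } | Sort-Object Count -Descending
}

# Constructed 8004 message (not real log data) to check the parser offline.
$sample = @"
Domain Controller Blocked Audit: Audit NTLM authentication to this domain.
Secure Channel name: FILESRV01
User name: jdoe
Domain name: CORP
Workstation name: WS-0042
Secure Channel type: 2
"@
ConvertFrom-NtlmDomainAuditMessage -Message $sample -TimeCreated (Get-Date)
```

On a domain controller, `Get-NtlmInventory -Days 30 | Export-Csv .\ntlm-inventory.csv -NoTypeInformation` produces the per‑server, per‑account list to drive remediation and to scope “deny NTLM” policies. The same log also carries the client‑side 8001 (outgoing) and server‑side 8002 (incoming) audit events, whose message fields differ from 8004 and need their own parser.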

Preparing for a Passwordless Future

Beyond NTLM removal, Microsoft encourages the adoption of passwordless solutions such as Windows Hello for Business, FIDO2 security keys, and Azure AD Conditional Access. These methods provide stronger phishing resistance and simplify credential management.

Conclusion

Disabling NTLM by default marks a decisive move away from a protocol that has long been a security liability. By following the three‑phase rollout, auditing existing usage, and transitioning to Kerberos or passwordless authentication, organizations can dramatically reduce the attack surface and align with Microsoft’s modern security roadmap.