Microsoft recently announced that the NTLM authentication protocol will be no longer be available in the new Windows 11 update. A new authentication will take place as the new default protocol for domain-connected devices above Windows 2000. If your device is above Windows 2000, then your device will be affected by this new protocol update, therefore users who use Windows 2000 and below will not be affected.
Summary
Windows plans to disable NTLM authentication in Windows 11, for Kerberos authentication, the more secure of the two methods. For attackers targeting a companies internal network, the use of NTLM authentication provides a large number of methods for an attacker to laterally move and elevate privileges in the network.
Two new features of Kerberos authentication will be introduced as the new security standard for internal networks. While NTLM will still be available for legacy/compatibility reasons, the use of Kerberos by default should limit a lot of the attack paths already familiar to attackers.
How will this affect hackers?
Hackers will have to adjust and start researching Kerberos attacks and NTLM based attacks - attacks that have to do with hashes. This has been the standard for over a decade when hunting for privesc/lateral movement opportunities. Some paths exist with kerberos today, but way less.
What should I do next?
No migration is required and NTLM/Kerberos will determine how windows systems and services authenticate to each other within an internal network. Two new features of Kerberos are being introduced as a simple comms protocol changing versus migrating to new networks and technologies.
While no action is required for this new Windows update, users can expect this update to be more efficient and not require configuration in most cases. Visit this article for information on the Windows 11 authentication protocol update.
Comments