Microsoft to Phase Out NTLM in Windows 11 by Late 2024

Microsoft has officially confirmed plans to phase out NT LAN Manager (NTLM) in Windows 11 in the latter half of 2024, announcing a series of new security measures to enhance the operating system’s protection.

The company’s statement emphasized that the retirement of NTLM has long been a desired step by the security community, as it will strengthen user authentication.

The initial decision to replace NTLM with Kerberos for authentication was announced in October 2023. NTLM’s insufficient support for cryptographic methods, such as AES or SHA-256, makes it vulnerable to attacks, particularly NTLM Relay attacks.

Other changes in Windows 11 include enabling Local Security Authority (LSA) protection by default for new consumer devices and utilizing Virtualization-based Security (VBS) to safeguard Windows Hello.

Additionally, Smart App Control, which protects users from running unsigned applications, has been updated. The tool now uses AI to determine the safety of applications and block unknown or malicious programs. Alongside Smart App Control, a new Trusted Signing system has been introduced, allowing developers to sign their applications and streamline the certificate signing process.

Among other significant security enhancements are:

• Win32 application isolation is designed to limit damage in the event of application compromise by creating a security boundary between the application and the operating system.
• Limiting the abuse of administrative privileges by requiring explicit user approval.
• VBS enclaves for third-party developers to create trusted computing environments.
• Windows Protected Print Mode (WPP), introduced in December 2023, will become the default print mode, allowing the Print Spooler to run as a restricted service, significantly reducing its attractiveness to attackers.
• The company also announced it would no longer trust TLS server authentication certificates with RSA keys less than 2048 bits due to advancements in computing power and cryptanalysis.

New security features also include Zero Trust Domain Name System (ZTDNS), which will help commercial clients restrict Windows devices’ access to approved network addresses by domain name.

These improvements are a response to criticism of Microsoft’s security methods, which allowed Chinese hackers to breach Exchange Online. A recent report by the U.S. Cybersecurity Review Board (CSRB) highlighted the need to reassess the company’s security culture.