Apart from its weak password protection, NTLM has a number of other behaviors that make it a hacker's paradise. First, it doesn't require any local connection to a Windows domain. Additionally, it's needed when using a local account and when you don't know who the intended target server is. On top of these weaknesses, it was invented so long ago (indeed, before Active Directory was even considered) that it doesn't support modern cryptographic methods, making its simple unsalted hashing scheme trivially easy to break and decode.
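The "unsalted hashing" point above is concrete enough to show in code. The NT hash that NTLM authenticates against is MD4 over the UTF-16LE encoding of the password, with no per-user salt and no work factor, so two accounts with the same password store exactly the same value. The following is an added example, not code from the article or from any of the vendors it quotes: it carries its own pure-Python MD4 (so it runs without OpenSSL's legacy provider), computes NT hashes, contrasts them with a salted PBKDF2 hash, and shows the defender-side consequence, a reuse audit that finds accounts sharing a password by comparing hashes alone. The account names and passwords in it are constructed sample data.

```python
"""Added example (not from the article): why an unsalted NT hash is weak.

NT hash = MD4(UTF-16LE(password)); no salt, no iterations.
A pure-Python MD4 is included so this runs without OpenSSL's legacy provider.
All account data below is constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import os
import struct

MASK = 0xFFFFFFFF


def _rol(v: int, s: int) -> int:
    """32-bit left rotate."""
    return ((v << s) | (v >> (32 - s))) & MASK


def _md4_block(state: list[int], block: bytes) -> list[int]:
    """One 64-byte MD4 compression step (RFC 1320 rounds 1-3)."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for fn, k, order, shifts in rounds:
        for i in range(16):
            a = _rol((a + fn(b, c, d) + X[order[i]] + k) & MASK, shifts[i % 4])
            a, b, c, d = d, a, b, c  # rotate registers for the next step
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """MD4 digest: pad to 56 mod 64, append 64-bit LE bit length, compress."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        state = _md4_block(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as stored for NTLM: MD4 over UTF-16LE, uppercase hex. No salt."""
    return md4(password.encode("utf-16-le")).hex().upper()


def salted_hash(password: str, salt: bytes | None = None) -> tuple[bytes, str]:
    """Contrast: per-user random salt plus a work factor (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest.hex()


def find_shared_passwords(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Defender-side audit: group accounts whose NT hashes are identical.

    Because there is no salt, equal hashes mean equal passwords, so password
    reuse across accounts is visible without recovering any password.
    """
    by_hash: dict[str, list[str]] = {}
    for user, pw in accounts.items():
        by_hash.setdefault(nt_hash(pw), []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    accounts = {"alice": "password", "bob": "Winter2023!", "svc_backup": "password"}
    print(nt_hash("password"))             # same value for alice and svc_backup
    print(find_shared_passwords(accounts))
    _, h1 = salted_hash("password")
    _, h2 = salted_hash("password")
    print(h1 != h2)                        # same password, different stored values
```

The audit in `find_shared_passwords` is the same property seen from the defender's side: because the stored value depends only on the password, a domain's hash set can be checked for reuse (a service account sharing a password with a user account, for instance) without ever reversing a hash. The salted PBKDF2 variant is included only as a contrast; NTLM itself cannot use it, which is why the article's point is about retiring the protocol rather than tuning it.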
Kerberos versus NTLM
These modern methods are fortunately part of the Kerberos protocols, which is what Microsoft has been trying to replace NTLM with over the past several years. Since Windows Server 2000, it has been the default choice for authentication. "NTLM relies on a three-way handshake between the client and server to authenticate a user," wrote CrowdStrike's Narendran Vaideeswaran in a blog in April 2023. "Kerberos uses a two-part process that leverages a ticket granting service or key distribution center." That ticketing process means that Kerberos is secure by design, something that never could be claimed for NTLM.
One of the reasons for NTLM's enduring reign is that it was easy to implement. This is because when Kerberos (or something else) didn't work properly, NTLM was the fallback choice, which means that if a user or an app tries to authenticate with Kerberos and fails, it automatically (in most cases) tries to use NTLM protocols. "For example, if you have workgroups with local user accounts, where the user is authenticated directly by the application server, Kerberos won't work," wrote TechRepublic. Microsoft has said that local users still make up a third of NTLM usage, one of the reasons why Microsoft wants to maintain its older systems. Another pain point is the protocol used to implement Remote Desktop Services, which can often fall back to NTLM. However, "Microsoft supports legacy security configurations long past their expiration dates," writes Adrian Amos in a blog post from November 2023.