Microsoft has earlier stated that they are going to deprecate the authentication protocol NTLM (NT Lan Manager) which also gives an indication of how old this protocol is! (even if Kerberos has been the default authentication protocol since 2000) and of course NTLM has unfortunately been (ab)used numerous times in different cyberattacks with techniques such as Pass-the-hash attacks and NTLM Relay Attacks.
However NTLM is use in many different places (but you might not know it!)
1. When a Windows-based host is accessed using its IP address or a CNAME instead of its short name or fully-qualified domain name (FQDN).
2. When addressing a workgroup-joined Windows-based host.
3. When a domain-joined Windows host is accessed using a local account instead of a domain account.
4. When a domain-joined host in a different Active Directory forest is addressed and the forest trust is based on a legacy NTLM trust.
5. When a domain-joined Windows host is accessed over a filtered network connection that permits NTLM but blocks Kerberos traffic.
6. By default, when a domain-joined fail-over cluster node is accessed and the host is running Windows Server 2016 or an earlier version.
7. When an application or service is accessed from the local host.
8. When a SQL Server database on a domain-joined Windows host is accessed through named pipes.
9. When a service on a domain-joined host has incorrect or missing Service Principal Names (SPNs) for the domain account running the service.
10. When an application or service on a domain-joined Windows host is configured to use the NTLM security package instead of the Negotiate security package. Negotiate defaults to Kerberos but falls back to NTLM if any of the above scenarios apply.
11: Many printers (especially after Print Nightmare use NTLM for authentication)
12: Remote Desktop Gateway – Where clients to not have LOS to domain controllers (This requires the use of IAKerb)
13: And a bunch of third party tools use NTLM, such as Service Now and their discovery process also is hardcoded to use NTLM.
Microsoft stated in this blog post The evolution of Windows authentication | Windows IT Pro Blog (microsoft.com)
Reducing the use of NTLM will ultimately culminate in it being disabled in Windows 11. We are taking a data-driven approach and monitoring reductions in NTLM usage to determine when it will be safe to disable. In the meantime, you can use the enhanced controls we are providing to get a head start. Once disabled by default, customers will also be able to use these controls to reenable NTLM for compatibility reasons.
Also they have published this on the resources for deprecated features, which implies that NTLMv1 and v2 are no longer under development but will work in the next release of Windows Server and next annual release of Windows Client. (Deprecated features in the Windows client | Microsoft Learn)
Also in the latest version of Windows, Microsoft has added the following change to NTLM.
Still NTLM WILL BE AROUND FOR SOME TIME, and when Microsoft disables them by default we will be able to reenable NTLM for compatibility reasons like most features in Windows.
This leaves time for us to audit for the use of NTLM in your environment to see what kind of changes that you would need to do to move over to use of Kerberos instead.
To audit NTLM events in your environment you need to configure some group policy settings.
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Audit All
Network security: Restrict NTLM: Audit NTLM authentication in this domain = Enable all
Network security: Restrict NTLM: Audit Incoming NTLM Traffic = Enable auditing for all accounts
NOTE: Configure “Audit NTLM authentication in this domain” on DC’s only. Configure “Outgoing NTLM traffic to remote servers” and “Audit Incoming NTLM Traffic” on all computers.
NTLM audit events are written out to this event log path:
Event Viewer (Local)\Applications And Services Logs\Microsoft\Windows\NTLM\Operational
This can be then collected using services like Log Analytics. As long as you have the Azure Monitoring Agent installed and have the correct Data Collection Rule configured.
Many of these audit logs, especially EventID 8002 can be used to indicate the usage of NTLM. Some certain services are really happy to use NTLM such as SMB. For instance if you connect to a fileshare using IP instead of FQDN it will default to NTLM. However in most cases the logs for event ID 8002 is pretty useless. EventID 8004 is the main log that we want. Defender for Identity also has an enrichment feature which applies to this EventID as well –> https://learn.microsoft.com/en-us/defender-for-identity/deploy/configure-windows-event-collection#configure-ntlm-auditing
Many of the logs might also be coming from spoolsv or from print services, this can be solved adding the following registry key to the clients using the print service
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" /v RpcNamedPipeAuthentication /t REG_DWORD /d 2 /f
Another option if you want to restrict the usage of NTLM from privileged accounts you can use the “Protected Users” group in Active Directory https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group. when you add a user to that Group, the following happens:
1: Credential delegation (CredSSP): Doesn’t cache the user’s plaintext credentials, even when the policy to allow delegation is enabled.
2. Windows Digest: For Windows 8.1 and later, it doesn’t cache plaintext credentials, even if enabled.
3. NTLM: Stops caching plaintext credentials or NT one-way function (NTOWF).
4. Kerberos: No longer creates DES or RC4 keys, and doesn’t cache plaintext credentials or long-term keys after acquiring the initial Ticket Granting Ticket (TGT).
5. Offline sign-in: The system no longer creates cached verifiers at sign-in, meaning offline sign-ins are no longer supported.
And essentially Members of the Protected Users group can only authenticate using Kerberos with Advanced Encryption Standards (AES). In addition there is a new setting to block NTLM from a SMB level as well with Windows Server 2025 and latest Windows 11 build https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-ntlm-blocking?tabs=group-policy if you still use RDS Gateway you need to deploy a KDC Proxy –> https://syfuhs.net/kdc-proxy-for-remote-access
However you can also add exception for services that cannot switch over to Kerberos using this policy “Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain“. NTLM Blocking can also be done via Group Policy for the entire domain.
Just be careful with just blocking NTLM, as one of the PMs Microsoft states “NTLM blocking is no joke. I didn’t bother to discuss how you actually disable NTLM here because you’re not ready to do it yet. NTLM blocking can be a résumé generating event!”