Microsoft on Monday confirmed plans to phase out NT LAN Manager (NTLM) in Windows 11 in the second half of the year, as it announced a set of new security measures to strengthen the widely used desktop operating system.
“The deprecation of NTLM has been a huge request from our security community as it will strengthen user authentication and the retirement is planned for the second half of 2024,” the tech giant said.
The Windows maker initially announced its decision to ditch NTLM in favor of Kerberos for authentication in October 2023.
Despite NTLM’s lack of support for cryptographic methods such as AES or SHA-256, the protocol is also made vulnerable to relay attacks, a technique widely used by Russian-linked actor APT28 via Microsoft Outlook zero-day vulnerabilities.
Other changes coming to Windows 11 include enabling Local Security Authority (LSA) security by default for new user devices and using Virtualization-Based Security (VBS) to protect Windows Hello technology.
Smart App Control, which protects users from running untrusted or unsigned apps, has also been upgraded with an artificial intelligence (AI) model to determine the safety of apps and block those that are unknown or contain malware.
Complementing Smart App Control is a new end-to-end solution called Trusted Signing that allows developers to sign their apps and simplifies the entire certificate signing process.
Some of the other notable security improvements are as follows –
- Win32 application isolation, which is designed to protect against harm in the event of an application being compromised by creating a security boundary between the application and the operating system
- Limit abuse of administrative privileges by requesting explicit user approval
- VBS enclaves for third-party developers to create reliable execution environments
Additionally, Microsoft said it is making Windows Protected Printing Mode (WPP), which it introduced in December 2023 as a way to counter risks posed by the privileged spooler process and protect the print stack, the default printing mode in the future.
Thus, the idea is to run Print Spooler as a limited service and drastically limit its appeal as a way for threats to gain elevated permissions on a compromised Windows system.
Redmond also said it would no longer trust TLS (Transport Layer Security) server certificates for authentication with RSA keys smaller than 2048 bits because of “advances in computing power and cryptanalysis.”
Completing the list of security features is the Zero Trust Domain Name System (ZTDNS), which aims to help commercial customers lock down Windows on their networks by naturally restricting Windows devices from connecting to only approved network destinations via name domain.
These improvements also follow criticism of Microsoft’s security practices that allowed nation-state actors from China and Russia to breach the Exchange Online environment, with a recent report from the US Cybersecurity Review Board (CSRB) noting that the security culture of the company requires an overhaul.
In response, Microsoft outlined sweeping changes to prioritize security above all else as part of its Secure Futures Initiative (SFI) and hold senior management directly accountable for achieving cybersecurity goals.
Google, for its part, said the CSRB report “highlights the long-overdue, urgent need to adopt a new approach to security,” calling on governments to ensure systems and products are secure by design, mandate security recertification for products suffering from serious security incidents and be aware of the risks posed by monoculture.
“Using the same vendor for operating systems, email, office software and security tools […] it raises the risk of a single breach undermining an entire ecosystem,” the company said.
“Governments should adopt a multi-vendor strategy and develop and promote open standards to ensure interoperability, making it easier for organizations to replace insecure products with ones that are more resistant to attack.”
