Executive Summary
In June 2024, Microsoft announced the deprecation of the NTLM authentication protocol, ceasing its active development and urging organizations to transition to more secure alternatives like Kerberos. This decision was driven by NTLM's inherent security vulnerabilities, including susceptibility to relay attacks and lack of support for modern cryptographic methods. The deprecation process began in early 2025, with phased reductions in support throughout the year, aiming for complete removal by the end of 2027. Organizations relying on NTLM are advised to assess their authentication mechanisms and plan migrations to more secure protocols to mitigate potential security risks. (threatdown.com)
The deprecation of NTLM underscores a broader industry shift towards enhancing authentication security. As cyber threats evolve, legacy protocols like NTLM become prime targets due to their known weaknesses. This move aligns with Microsoft's Secure Future Initiative, emphasizing the importance of adopting robust authentication methods to safeguard against emerging threats. (microsoft.com)
Why This Matters Now
The deprecation of NTLM is critical as it addresses longstanding security vulnerabilities that have been exploited in various attacks. Organizations must act promptly to transition to more secure authentication protocols to protect against potential breaches and align with industry best practices.
Attack Path Analysis
An attacker exploited the NTLM authentication protocol to gain initial access to the network. They then escalated privileges by capturing and reusing NTLM hashes. Using these credentials, the attacker moved laterally across the network to access sensitive systems. They established command and control channels to maintain persistent access. Subsequently, they exfiltrated sensitive data from the compromised systems. Finally, the attacker disrupted operations by deploying ransomware, encrypting critical files and demanding payment.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited vulnerabilities in the NTLM authentication protocol to gain unauthorized access to the network.
Related CVEs
CVE-2025-24054
CVSS 5.4: An external control of file name or path vulnerability in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.
Affected Products:
Microsoft Windows NTLM – All versions prior to March 2025 patch
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
Use Alternate Authentication Material
Brute Force
Modify Authentication Process
Adversary-in-the-Middle
Application Layer Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Users and Administrators
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity and Access Management
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
NTLM deprecation impacts legacy authentication systems critical for secure financial transactions, requiring urgent zero trust segmentation and egress security implementations.
Health Care / Life Sciences
Authentication protocol vulnerabilities threaten HIPAA compliance requiring immediate east-west traffic security and encrypted communications to protect sensitive patient data flows.
Government Administration
Legacy NTLM dependencies in government systems create critical security gaps necessitating multicloud visibility controls and threat detection capabilities for national security.
Financial Services
Windows authentication changes demand comprehensive policy enforcement and anomaly detection systems to prevent lateral movement and data exfiltration in financial networks.
Sources
- Microsoft to disable NTLM by default in future Windows releases: https://www.bleepingcomputer.com/news/microsoft/microsoft-to-disable-ntlm-by-default-in-future-windows-releases/
- Upcoming changes to NTLMv1 in Windows 11, version 24H2 and Windows Server 2025: https://support.microsoft.com/en-us/topic/upcoming-changes-to-ntlmv1-in-windows-11-version-24h2-and-windows-server-2025-c0554217-cdbc-420f-b47c-e02b2db49b2e
- Mitigating NTLM Relay Attacks by Default: https://www.microsoft.com/en-us/msrc/blog/2024/12/mitigating-ntlm-relay-attacks-by-default/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's lateral movement and data exfiltration by enforcing strict segmentation and identity-aware policies, thereby reducing the blast radius of the breach.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been limited by enforcing identity-aware policies that restrict unauthorized authentication attempts.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been constrained by segmenting network access based on strict identity verification.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement may have been restricted by monitoring and controlling east-west traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control channels could have been detected and disrupted through enhanced visibility and control across multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may have been thwarted by enforcing strict egress policies that monitor and control outbound data flows.
Mitigation: The attacker's ability to deploy ransomware and encrypt critical files could have been limited by restricting unauthorized access to sensitive systems and data.
Impact at a Glance
Affected Business Functions
- User Authentication
- Network Security
- Access Control
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of user credentials due to NTLM vulnerabilities.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit access to critical systems.
- Deploy East-West Traffic Security controls to monitor and prevent unauthorized internal communications.
- Utilize Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- Transition from NTLM to more secure authentication protocols like Kerberos to mitigate authentication vulnerabilities.
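The NTLM-to-Kerberos step above starts with knowing where NTLM is still used. The PowerShell below is an added example, not code from the original brief or from Aviatrix: it reads the host's NTLM hardening settings, lists which accounts and workstations still logged on with NTLM over the last seven days, and summarises the NTLM operational audit log. It assumes an elevated session on a Windows host; the registry value names, Security event 4624 fields and the Microsoft-Windows-NTLM/Operational log are standard Windows items, while the seven-day window and the report layout are this example's own choices.

```powershell
# Added example (not from the original brief): inventory NTLM posture on one host
# before planning the Kerberos migration. Run in an elevated PowerShell session.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Join-Path $lsa 'MSV1_0'

# 1. LmCompatibilityLevel: 5 = send NTLMv2 only and refuse LM/NTLMv1 (recommended floor).
$lmLevel = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel

# 2. "Network security: Restrict NTLM" policy state.
#    AuditReceivingNTLMTraffic:    0 = off, 1 = domain accounts, 2 = all accounts
#    RestrictReceivingNTLMTraffic: 0 = allow all, 1 = deny domain accounts, 2 = deny all
$audit    = (Get-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic    -ErrorAction SilentlyContinue).AuditReceivingNTLMTraffic
$restrict = (Get-ItemProperty -Path $msv -Name RestrictReceivingNTLMTraffic -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic

[pscustomobject]@{
    LmCompatibilityLevel         = $(if ($null -eq $lmLevel)  { 'not set (OS default)' } else { $lmLevel })
    AuditReceivingNTLMTraffic    = $(if ($null -eq $audit)    { 'not set' } else { $audit })
    RestrictReceivingNTLMTraffic = $(if ($null -eq $restrict) { 'not set' } else { $restrict })
} | Format-List

# 3. Migration worklist: Security event 4624 records the package used for each logon.
#    NTLM logons carry AuthenticationPackageName = 'NTLM' and LmPackageName = 'NTLM V1'/'NTLM V2'.
$since = (Get-Date).AddDays(-7)   # example's own window
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['AuthenticationPackageName'] -eq 'NTLM' -or $d['LmPackageName'] -like 'NTLM*') {
            [pscustomobject]@{
                Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Workstation = $d['WorkstationName']
                IpAddress   = $d['IpAddress']
                LmPackage   = $d['LmPackageName']   # NTLMv1 entries are the most urgent to fix
            }
        }
    } |
    Group-Object Account, Workstation, LmPackage |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 4. With AuditReceivingNTLMTraffic enabled, the NTLM operational log records each
#    audited NTLM authentication (event IDs 8001-8004). Count them by event ID.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object Id | Select-Object Name, Count
```

Run the script on a sample of servers and workstations first and on domain controllers last: the 4624 grouping shows which accounts and source hosts to migrate, and the 8001-8004 counts should trend to zero before RestrictReceivingNTLMTraffic is raised from audit to deny.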