

    Windows 11 to Retire NTLM, Integrate AI-Powered App Controls and Robust Security Defenses

    On Monday, Microsoft revealed its intent to phase out NT LAN Manager (NTLM) in Windows 11 during the latter half of the year, as part of a comprehensive update introducing new security measures to fortify the popular desktop operating system.

    “Phasing out NTLM has been a significant demand from our security community. This move will enhance user authentication, and deprecation is scheduled for the second half of 2024,” stated the tech behemoth.

    Microsoft first announced its plan to move Windows authentication from NTLM to Kerberos in October 2023.

    NTLM's weaknesses are well known: the protocol cannot use modern primitives such as AES or SHA-256, and it is susceptible to relay and credential-theft attacks. They have also been exploited in the wild: the Russia-linked APT28 group used a zero-day vulnerability in Microsoft Outlook to coerce clients into sending NTLM credentials to attacker-controlled servers.

    Upcoming changes in Windows 11 also include enabling Local Security Authority (LSA) protection by default on new consumer devices and using virtualization-based security (VBS) to protect Windows Hello.
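Before NTLM is removed, the practical question for an administrator is where it is still being used and whether LSA protection is already on. The script below is an added example written for this article, not code from Microsoft or from the original page: it reads the documented "Network security: Restrict NTLM" policy values and the RunAsPPL setting from the registry, and pulls the audited NTLM authentications from the Microsoft-Windows-NTLM/Operational log (which only fills once auditing is enabled). It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session; the function names are the author's own.

```powershell
# Added example: audit NTLM usage and LSA protection on this host.
# Assumes an elevated PowerShell session; registry paths are the documented
# locations for the "Restrict NTLM" policies and LSA protection (RunAsPPL).

function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, $Default = 'not set')
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

function Get-NtlmPosture {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"
    [pscustomobject]@{
        # 0-5; 5 = send NTLMv2 only and refuse LM and NTLMv1 responses.
        LmCompatibilityLevel         = Get-RegValueOrDefault $lsa 'LmCompatibilityLevel'
        # 0 = allow all, 1 = audit all, 2 = deny all outgoing NTLM to remote servers.
        RestrictSendingNTLMTraffic   = Get-RegValueOrDefault $msv 'RestrictSendingNTLMTraffic'
        # 0 = off, 1 = audit domain accounts, 2 = audit all incoming NTLM.
        AuditReceivingNTLMTraffic    = Get-RegValueOrDefault $msv 'AuditReceivingNTLMTraffic'
        # 0 = allow all, 1 = deny domain accounts, 2 = deny all incoming NTLM.
        RestrictReceivingNTLMTraffic = Get-RegValueOrDefault $msv 'RestrictReceivingNTLMTraffic'
        # 1 or 2 = LSA runs as a protected process; this is the setting Windows 11
        # will turn on by default for new consumer devices.
        RunAsPPL                     = Get-RegValueOrDefault $lsa 'RunAsPPL'
    }
}

function Enable-NtlmAudit {
    # Audit-only: log every NTLM use without blocking anything, so the
    # dependencies surface before the protocol is removed.
    $msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    Set-ItemProperty -Path $msv -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord
    Set-ItemProperty -Path $msv -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord
}

function Get-NtlmAuditEvents {
    param([int]$Days = 7, [int]$Max = 500)
    # 8001 = outgoing NTLM (client), 8002 = incoming NTLM (server),
    # 8003 = incoming NTLM for domain accounts, 8004 = NTLM audited/blocked by a DC.
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                # The first line of the message names the audited operation and target.
                Summary = ($_.Message -split "`r?`n")[0]
            }
        }
}

# Usage: show the current posture, then summarise and list recent NTLM events.
Get-NtlmPosture | Format-List
Get-NtlmAuditEvents -Days 7 | Group-Object Id | Select-Object Name, Count
Get-NtlmAuditEvents -Days 7 | Select-Object -First 10 | Format-Table -AutoSize
```

Run Enable-NtlmAudit first on a host where nothing has been configured; the operational log stays empty until the audit policies are set. Move to the deny values (2 for outgoing and incoming traffic) only after the event list has been empty for long enough to cover your monthly and quarterly jobs, since those are the NTLM dependencies that a one-week sample misses.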

    Smart App Control, which prevents users from running untrusted or unsigned applications, will now incorporate an artificial intelligence (AI) model to assess app safety and block those that are unknown or malicious.

    In tandem with Smart App Control, a new end-to-end solution called Trusted Signing will allow developers to sign their apps, streamlining the certificate signing process.

    Other notable security enhancements include:

    • Win32 app isolation, designed to contain damage in the event of an application compromise by establishing a security boundary between the application and the operating system.
    • Measures to limit the abuse of administrative privileges by requiring explicit user approval before an action runs with elevated rights.
    • VBS enclaves for third-party developers to create trusted execution environments.

    Microsoft also announced that Windows Protected Print Mode (WPP), introduced in December 2023 to mitigate risks posed by the privileged Spooler process and secure the printing stack, will become the default print mode.

    This measure aims to run the Print Spooler as a restricted service, significantly reducing its attractiveness as a vector for threat actors to gain elevated permissions on compromised Windows systems.

    Additionally, Microsoft will cease to trust TLS (transport layer security) server authentication certificates with RSA keys less than 2048 bits, due to “advancements in computing power and cryptanalysis.”
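An administrator will want to know which certificates this change catches before it lands. The script below is an added example written for this article, not code from Microsoft or from the original page. It sweeps the machine's certificate stores for RSA keys shorter than 2048 bits and can also read the key size presented by a remote TLS server. It assumes Windows PowerShell 5.1 or PowerShell 7 with .NET 4.6 or later (for RSACertificateExtensions); the function names and the default store list are the author's own.

```powershell
# Added example: find TLS certificates with RSA keys shorter than 2048 bits.
# Assumes Windows PowerShell 5.1 / PowerShell 7 and .NET 4.6+.
using namespace System.Security.Cryptography.X509Certificates

function Get-WeakRsaCertificates {
    param(
        # Default stores are an assumption; add others (e.g. WebHosting) as needed.
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\My'),
        [int]$MinBits = 2048
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            $cert = $_
            # GetRSAPublicKey returns $null for non-RSA (e.g. ECDSA) certificates,
            # which the announced change does not affect.
            $rsa = [RSACertificateExtensions]::GetRSAPublicKey($cert)
            if ($null -eq $rsa) { return }
            if ($rsa.KeySize -lt $MinBits) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = $rsa.KeySize
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

function Get-RemoteServerKeySize {
    param([string]$HostName, [int]$Port = 443, [int]$MinBits = 2048)
    $client = $null
    $ssl = $null
    try {
        $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
        # The validation callback returns $true so the key size can be read even
        # when Windows would reject the chain; this function does not decide trust.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [X509Certificate2]::new($ssl.RemoteCertificate)
        $rsa = [RSACertificateExtensions]::GetRSAPublicKey($cert)
        [pscustomobject]@{
            Host         = $HostName
            Subject      = $cert.Subject
            KeyBits      = if ($rsa) { $rsa.KeySize } else { 'non-RSA' }
            MeetsMinimum = ($null -eq $rsa) -or ($rsa.KeySize -ge $MinBits)
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($client) { $client.Close() }
    }
}

# Usage: list weak keys in the local stores, then check one published endpoint.
Get-WeakRsaCertificates | Format-Table -AutoSize
Get-RemoteServerKeySize -HostName 'www.example.com'
```

The announced change, as Microsoft described it, concerns server authentication certificates that chain to roots in the Microsoft Trusted Root Program; certificates issued by an internal enterprise CA are not covered by that cut-off, but a sub-2048-bit RSA key is worth replacing there too, and the sweep finds both.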

    Rounding out the list of security features is Zero Trust Domain Name System (ZTDNS), designed to help commercial customers secure Windows within their networks by natively restricting Windows devices to connect only to approved network destinations by domain name.

    These improvements come in the wake of criticism of Microsoft's security practices after nation-state actors from China and Russia breached its environments, including the theft of Exchange Online email from a China-linked actor's forged authentication tokens. A recent report from the U.S. Cyber Safety Review Board (CSRB) on that intrusion concluded that the company's security culture needs an overhaul.

    In response, Microsoft has outlined significant changes to prioritize security as part of its Secure Future Initiative (SFI), holding senior leadership accountable for meeting cybersecurity objectives.

    Google, in response to the CSRB report, emphasized the urgent need for a new approach to security. The company urged governments to procure systems and products that are secure-by-design, enforce security recertifications for products with major security incidents, and be aware of the risks posed by relying on a single vendor.

    “Using the same vendor for operating systems, email, office software, and security tools increases the risk of a single breach compromising an entire ecosystem,” Google stated.

    “Governments should adopt a multi-vendor strategy and promote open standards to ensure interoperability, making it easier for organizations to replace insecure products with those more resilient to attacks.”
