
This migration represents a massive shift in security for Windows systems and could come with some challenges and costs. Legacy systems, hardcoded authentication, embedded systems like HVAC controllers, and hidden ‘fallback’ configurations can take time to identify and fix.
What’s involved in migration?
Before NTLM can be disabled, MSPs and IT teams must first identify where it is being used. This is investigative work that is supported by the new enhanced auditing features. The process may be time-consuming, especially if NTLM is only used during specific times or events.
Anything using NTLM must be tested with NTLM disabled. This can involve setting up the test environments, configuring Kerberos authentication and working with end-users to validate functionality.
When everything has been tested, the migration from NTLM to Kerberos may be as simple as a group policy change, or it may require software upgrades or code changes. MSPs and IT teams may need to coordinate with multiple vendors and support teams, and unexpected delays can extend the timeline of the project.
Just like any other IT project, there should be a period of monitoring and communication to identify and address any unexpected effects on users. This is a good time to document new procedures or policies and train anyone who may need to address issues as they arise.
Ongoing monitoring after the project will help ensure that NTLM is not reintroduced into the network.
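The inventory, test, cut-over and monitoring steps above, as an added PowerShell example (not code from the original article). It assumes an elevated session on a domain-joined Windows host and that success-logon auditing (Security event 4624) is enabled, which is the default on servers and domain controllers. The registry values under the MSV1_0 key correspond to the "Network security: Restrict NTLM" group policy settings; the function name Get-NtlmLogonInventory and the CSV path are the example's own choices.

```powershell
# Added example, not code from the original article. Assumes a domain-joined
# Windows host, an elevated PowerShell session, and that Security event 4624
# (successful logon) auditing is enabled. The registry values below mirror the
# "Network security: Restrict NTLM" group policy settings under the MSV1_0 key.

$Msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Step 1: audit, do not block. Log all incoming and outgoing NTLM on this host.
Set-ItemProperty -Path $Msv -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord   # 2 = audit all accounts
Set-ItemProperty -Path $Msv -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord  # 1 = audit all outgoing
# Domain-wide audit of NTLM pass-through authentication, domain controllers only:
# Set-ItemProperty -Path $Msv -Name 'AuditNTLMInDomain' -Value 7 -Type DWord          # 7 = audit all

# Step 2: inventory NTLM logons from the Security log. Event 4624 records the
# authentication package used; LmPackageName distinguishes NTLM V1 from V2.
function Get-NtlmLogonInventory {
    param([int]$Days = 30)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Flatten the EventData name/value pairs of each event into a hashtable
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['AuthenticationPackageName'] -eq 'NTLM') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType   = $d['LogonType']
                NtlmVersion = $d['LmPackageName']      # 'NTLM V1' or 'NTLM V2'
                SourceIp    = $d['IpAddress']
                Workstation = $d['WorkstationName']
            }
        }
      }
}

# Step 3: summarise by account, source and NTLM version. Each row is a dependency
# that must be tested with NTLM disabled before the policy is switched to deny.
$inventory = Get-NtlmLogonInventory -Days 30
$inventory |
  Group-Object User, SourceIp, NtlmVersion |
  Sort-Object Count -Descending |
  Select-Object Count, @{ n = 'User / SourceIp / Version'; e = { $_.Name } } |
  Format-Table -AutoSize

# Keep a dated CSV so the same report can be compared after migration; a new row
# appearing later means NTLM has been reintroduced somewhere (ongoing monitoring).
$inventory | Export-Csv -Path "$env:TEMP\ntlm-inventory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Step 4 (only after every row above has been resolved and tested): the blocking
# values for the same settings are RestrictReceivingNTLMTraffic = 2 (deny all
# accounts) and RestrictSendingNTLMTraffic = 2 (deny all). Left commented out here.
# Set-ItemProperty -Path $Msv -Name 'RestrictReceivingNTLMTraffic' -Value 2 -Type DWord
# Set-ItemProperty -Path $Msv -Name 'RestrictSendingNTLMTraffic' -Value 2 -Type DWord
```

Run the script on a weekly schedule during the audit phase so that NTLM use that only occurs at specific times or events (month-end jobs, backup windows) shows up in the inventory before the cut-over; after the cut-over, a non-empty result is the signal that a fallback has crept back in.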
NTLM is a security risk
NTLM is exploited by dozens of threat groups like Volt Typhoon, Scattered Spider, Wizard Spider and Dragonfly. The hash-based authentication model is a root enabler for attacks that lead to ransomware or advanced persistent threat (APT) intrusions. Still, Microsoft continues to find the use of NTLM “prevalent in enterprise environments where modern protocols like Kerberos cannot be implemented due to legacy dependencies, network limitations, or ingrained application logic.” Hopefully these organizations are actively working to eliminate NTLM dependencies.
Companies may not want to invest in an NTLM project, especially if they have just invested in a bunch of new Windows 11 machines. It can also be tough to explain NTLM to a non-technical audience. Still, NTLM is a business risk and business leaders usually do understand the impacts of a ransomware attack. Moving to Kerberos authentication is a strategic security investment with long-term benefits, and it should be done as soon as possible.
