Microsoft on Monday confirmed its plans to deprecate NT LAN Manager (NTLM) in Windows 11 in the second half of the year, as it announced a slew of new security measures to harden the widely used desktop operating system.
“Deprecating NTLM has been a huge ask from our security community as it will strengthen user authentication, and deprecation is planned in the second half of 2024,” the tech giant said.
The Windows maker originally announced its decision to drop NTLM in favor of Kerberos for authentication in October 2023.
Beyond its lack of support for modern cryptographic methods such as AES or SHA-256, NTLM is also susceptible to relay attacks, a technique that has been widely exploited by the Russia-linked APT28 actor via zero-day flaws in Microsoft Outlook.
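Before NTLM is removed, a defender wants an inventory of which accounts and hosts still authenticate with it, and especially with NTLMv1. The following is an added example, not code from the article or from Microsoft: it reads a constructed CSV export of Security-log logon events (Event ID 4624) and summarises them by authentication package and NTLM version. The field names follow the 4624 event data; the values are made up for this example.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export (e.g. from Event Viewer or Get-WinEvent | Export-Csv).
# 4624 = successful logon, 4625 = failed logon. Values are invented for this example.
SAMPLE_CSV = """\
EventID,LogonType,AuthenticationPackageName,LmPackageName,TargetUserName,WorkstationName
4624,3,Kerberos,-,alice,WS01
4624,3,NTLM,NTLM V2,bob,WS02
4624,3,NTLM,NTLM V1,svc_backup,FILESRV
4624,2,Negotiate,-,carol,WS03
4624,3,NTLM,NTLM V2,bob,WS02
4625,3,NTLM,NTLM V1,eve,UNKNOWN
"""


def parse_events(csv_text):
    """Return the rows of a CSV export as a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def ntlm_inventory(events):
    """Summarise successful logons by authentication package and, for NTLM,
    by protocol version (LmPackageName), recording which (user, host) pairs
    still rely on each NTLM version."""
    by_package = Counter()
    ntlm_versions = Counter()
    ntlm_sources = defaultdict(set)
    for ev in events:
        if ev["EventID"] != "4624":
            continue  # only completed logons matter for the migration inventory
        pkg = ev["AuthenticationPackageName"]
        by_package[pkg] += 1
        if pkg == "NTLM":
            version = ev["LmPackageName"]  # "NTLM V1", "NTLM V2" or "LM"
            ntlm_versions[version] += 1
            ntlm_sources[version].add((ev["TargetUserName"], ev["WorkstationName"]))
    return {
        "by_package": dict(by_package),
        "ntlm_versions": dict(ntlm_versions),
        "ntlm_sources": {k: sorted(v) for k, v in ntlm_sources.items()},
    }


def ntlmv1_dependents(events):
    """(user, host) pairs still completing NTLMv1 logons: the weakest today and
    the first to break when NTLM is switched off."""
    return ntlm_inventory(events)["ntlm_sources"].get("NTLM V1", [])


if __name__ == "__main__":
    inventory = ntlm_inventory(parse_events(SAMPLE_CSV))
    print(inventory["by_package"], inventory["ntlm_versions"])
    print("NTLMv1 dependents:", ntlmv1_dependents(parse_events(SAMPLE_CSV)))
```

In a real environment, feed the script the exported 4624 events from domain controllers over a full business cycle, so that infrequent service accounts and scheduled jobs show up before the cut-over.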
Other changes coming to Windows 11 include enabling Local Security Authority (LSA) protection by default for new consumer devices and the use of virtualization-based security (VBS) to secure Windows Hello technology.
Smart App Control, which protects users from running untrusted or unsigned applications, has also been upgraded with an artificial intelligence (AI) model to determine the safety of apps and block those that are unknown or contain malware.
Complementing Smart App Control is a new end-to-end solution called Trusted Signing that allows developers to sign their apps and simplifies the entire certificate signing process.
Some of the other noteworthy security improvements are as follows –
- Win32 app isolation, which is designed to contain damage in the event of an application compromise by creating a security boundary between the application and the operating system
- Limiting abuse of admin privileges by requesting the user’s explicit approval
- VBS enclaves for third-party developers to create trusted execution environments
Microsoft further said it’s making Windows Protected Print Mode (WPP), which it unveiled in December 2023 as a way to counter the risks posed by the privileged Spooler process and secure the printing stack, the default print mode in the future.
In doing so, the idea is to run the Print Spooler as a restricted service and drastically limit its appeal as a pathway for threat actors to gain elevated permissions on a compromised Windows system.
Redmond also said it will no longer trust TLS (transport layer security) server authentication certificates with RSA keys shorter than 2048 bits due to “advancements in computing power and cryptanalysis.”
Capping off the list of security features is Zero Trust Domain Name System (ZTDNS), which aims to help commercial customers lock down Windows within their networks by natively restricting Windows devices to connect only to approved network destinations by domain name.
These improvements also follow criticism of Microsoft’s security practices that allowed nation-state actors from China and Russia to breach its Exchange Online environment, with a recent report from the U.S. Cyber Safety Review Board (CSRB) noting that the company’s security culture requires an overhaul.
In response, Microsoft has outlined sweeping changes to prioritize security above all else as part of its Secure Future Initiative (SFI) and hold senior leadership directly accountable for meeting cybersecurity goals.
Google, for its part, said the CSRB report “underscores a long overdue, urgent need to adopt a new approach to security,” calling on governments to procure systems and products that are secure-by-design, enforce security recertifications for products suffering major security incidents, and be aware of risks posed by monoculture.
“Using the same vendor for operating systems, email, office software, and security tooling […] raises the risk of a single breach undermining an entire ecosystem,” the company said.
“Governments should adopt a multi-vendor strategy and develop and promote open standards to ensure interoperability, making it easier for organizations to replace insecure products with those that are more resilient to attack.”