About NTLM usage in your environment
Updated: November 21, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
This topic describes the NTLM authentication protocol, how it is used in Windows environments, and supported scenarios for restricting NTLM in a domain.
How NTLM works
The NTLM Security Support Provider (SSP) includes a number of authentication protocols: LAN Manager, NTLM version 1 (NTLMv1) and NTLM version 2 (NTLMv2). These protocols authenticate users and computers based on a challenge/response mechanism that proves to a server or domain controller that a user knows the password associated with an account. When the NTLM protocol is used, a resource server must take one of the following actions to verify the identity of a computer or user whenever a new access token is needed:
Contact a domain authentication service on the domain controller for the computer's or user's account domain, if the account is a domain account.
Look up the computer's or user's account in the local account database, if the account is a local account.
NTLM authentication is still supported and must be used for Windows authentication with systems configured as a member of a workgroup. NTLM authentication is also used for local logon authentication on non-domain controllers. Kerberos version 5 authentication is the preferred authentication method for Active Directory environments, but both Microsoft and non-Microsoft applications might still use NTLM, and the Negotiate package falls back to NTLM whenever Kerberos cannot be used.
NTLM credentials consist of a domain name or workgroup server name, a user name, and a one-way hash of the user's password (the NT hash). The hash is usually obtained at interactive logon and cached; the password itself is never sent over the network. Instead, the user requesting authentication proves knowledge of the password by computing a response to the challenge received from the server. That computation needs only the hash, so a stolen hash is as useful to an attacker as the password.
The Windows server and Windows client operating systems support the NTLM SSP (msv1_0.dll) for authentication compatibility between systems and applications. NTLM authentication is the default authentication protocol for workgroup environments and for many non-Microsoft applications. The NTLM SSP can be used for the following:
Print services
File access using CIFS/SMB
Secure RPC/DCOM-based services
Understanding the problems and risks with using NTLM
The Kerberos protocol was promoted in Windows Server 2003 and Windows XP as a stronger authentication protocol that provides mutual authentication instead of NTLM's one-way challenge/response. NTLM has the following weaknesses:
No server authentication. The server verifies the client, but the client has no way to verify that the challenge came from the server it intended to reach, so a client can be induced to authenticate to an impostor.
Weaker cryptography. LM and NTLMv1 responses are produced with DES keyed from the password hash, and NTLMv2 uses HMAC-MD5; none of these matches the encryption types the Kerberos protocol uses.
Slower performance (compared to the Kerberos protocol) on repeated connections to the same server. Every NTLM authentication to a domain account requires the resource server to contact a domain controller, whereas a Kerberos client reuses a cached service ticket.
NTLM is required where server authentication is not possible, such as when a client addresses a server by IP address rather than by a name from which a service principal name (SPN) can be built.
Topics in this section
The following topics describe under which conditions you should consider a project that involves reducing NTLM, how you evaluate your environment, and what preparations you should make before undertaking the project.
Supported scenarios for restricting NTLM in a domain
This reference topic describes the possible scenarios for setting the security policies to restrict NTLM authentication in a domain.
Evaluating your environment for NTLM reduction
This topic describes what you need to consider when evaluating your IT environment for reducing usage of NTLM by using available tools.
Preparations for assessing NTLM usage
This topic describes design and planning considerations you need to address when reducing NTLM usage in your environment.