Microsoft has rolled out new protections to counter NTLM relay attacks. These changes tighten the security of an old authentication protocol that, let’s face it, is still hanging around like that one office chair no one wants to replace.
What Is NTLM, and Why Does It Need Help?
NTLM, or New Technology LAN Manager, is an authentication protocol Microsoft created in the 1990s. It uses a challenge-response process: the server sends a random “challenge,” and the client proves its identity by returning a response computed from that challenge and a hash of the user’s password (the NT hash). The password itself never crosses the wire, but the response is what attackers go after: it can be forwarded to another server while it is still fresh, or captured and cracked offline.
Despite Kerberos becoming the default with Windows 2000, NTLM hasn’t gone away. Many organizations still depend on it as a fallback for older systems and applications that were never moved to Kerberos. This makes NTLM a bit like the floppy disk of authentication protocols—functional but far from ideal.
How NTLM Relay Attacks Work
Attackers exploit a basic weakness in NTLM: the client’s response proves who the user is, but not which server the user meant to talk to. So an attacker can forward a live authentication to a system of their choosing. Here’s the short version:
- They bait the victim. The attacker plants a link to their own host in an Office document, an email, or a web page, so the victim’s machine tries to connect to it automatically; in many cases opening the file is enough, no click required.
- They stand in the middle. The attacker’s host answers, but instead of issuing its own challenge it opens a connection to the real target (a file server, an LDAP directory, a certificate service, an Exchange server) and passes that target’s challenge through to the victim.
- They relay the response. The victim’s machine answers the challenge with a response computed from the user’s password hash, and the attacker forwards it unchanged to the target, which accepts it. The attacker now has a session as the victim, with no password cracking needed and without ever learning the hash.
It’s simple, effective, and just as sneaky as it sounds.
Microsoft’s Counterattack: New Features
To fight back, Microsoft is turning on Extended Protection for Authentication (EPA) by default in Windows Server 2025. EPA itself is not new (it dates back to 2009 and Windows Server 2008 R2); what’s new is that it is on out of the box for the services relay attacks target most, Active Directory Certificate Services (AD CS) and LDAP, instead of being an opt-in hardening step. It’s like giving NTLM a security bodyguard. Here’s what’s new:
- EPA Default Settings: EPA is enabled by default for AD CS and LDAP on Windows Server 2025, and admins can raise it to the strictest setting, which rejects any client that does not send channel bindings at all.
- LDAP Channel Binding: Ties the NTLM authentication to the TLS session it travels over (LDAPS). The client includes a hash derived from the server’s certificate in its response; if an attacker relays that response over a different TLS session, the hash doesn’t match and the domain controller rejects the logon.
- Audit Tools: New audit events let admins identify clients that authenticate without channel bindings before enforcement is switched on, so the upgrade doesn’t break them unexpectedly.
- Exchange Server Updates: EPA is on by default in recent Exchange Server 2019 cumulative updates (starting with CU14) and can be enabled on older versions such as Exchange Server 2016.
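To make the relay, and what channel binding does to it, concrete, here is a small added example in Python that models the NTLMv2 exchange. It is not Microsoft’s code and not from this article; it covers the attack described under “How NTLM Relay Attacks Work” and the channel-binding defence listed above. Assumptions: MD5 stands in for MD4 in the NT hash (MD4 is often unavailable in modern OpenSSL builds), the NTLMv2 “temp” blob is simplified to nonce + target name + channel-binding hash, a TLS channel is represented by the server’s certificate fingerprint (Windows EPA uses the tls-server-end-point binding, a hash of the server certificate), and EPA’s separate service-binding (SPN) check is not modelled. The user, password, host names and fingerprints are constructed.

```python
"""Toy model of NTLMv2 challenge-response, an NTLM relay, and how EPA channel
binding breaks the relay. Added example, not Microsoft's or the article's code.
Simplifications (all assumptions): MD5 stands in for MD4 in the NT hash, the
NTLMv2 'temp' blob is a plain concatenation, and a TLS channel is represented
by the server's certificate fingerprint (tls-server-end-point binding)."""
import hashlib
import hmac
import os
from typing import Optional


def nt_hash(password: str) -> bytes:
    # Real NTLM: MD4(UTF-16LE(password)). MD5 substituted because MD4 is often
    # disabled in modern OpenSSL; the protocol structure is unchanged.
    return hashlib.md5(password.encode("utf-16-le")).digest()


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    # NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def channel_binding_token(channel: Optional[bytes]) -> bytes:
    # MsvAvChannelBindings: MD5 over the channel bindings. On a plaintext
    # connection (SMB, HTTP) the client has no binding and sends 16 zero bytes.
    return bytes(16) if channel is None else hashlib.md5(channel).digest()


class Client:
    def __init__(self, user: str, domain: str, password: str):
        self.user, self.domain = user, domain
        self.key = ntowf_v2(password, user, domain)

    def respond(self, server_challenge: bytes, target: str, channel: Optional[bytes]) -> dict:
        # `channel` is the TLS channel the client actually connected over
        # (None for plaintext). The client cannot tell whether `target` is the
        # real server or an attacker; that is exactly what the relay abuses.
        temp = os.urandom(8) + target.encode("utf-16-le") + channel_binding_token(channel)
        nt_proof = hmac.new(self.key, server_challenge + temp, hashlib.md5).digest()
        return {"user": self.user, "domain": self.domain, "nt_proof": nt_proof, "temp": temp}


class Server:
    """`epa` mirrors the Windows setting: 'off' ignores bindings,
    'when_supported' lets clients that send no binding through, 'always'
    requires a binding that matches this server's own TLS certificate."""

    def __init__(self, cert: bytes, epa: str = "off"):
        self.cert, self.epa, self.keys = cert, epa, {}

    def add_user(self, user: str, domain: str, password: str):
        # A DC holds the NT hash and derives NTOWFv2; stored pre-derived here.
        self.keys[(user.upper(), domain)] = ntowf_v2(password, user, domain)

    def challenge(self) -> bytes:
        return os.urandom(8)

    def verify(self, server_challenge: bytes, msg: dict) -> bool:
        key = self.keys.get((msg["user"].upper(), msg["domain"]))
        if key is None:
            return False
        expected = hmac.new(key, server_challenge + msg["temp"], hashlib.md5).digest()
        if not hmac.compare_digest(expected, msg["nt_proof"]):
            return False                         # wrong password: never relayable
        cbt = msg["temp"][-16:]                  # channel-binding hash sent by the client
        if self.epa == "off":
            return True
        if self.epa == "when_supported" and cbt == bytes(16):
            return True                          # client sent no binding; allowed in this mode
        return hmac.compare_digest(cbt, channel_binding_token(self.cert))


def relay(victim: Client, server: Server, victim_channel: Optional[bytes]) -> bool:
    """Attacker in the middle: obtains the real server's challenge, presents it
    to the victim as the challenge of its own service, and forwards the victim's
    AUTHENTICATE message unchanged. No password and no cracking are involved."""
    chal = server.challenge()
    msg = victim.respond(chal, "attacker.corp.local", victim_channel)
    return server.verify(chal, msg)


def demo() -> dict:
    # Constructed names, password and certificate fingerprints.
    real_cert = b"real-fileserver-cert-fingerprint"
    attacker_cert = b"attacker-cert-fingerprint"   # attacker has no private key for real_cert
    alice = Client("alice", "CORP", "Winter2024!")
    results = {}
    for mode in ("off", "when_supported", "always"):
        srv = Server(real_cert, epa=mode)
        srv.add_user("alice", "CORP", "Winter2024!")
        chal = srv.challenge()
        # Legitimate logon: Alice's TLS session really terminates at the server.
        results[f"legit/{mode}"] = srv.verify(chal, alice.respond(chal, "fileserver.corp.local", real_cert))
        # Relay triggered from a plaintext context (UNC link, plain HTTP): zero CBT.
        results[f"relay_plain/{mode}"] = relay(alice, srv, None)
        # Relay where the victim speaks TLS to the attacker's own endpoint.
        results[f"relay_tls/{mode}"] = relay(alice, srv, attacker_cert)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28} {'accepted' if ok else 'rejected'}")
```

Running the script shows every legitimate logon accepted in all three modes, the relay accepted whenever EPA is off, and the relay rejected in “always” mode. The one line worth staring at is relay_plain/when_supported: because the victim was lured over a plaintext connection, its response carries an all-zero binding, and the “When supported” mode lets it through. That is why the stricter setting matters.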
How Hackers Exploit NTLM
NTLM can be triggered from many places, but documents and emails are the favorite, because the victim doesn’t have to do anything unusual. Here’s an example:
- Office Documents: The attacker adds a UNC path (Universal Naming Convention, for example \\attacker-host\share\image.png) to a file, such as the source of an embedded image or a linked template.
- What Happens Next: The victim opens the file, Windows tries to fetch the resource over SMB or WebDAV, and the operating system automatically answers the attacker’s host with an NTLM authentication. The attacker captures the challenge-response for offline cracking or relays it live to another server.
- Recent Exploits: CVE-2024-21413, an Outlook vulnerability patched in February 2024, is a recent case: a specially crafted link in an email bypassed Protected View and caused Outlook to leak the user’s NTLM credentials to an attacker-controlled host.
It’s like the digital equivalent of handing your car keys to someone who promises they’re just borrowing them.
How to Protect Your Systems
While NTLM isn’t leaving anytime soon, you can make it much harder to relay:
- Disable NTLM: Audit NTLM use first (the “Network security: Restrict NTLM” audit policies exist for exactly this), fix the applications and hosts that still need it, then restrict or disable it and rely on Kerberos.
- Enable EPA: Turn on Extended Protection for AD CS web enrollment, Exchange, and any other IIS service that accepts NTLM, and set LDAP channel binding on domain controllers. Prefer the strictest mode: the “When supported” mode still accepts clients that send no channel binding, so an authentication relayed from a plaintext connection gets through.
- Follow Best Practices: Microsoft also recommends disabling the AD CS web enrollment services if you don’t need them (they are a favorite relay target) and requiring SMB signing, which stops a relayed session from being used against file shares.
NTLM isn’t the best, but it’s still around. Microsoft’s updates show progress, but the ultimate goal is to phase it out entirely. Until then, treat NTLM like that leftover Halloween candy—it might still be okay, but proceed with caution.
Hackers may be clever, but with these updates, they’ll have to work a little harder. And really, who doesn’t love making a hacker’s day just a bit worse?
Martin Baker
Martin Baker, Managing Editor at Decoded.cc, harnesses a decade of digital publishing expertise to craft engaging content around technology, data, and culture. He leads cross-functional teams, enforces editorial excellence, and transforms complex ideas into accessible narratives—fueling Decoded.cc’s growth and impact.