
Microsoft to Disable NTLM by Default in Future Windows Releases

2 unique sources, 2 articles

Summary


Microsoft plans to disable the 30-year-old NTLM authentication protocol by default in upcoming Windows releases due to its security vulnerabilities. NTLM, introduced in 1993, has been widely exploited in attacks such as NTLM relay and pass-the-hash attacks. Microsoft is transitioning to Kerberos-based authentication, which is more secure. The company has outlined a three-phase transition plan to mitigate risks and minimize disruption. NTLM has been a fallback authentication method when Kerberos is unavailable, but its weak cryptography and vulnerabilities make it a target for attackers. Microsoft's move aims to enhance security by default in future Windows Server and client versions. NTLM was formally deprecated in June 2024 and no longer receives updates. The transition is part of Microsoft's efforts to move toward a passwordless, phishing-resistant future.

Timeline

  1. 30.01.2026 19:08 (2 articles)

    Microsoft Announces Three-Phase Transition Plan to Disable NTLM by Default

    Microsoft has outlined a three-phase transition plan to disable NTLM by default in future Windows releases. Phase one involves enhanced auditing tools in Windows 11 24H2 and Windows Server 2025 to identify NTLM usage. Phase two, scheduled for the second half of 2026, will introduce new features such as IAKerb and a Local Key Distribution Center to address NTLM fallback scenarios. Phase three will disable network NTLM by default in future releases, though it can be re-enabled through policy controls if needed. NTLM was formally deprecated in June 2024 and no longer receives updates. Microsoft continues to find NTLM use prevalent in enterprise environments because of legacy dependencies, network limitations, or ingrained application logic. The transition is part of Microsoft's efforts to move toward a passwordless, phishing-resistant future.
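    The phase-one task of finding where NTLM is still used can be started today from the built-in event logs. The script below is an added example written for this page, not code from the article or from Microsoft; it assumes the three "Network security: Restrict NTLM" policies are set to Audit (which populates the Microsoft-Windows-NTLM/Operational log) and that it runs elevated on the host being inventoried.

```powershell
# Added example (not from the article or Microsoft): inventory NTLM use on one host
# so legacy dependencies can be found before network NTLM is off by default.
# Assumes the three "Network security: Restrict NTLM" audit policies are set to
# Audit, which populates the Microsoft-Windows-NTLM/Operational log.
$since = (Get-Date).AddDays(-7)

# NTLM/Operational audit events: 8001 outgoing to remote servers, 8002 incoming,
# 8003 NTLM in this domain, 8004 NTLM request seen on a domain controller.
$meaning = @{
    8001 = 'outgoing NTLM to remote server'; 8002 = 'incoming NTLM'
    8003 = 'NTLM in this domain';            8004 = 'NTLM seen on DC'
}
$ntlm = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004; StartTime = $since
}
$ntlm | Group-Object Id | ForEach-Object {
    [pscustomobject]@{ EventId = $_.Name; Meaning = $meaning[[int]$_.Name]; Count = $_.Count }
} | Format-Table -AutoSize

# Security 4624: successful logons whose AuthenticationPackageName is NTLM, grouped
# by account, source address and logon type. These are the sessions that need a
# Kerberos path (or an explicit policy exception) before phase three lands.
$logons = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = $since
}
$ntlmLogons = foreach ($e in $logons) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['AuthenticationPackageName'] -eq 'NTLM') {
        [pscustomobject]@{
            Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Source    = $d['IpAddress']
            Station   = $d['WorkstationName']
            LogonType = $d['LogonType']
        }
    }
}
$ntlmLogons | Group-Object Account, Source, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

    Run it on domain controllers as well as member servers: the 8003/8004 events on a DC give the domain-wide picture that a single member server's 4624 log cannot.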


Similar Happenings

Windows Authentication Failures Due to Duplicate Security Identifiers

Windows updates released since August 29, 2025, have introduced authentication failures on systems with duplicate Security Identifiers (SIDs). These updates enforce stricter SID checks, causing Kerberos and NTLM authentication to fail on affected devices. The issue impacts Windows 11 (24H2 and 25H2) and Windows Server 2025, leading to various login and access problems. Duplicate SIDs often result from improperly cloned or duplicated Windows installations. Microsoft recommends rebuilding affected systems using supported cloning methods or applying a temporary Group Policy fix obtained through Microsoft Support.

Credential Theft via Legacy Windows Protocols in Local Networks

Legacy Windows communication protocols, specifically Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS), continue to expose organizations to credential theft. Attackers can capture login data by being on the same local network as their targets, leveraging tools like Responder to intercept authentication data. This method does not exploit software vulnerabilities but relies on default Windows behavior. The captured data can be cracked offline or reused in relay attacks, providing access to corporate databases, file servers, and administrative systems. Once attackers obtain valid credentials, they can move laterally across the network, escalate privileges, and disrupt critical business services. Organizations are advised to disable LLMNR and NBT-NS, enforce secure authentication methods, and monitor for unusual traffic on these protocols.
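The advice above to disable LLMNR and NBT-NS can be checked and applied per host. The script below is an added example written for this page, not code from the article or from any tool it names; it assumes an elevated PowerShell session on the Windows host and, by default, only reports without changing anything.

```powershell
# Added example (not from the article): report and optionally disable LLMNR and
# NBT-NS, the two name-resolution fallbacks that Responder-style tools answer.
# LLMNR uses UDP 5355 and NBT-NS UDP 137; those ports are what to watch on the wire.
# Run elevated. Set $Remediate = $true to apply; the default only reports.
$Remediate = $false

# LLMNR is controlled by the DNS client policy value EnableMulticast (0 = disabled).
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
$llmnrState = if ($llmnr -eq 0) { 'disabled' } else { 'enabled (Windows default)' }
Write-Host "LLMNR: $llmnrState"
if ($Remediate -and $llmnr -ne 0) {
    New-Item -Path $llmnrKey -Force | Out-Null
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    Write-Host 'LLMNR: set EnableMulticast=0'
}

# NBT-NS is per adapter: TcpipNetbiosOptions 0 = via DHCP, 1 = enabled, 2 = disabled.
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($a in $adapters) {
    $state = switch ($a.TcpipNetbiosOptions) { 0 { 'via DHCP' } 1 { 'enabled' } 2 { 'disabled' } }
    Write-Host "NBT-NS on '$($a.Description)': $state"
    if ($Remediate -and $a.TcpipNetbiosOptions -ne 2) {
        # SetTcpipNetbios(2) disables NetBIOS over TCP/IP on this interface.
        $r = Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
        Write-Host "  SetTcpipNetbios returned $($r.ReturnValue) (0 = success, 1 = reboot required)"
    }
}
```

For fleet-wide enforcement the same two settings belong in Group Policy (Computer Configuration > Administrative Templates > Network > DNS Client > "Turn off multicast name resolution", and the adapter NetBIOS setting via DHCP option or a startup script) so that re-imaged hosts do not revert to the default.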

Senator Wyden calls for FTC probe into Microsoft's alleged ransomware-related cybersecurity negligence

U.S. Senator Ron Wyden has called for an FTC investigation into Microsoft's alleged cybersecurity negligence, which he claims enabled ransomware attacks on U.S. critical infrastructure, including healthcare networks. The call follows a ransomware attack on Ascension, a healthcare system, which resulted in the theft of personal and medical information of nearly 5.6 million individuals. The attack was attributed to the Black Basta ransomware group and exploited insecure default settings in Microsoft software. The breach occurred in May 2024 when a contractor clicked on a malicious Bing Search result in Microsoft Edge, leading to a Kerberoasting attack. Attackers used Kerberoasting to extract encrypted service account credentials from Active Directory, leveraging the vulnerabilities in RC4. Wyden's letter to the FTC highlights Microsoft's continued support for RC4, an outdated encryption standard, and its failure to enforce secure password policies for privileged accounts. Microsoft has acknowledged the issues and plans to deprecate RC4 in future updates, but Wyden argues that these measures are insufficient to protect against ongoing threats.

EPM Poisoning Exploit Chain in Windows RPC Enables Domain Privilege Escalation

Researchers have disclosed a now-patched vulnerability in the Windows Remote Procedure Call (RPC) protocol that could be exploited to conduct spoofing attacks and escalate privileges within a domain. The flaw, tracked as CVE-2025-49760, allows attackers to manipulate the Endpoint Mapper (EPM) to impersonate legitimate services and coerce protected processes into authenticating against malicious servers. The attack chain involves registering known interfaces of core services and exploiting delayed-start services to hijack RPC interfaces. Microsoft patched the vulnerability in July 2025. The exploit chain can lead to domain privilege escalation through an ESC8 attack, leveraging NTLM hashes and Kerberos Ticket-Granting Tickets (TGTs).