What Is NT LAN Manager (NTLM)? Risks & Modern Alternatives

What is NTLM?

NT LAN Manager (NTLM) is a family of Microsoft challenge/response authentication protocols (NTLMv1 and NTLMv2) that, together with their session signing and sealing options, provides authentication, integrity, and confidentiality for users in Windows environments. NTLM replaced the older LAN Manager (LM) protocol and shipped with Windows NT before becoming a standard component across the Windows ecosystem; it is still present in every supported Windows release.

What NTLM is used for

NTLM lets a user who has logged on to a Windows machine authenticate to servers and services in the domain without re-entering a password: the Windows security support provider computes the response from the cached credential. It is also used by many products built on Windows authentication, including Exchange Server, Internet Information Services (IIS), and SharePoint, and it is the fallback whenever Kerberos is unavailable: workgroup machines, local accounts, servers addressed by IP rather than by name, and clients with no line of sight to a domain controller.

How NTLM authentication works

NTLM is a three-message challenge/response protocol. The messages are the same for local and domain accounts; for a domain account the resource server forwards the response to a domain controller over the Netlogon secure channel for validation.

  • Negotiate (Type 1): The client sends a NEGOTIATE_MESSAGE declaring the NTLM features it supports (Unicode strings, session signing and sealing, and so on).

  • Challenge (Type 2): The server replies with a CHALLENGE_MESSAGE containing the flags it accepts, an 8-byte random server challenge (the nonce), and, for NTLMv2, target information naming the server and domain.

  • Authenticate (Type 3): The client derives the NT hash from the user's password (the hash itself is never sent), computes a response that is a keyed function of that hash, the server challenge and, in NTLMv2, a client-chosen nonce and timestamp, and sends it in an AUTHENTICATE_MESSAGE together with the username and domain. The server, or the domain controller it forwards to, recomputes the expected response from its stored NT hash and compares the two. A match confirms identity and grants access to the requested resource.

The cryptography is dated. The NT hash is an unsalted MD4 of the UTF-16LE password. NTLMv1 computes the response with DES using the NT hash as key material; NTLMv2 uses HMAC-MD5. Session signing uses HMAC-MD5 and sealing uses RC4. Nothing in the exchange authenticates the server to the client.

Security vulnerabilities

NTLM carries several well-documented weaknesses that have driven its gradual replacement.

  • Pass-the-Hash attacks exploit the fact that the NT hash is a password equivalent: the Type 3 response is computed from the hash alone, so an attacker who obtains a user's NT hash (from LSASS memory, the SAM, or NTDS.dit) can authenticate as that user without ever cracking the underlying password. A stronger password does not help until the hash itself is rotated.

  • Offline cracking targets either a dumped NT hash or a captured challenge/response pair (Net-NTLMv1/v2) obtained by sniffing or by coercing a host to authenticate to an attacker-controlled listener. Because the NT hash is unsalted MD4 and NTLMv2 is HMAC-MD5, candidate passwords can be tested at very high rates with no lockout or rate limiting from the target system. NTLMv1 responses are DES-based and can be broken back to the NT hash regardless of password strength.

  • Relay attacks exploit the absence of server authentication and, by default, of any binding between the authentication and the transport it runs over. An attacker in the middle forwards the Type 1, 2 and 3 messages between a victim client and a target server of the attacker's choosing and ends up with an authenticated session on that target without ever learning the hash. SMB and LDAP signing, LDAP channel binding, and Extended Protection for Authentication (EPA) on HTTP endpoints are the standard mitigations.
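The exchange from "How NTLM authentication works" and the pass-the-hash and offline-cracking bullets above, as one added example. This is not the article's own material and not Microsoft's code: it implements the NTLMv2 computation from MS-NLMP 3.3.2 with a pure-Python MD4, models the three messages as plain dicts without the NTLMSSP wire framing, and uses a constructed account ("alice"/"CORP"), password and wordlist. The relay case is not modelled because it needs no computation at all; the attacker just forwards the messages.

```python
"""NTLMv2 challenge/response with both sides of the exchange, then two of the attacks
described above. Added example, not Microsoft's implementation: wire-format headers are
omitted, messages are dicts, and the account, password and wordlist are constructed."""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF
R3_ORDER = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's 'md4' needs OpenSSL's legacy provider)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for i in range(48):
            if i < 16:        # round 1: F, no additive constant, words in order
                f, k, s, add = (B & C) | (~B & D), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:      # round 2: G, words taken column-wise
                j = i - 16
                f, k, s, add = (B & C) | (B & D) | (C & D), (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:             # round 3: H, fixed word order
                f, k, s, add = B ^ C ^ D, R3_ORDER[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            t = (A + f + x[k] + add) & MASK
            A, B, C, D = D, ((t << s) | (t >> (32 - s))) & MASK, B, C
        a, b, c, d = (a + A) & MASK, (b + B) & MASK, (c + C) & MASK, (d + D) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """NTOWFv1: unsalted MD4 of the UTF-16LE password. This is what SAM/NTDS.dit store."""
    return md4(password.encode("utf-16-le"))

def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def nt_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob). Needs only the NT hash."""
    return hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()

def make_blob(client_challenge: bytes, target_info: bytes, filetime: int) -> bytes:
    """The NTLMv2 'temp' structure: version bytes, FILETIME, client nonce, AV pairs."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)

# The three messages. Real ones carry the NTLMSSP signature, message type and field offsets.
def negotiate() -> dict:                                  # Type 1, client -> server
    return {"type": 1, "flags": {"UNICODE", "NTLM", "ALWAYS_SIGN"}}

def challenge(neg: dict, target_info: bytes) -> dict:     # Type 2, server -> client
    return {"type": 2, "flags": neg["flags"], "server_challenge": os.urandom(8), "target_info": target_info}

def authenticate(nt: bytes, user: str, domain: str, chal: dict, filetime: int) -> dict:  # Type 3
    blob = make_blob(os.urandom(8), chal["target_info"], filetime)
    proof = nt_proof(nt, user, domain, chal["server_challenge"], blob)
    return {"type": 3, "user": user, "domain": domain, "nt_response": proof + blob}

def verify(stored_nt: bytes, chal: dict, auth: dict) -> bool:
    """Server side (or the DC it forwards to): recompute from the stored hash and compare."""
    proof, blob = auth["nt_response"][:16], auth["nt_response"][16:]
    expected = nt_proof(stored_nt, auth["user"], auth["domain"], chal["server_challenge"], blob)
    return hmac.compare_digest(proof, expected)

def crack(chal: dict, auth: dict, candidates):
    """Offline attack on a captured Net-NTLMv2 pair: the target is never contacted again."""
    for pw in candidates:
        if verify(nt_hash(pw), chal, auth):
            return pw
    return None

def demo():
    """Constructed scenario: a normal logon, a pass-the-hash logon, and an offline crack."""
    user, domain, password = "alice", "CORP", "Winter2024!"
    target_info = b"\x02\x00\x08\x00" + "CORP".encode("utf-16-le") + b"\x00\x00\x00\x00"  # NbDomainName + EOL
    filetime = 133_000_000_000_000_000                    # fixed timestamp so runs are reproducible
    stored_nt = nt_hash(password)                         # what the domain controller holds
    # 1. Legitimate logon: the client holds the password and derives the hash itself.
    chal = challenge(negotiate(), target_info)
    auth = authenticate(nt_hash(password), user, domain, chal, filetime)
    legit_ok = verify(stored_nt, chal, auth)
    # 2. Pass-the-hash: the attacker dumped stored_nt and never learned the password.
    stolen_nt = stored_nt
    chal2 = challenge(negotiate(), target_info)
    pth_ok = verify(stored_nt, chal2, authenticate(stolen_nt, user, domain, chal2, filetime))
    # 3. Offline cracking of the pair (chal, auth) captured in step 1, with a toy wordlist.
    wordlist = ["Password1", "Summer2023!", "letmein", "Winter2024!"]
    return legit_ok, pth_ok, crack(chal, auth, wordlist)

if __name__ == "__main__":
    print(demo())  # (True, True, 'Winter2024!')
```

The point to notice is that authenticate() takes the NT hash in both the legitimate and the pass-the-hash case; the protocol cannot tell the two apart, which is why the hash must be treated as the secret. crack() runs entirely against the captured pair, so account lockout policies never engage; the only defences are password length, NTLMv2 with signing so the pair is hard to obtain, or not using NTLM at all.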

NTLM vs. Kerberos

Kerberos was adopted to address NTLM's limitations and has been the default authentication protocol for domain accounts since Windows 2000; Windows falls back to NTLM only when Kerberos cannot be used.

  • Authentication mechanism: NTLM uses challenge/response. Kerberos uses a ticket-based system where the Key Distribution Center (KDC) issues a ticket-granting ticket (TGT) after initial authentication. Clients use that TGT to request service tickets for specific resources, keeping credentials out of repeated network exchanges.

  • Security: Kerberos provides mutual authentication, meaning both client and server verify each other's identity. Service tickets are encrypted to a specific service's key and expire, so a ticket cannot be relayed to a different service the way an NTLM response can, and the password-derived key is used only with the KDC rather than with every server. Kerberos is not immune to credential theft, however: stolen tickets can be replayed (pass-the-ticket), and an NT hash can still be used to obtain a TGT while the RC4 encryption type is enabled (overpass-the-hash), so Kerberos itself needs hardening (AES-only encryption types, the Protected Users group, credential isolation).

  • Performance and scalability: With NTLM, every authentication of a domain account by a member server is passed through to a domain controller over Netlogon, so load on the DCs grows with every resource access. With Kerberos the client obtains a ticket once and the resource server validates it locally with its own long-term key, so the KDC is contacted per ticket rather than per connection, which scales better in large networks.

  • Compatibility: NTLM remains present in Windows environments for backward compatibility with older systems and for the cases where Kerberos does not apply (local accounts, workgroups, access by IP address). Modern Windows deployments support both protocols, but Microsoft has formally deprecated NTLM and has stated its intent to disable it by default once the remaining dependencies on it are removed.

Organizations running Windows networks should migrate to Kerberos where possible and retain NTLM only where a legacy system requires it. In practice that means: enable NTLM auditing (the "Network security: Restrict NTLM" group policies together with the Microsoft-Windows-NTLM/Operational event log) to learn which clients, servers and accounts still use it; set "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM" so that NTLMv1 and LM responses are never produced or accepted; require SMB and LDAP signing, LDAP channel binding and EPA to blunt relay while NTLM remains; and then block NTLM per server or domain-wide once the audit log is clean.

The latest in identity security.

Enter our orbit.


Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.
