About NTLM usage in your environment

Updated: November 21, 2012

Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

This topic describes the NTLM authentication protocol, how it is used in Windows environments, and supported scenarios for restricting NTLM in a domain.

How NTLM works

The NTLM Security Support Provider (SSP) includes a number of authentication protocols: LAN Manager, NTLM version 1 (NTLMv1) and NTLM version 2 (NTLMv2). These protocols authenticate users and computers based on a challenge/response mechanism that proves to a server or domain controller that a user knows the password associated with an account. When the NTLM protocol is used, a resource server must take one of the following actions to verify the identity of a computer or user whenever a new access token is needed:

  • Contact a domain authentication service on the domain controller for the computer's or user's account domain, if the account is a domain account.

  • Look up the computer's or user's account in the local account database, if the account is a local account.

NTLM authentication is still supported and must be used for Windows authentication with systems configured as a member of a workgroup. NTLM authentication is also used for local logon authentication on non-domain controllers. Kerberos version 5 authentication is the preferred authentication method for Active Directory environments, but a non-Microsoft or Microsoft application might still use NTLM.

NTLM credentials consist of a domain name or workgroup server name, a user name, and information derived from the user's password. This data is usually obtained by interactive logon and subsequently stored as a hash; the user's password itself is never sent over the network. Instead, the user requesting authentication must prove knowledge of the password by computing a response to the challenge received from the server, which the server (or the domain controller, on its behalf) verifies against the stored hash.
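The challenge/response exchange above, modelled end to end as an added example (this is not code from the topic or from Windows): the response is shaped as in the NTLMv2 computation from the MS-NLMP specification, and the verifier is either the local account database or, for a domain account, the account domain's controller. Account names, passwords and the host name are constructed; the MD4 fallback is an assumption for Python builds whose OpenSSL has no MD4.

```python
import hashlib
import hmac
import os

HOSTNAME = "FILESRV01"  # constructed name of the resource server

def nt_hash(password: str) -> bytes:
    """NT hash as Windows stores it: MD4 over the UTF-16LE password. Assumption:
    if this Python build's OpenSSL lacks MD4, use a labelled stand-in so the
    exchange still runs (the digests then differ from real Windows values)."""
    data = password.encode("utf-16-le")
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        return hashlib.sha256(b"md4-stand-in:" + data).digest()[:16]

# Constructed account stores: the local SAM of FILESRV01 and the CORP domain's DC.
LOCAL_ACCOUNTS = {("FILESRV01", "BACKUPSVC"): nt_hash("Local-Only-Pw-1")}
DOMAIN_ACCOUNTS = {("CORP", "ALICE"): nt_hash("Winter2012!")}

def stored_hash_for(domain: str, user: str):
    """The verifier choice the topic describes: look in the local account database
    for a local account, otherwise ask the account domain's DC (modelled as a dict)."""
    key = (domain.upper(), user.upper())
    if key[0] == HOSTNAME:
        return LOCAL_ACCOUNTS.get(key)
    return DOMAIN_ACCOUNTS.get(key)  # pass-through authentication to the DC

def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key (MS-NLMP NTOWFv2): HMAC-MD5 keyed by the NT hash over
    UTF-16LE(uppercase user + domain)."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()

def client_response(challenge: bytes, blob: bytes, domain: str, user: str, password: str) -> bytes:
    """Client side: NtChallengeResponse = HMAC-MD5(NTOWFv2, challenge || blob) || blob.
    Only the keyed proof crosses the wire, never the password or its hash."""
    key = ntowf_v2(nt_hash(password), user, domain)
    return hmac.new(key, challenge + blob, "md5").digest() + blob

def verify(challenge: bytes, response: bytes, domain: str, user: str) -> bool:
    """Verifier side: recompute the proof from the stored hash and compare."""
    stored = stored_hash_for(domain, user)
    if stored is None:  # unknown account: nothing to check against
        return False
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored, user, domain), challenge + blob, "md5").digest()
    return hmac.compare_digest(proof, expected)

def run_exchange(domain: str, user: str, password: str) -> bool:
    """One full round: server issues a fresh 8-byte challenge, the client answers,
    the server (or DC) verifies. The blob stands in for the NTLMv2 timestamp/nonce."""
    challenge, blob = os.urandom(8), os.urandom(8)
    return verify(challenge, client_response(challenge, blob, domain, user, password), domain, user)
```

Because the proof is keyed over the server's challenge, a response captured from one exchange does not verify under a fresh challenge, which is the property the stored-hash design relies on.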

The Windows server and Windows client operating systems include the NTLM SSP (msv1_0.dll) for authentication compatibility between systems and applications. NTLM authentication is the default authentication protocol for workgroup environments and for non-Microsoft applications. The NTLM SSP can be used for the following:

  • Print services

  • File access using CIFS/SMB

  • Secure RPC/DCOM-based services

Understanding the problems and risks with using NTLM

The Kerberos protocol was promoted in Windows Server 2003 and Windows XP as a stronger authentication protocol using mutual authentication instead of the challenge/response method of NTLM. NTLM has the following vulnerabilities:

  • No server authentication.

  • Weaker cryptography.

  • Slower performance (compared to the Kerberos protocol) on repeated connections to the same server.

  • NTLM is still required where server authentication is not possible, such as when a server must be reached by IP address.

Topics in this section

The following topics describe under which conditions you should consider a project that involves reducing NTLM, how you evaluate your environment, and what preparations you should make before undertaking the project.

See Also

Auditing and restricting NTLM usage guide