Eliminating NTLM in Storage: Modernizing SMB Authentication on Windows
NTLM (NT LAN Manager) remains prevalent in storage environments, including SMB, where it’s often used to authenticate access to shared folders, NAS devices, and legacy systems that do not support Kerberos. However, NTLM carries significant security risks, such as susceptibility to relay, pass-the-hash, and brute-force attacks. Windows is now undergoing a transformation to eliminate NTLM, focusing on modernizing on-prem authentication by strengthening Kerberos and introducing new capabilities that close gaps where NTLM is traditionally required.
Our proposed talk will provide an in-depth technical exploration of three key innovations driving a future without NTLM: IAKerb/Local KDC, Auditing, and Auto-Redirect. These features are essential to enabling SMB and other storage protocols to operate securely without NTLM. IAKerb and Local KDC fill functional gaps in Kerberos, specifically in cross-forest and non-domain scenarios. Enhanced auditing provides the insight (and confidence) to turn off NTLM where it’s no longer needed, and Auto-Redirect catches any stragglers, ensuring that even if code hasn’t caught up, the system will do the right thing.
Attendees will walk away with a clear understanding of how these features interoperate to secure SMB and reduce dependency on NTLM across storage environments. We’ll provide protocol flow diagrams, audit log samples, and architectural insights into redirect behavior.