NTLM Overview

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

This topic for the IT professional describes NTLM, any changes in functionality, and provides links to technical resources to Windows Authentication and NTLM for Windows Server.

Feature description

NTLM authentication is a family of authentication protocols that are encompassed in the Windows Msv1_0.dll. The NTLM authentication protocols include LAN Manager version 1 and 2, and NTLM version 1 and 2. The NTLM authentication protocols authenticate users and computers based on a challenge/response mechanism that proves to a server or domain controller that a user knows the password associated with an account. When the NTLM protocol is used, a resource server must take one of the following actions to verify the identity of a computer or user whenever a new access token is needed:

  • Contact a domain authentication service on the domain controller for the computer's or user's account domain, if the account is a domain account.

  • Look up the computer's or user's account in the local account database, if the account is a local account.

Current applications

NTLM authentication is still supported and must be used for Windows authentication with systems configured as a member of a workgroup. NTLM authentication is also used for local logon authentication on non-domain controllers. Kerberos version 5 authentication is the preferred authentication method for Active Directory environments, but a non-Microsoft or Microsoft application might still use NTLM.

Reducing the usage of the NTLM protocol in an IT environment requires both the knowledge of deployed application requirements on NTLM and the strategies and steps necessary to configure computing environments to use other protocols. New tools and settings have been added to help you discover how NTLM is used in order to selectively restrict NTLM traffic. For information about how to analyze and restrict NTLM usage in your environments, see Introducing the Restriction of NTLM Authentication to access the Auditing and restricting NTLM usage guide.

New and changed functionality

There are no changes in functionality for NTLM for Windows Server.

Removed or deprecated functionality

There is no removed or deprecated functionality for NTLM for Windows Server.

Server Manager information

NTLM cannot be configured from Server Manager. You can use Security Policy settings or Group Policies to manage NTLM authentication usage between computer systems. In a domain, Kerberos is the default authentication protocol.

The following table lists relevant resources for NTLM and other Windows authentication technologies.

Content type References
Product evaluation Introducing the Restriction of NTLM Authentication

Changes in NTLM Authentication

Planning IT Infrastructure Threat Modeling Guide

Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP

Threats and Countermeasures Guide: Security Settings in Windows Server 2008 and Windows Vista

Threats and Countermeasures Guide: Security Settings in Windows Server 2008 R2 and Windows 7

Deployment Extended Protection for Authentication

Auditing and restricting NTLM usage guide

Ask the Directory Services Team : NTLM Blocking and You: Application Analysis and Auditing Methodologies in Windows 7

Windows Authentication Blog

Configuring MaxConcurrentAPI for NTLM pass-through authentication

Development Microsoft NTLM (Windows)

[MS-NLMP]: NT LAN Manager (NTLM) Authentication Protocol Specification

[MS-NNTP]: NT LAN Manager (NTLM) Authentication: Network News Transfer Protocol (NNTP) Extension

[MS-NTHT]: NTLM Over HTTP Protocol Specification

Updates New NTLM pass-through authentication protections for CVE-2022-21857