Microsoft Strengthens Default Security Posture Against NTLM Relay Attacks
Microsoft has announced significant enhancements to its default security configuration, aimed at mitigating the risk of NTLM relay attacks across its ecosystem. In a recent blog post, the company detailed its proactive approach to addressing this persistent threat vector.
NTLM relay attacks, a technique employed by malicious actors to compromise user identities, involve coercing a victim into authenticating to an attacker-controlled endpoint and relaying that authentication exchange to a vulnerable target. This allows attackers to impersonate the victim and perform unauthorized actions on the target.
To combat this, Microsoft has prioritized enabling Extended Protection for Authentication (EPA) and channel binding by default in critical services. This initiative began with Exchange Server 2019 CU 14 earlier this year and now includes Active Directory Certificate Services (AD CS) and LDAP with the release of Windows Server 2025.
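To show why channel binding blocks a relay, here is an added illustrative simulation (not code from Microsoft or from the blog post) of the check that EPA adds. It models the NTLM channel binding token as described in MS-NLMP and RFC 5929: the client hashes the TLS server certificate of the channel it actually opened into the AUTHENTICATE message, and the real target compares that value against its own certificate. The certificates, hostnames and struct layout are constructed or simplified for the example.

```python
import hashlib
import struct

# Constructed stand-ins for DER-encoded TLS server certificates (not real certs).
CERT_TARGET = b"constructed-cert-for-target.example.local"   # the real AD CS / Exchange / LDAPS host
CERT_ATTACKER = b"constructed-cert-for-rogue.example.local"  # the endpoint the victim was coerced to


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 tls-server-end-point binding: hash of the server certificate (SHA-256 assumed)."""
    return b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()


def channel_binding_token(cert_der: bytes) -> bytes:
    """Simplified MS-NLMP MsvAvChannelBindings: MD5 over a gss_channel_bindings_struct whose
    address fields are empty and whose application_data is the tls-server-end-point value."""
    app_data = tls_server_end_point(cert_der)
    gss_struct = struct.pack("<IIIII", 0, 0, 0, 0, len(app_data)) + app_data
    return hashlib.md5(gss_struct).digest()


def client_authenticate(user: str, channel_cert_der: bytes) -> dict:
    """Client side: the CBT is computed from the TLS channel the client itself opened."""
    return {"user": user, "cbt": channel_binding_token(channel_cert_der)}


def server_accepts(msg: dict, own_cert_der: bytes, epa_required: bool) -> bool:
    """Server side: with EPA the target rejects any CBT that does not match its own certificate.
    Without EPA (the legacy default) the binding is never checked."""
    if not epa_required:
        return True
    return msg["cbt"] == channel_binding_token(own_cert_der)


def direct_auth_accepted(epa_required: bool) -> bool:
    # The victim talks to the real target over TLS, so the CBT binds to CERT_TARGET.
    msg = client_authenticate("victim", CERT_TARGET)
    return server_accepts(msg, CERT_TARGET, epa_required)


def relayed_auth_accepted(epa_required: bool) -> bool:
    # The victim was coerced into a channel presenting CERT_ATTACKER; the forwarded
    # message therefore carries a CBT bound to the wrong certificate.
    msg = client_authenticate("victim", CERT_ATTACKER)
    return server_accepts(msg, CERT_TARGET, epa_required)
```

The relayed exchange is accepted only when the target runs without EPA, which is exactly the default the announcement changes.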
“With the security-focused default settings for EPA on Exchange Server 2019 CU14 released earlier this year and for AD CS and LDAP released as part of Windows Server 2025, we have enforced strong defenses against preventing NTLM relay attacks on those versions,” the blog post states.
These enhancements mark a significant step in bolstering default security, as they automatically protect users without requiring manual configuration by administrators. Previously, enabling these protections necessitated manual intervention, potentially leaving some environments vulnerable.
While Microsoft acknowledges NTLM as a legacy protocol and recommends transitioning to modern authentication protocols like Kerberos, the company is committed to hardening NTLM against attacks in the interim. This includes removing NTLMv1 and deprecating NTLMv2 in Windows Server 2025 and Windows 11 24H2.
“As we progress towards disabling NTLM by default, immediate, short-term changes, such as enabling EPA in Exchange Server, AD CS and LDAP reinforce a ‘secure by default’ posture and safeguard users from real-world attacks,” Microsoft affirms.
This strategy aligns with Microsoft's Secure Future Initiative, which emphasizes building systems that are secure by default. By shipping these protections enabled, Microsoft reduces the configuration burden on users and administrators while mitigating the risk of NTLM relay attacks across its platform.