Microsoft confirms spike in NTLM authentication traffic after Windows Server patch

Microsoft's April 2024 security update blues continue with confirmation of a "significant increase" in NTLM authentication traffic in Windows Server.

The issue is caused by installing the update (KB5036909) on domain controllers. NTLM traffic might then suddenly spike.

The problem comes hot on the heels of VPN connection failures in the same update.

According to Microsoft's release health dashboard: "This issue is likely to affect organizations that have a very small percentage of primary domain controllers in their environment and high NTLM traffic."

Microsoft said it is "working on a resolution and will provide an update in an upcoming release." A user could uninstall the patch, but doing so would also remove the security fixes included in the update.

• Microsoft's FOMO after seeing Google AI drove investment in OpenAI
• Microsoft confesses April Windows update breaks some VPN connections
• Microsoft boss charms Indonesia with $1.7B AI, cloud injection
• More big city newspapers drag Microsoft, OpenAI hard in copyright lawsuit

NTLM – New Technology LAN Manager – is a very old suite of Microsoft security protocols designed to authenticate users. Microsoft would like people to stop using the technology, but enterprises cling to it. There is, after all, always that one weird app written decades ago that was hard-coded to use it.

In a blog post on the matter, Microsoft said: "Kerberos has been the default Windows authentication protocol since 2000, but there are still scenarios where it can't be used and where Windows falls back to NTLM."

This is because NTLM doesn't need a local network connection to a DC and will work when the target server is unknown. Both scenarios can be problematic for Kerberos despite the authentication protocol being a good deal more secure. Hence prying enterprises away from NTLM has proven a challenge.

Microsoft said: "Our end goal is eliminating the need to use NTLM at all to help improve the security bar of authentication for all Windows users."

Ramping up traffic on networks of customers who have yet to heed Microsoft's advice is certainly one way of achieving that goal, even though we're pretty sure this wasn't the company's intention. ®