Nightmare on NTLM street: Legacy’s Revenge
2025-10-23, Europe

We know the world runs on legacy. We know it’s not supposed to. But when vendors or LinkedInfluencers command us to phase out old systems and protocols, it sometimes seems like their expectation-versus-reality connection is faulty.

This talk will walk you through the ~adventure~ of disabling a recently-deprecated Microsoft authentication protocol with numerous security problems: NTLM.

For decision-makers, this is an opportunity to better understand the struggles of on-the-ground IT and security teams trying to bring outdated systems in line with industry standards. For IT and information security peers, this presentation will share valuable resources and “lessons learned” for successfully phasing out NTLM (and similar thorns-in-sides) within their own organizations.


Microsoft introduced NT LAN Manager in 1993 as a replacement for LANMAN, born in 1987. Just seven years later, they announced Kerberos as the default replacement for NTLM and instructed companies to stop using it. No one did. Now, in June 2024, Microsoft has announced the deprecation of the entire NTLM authentication protocol family, and has even removed older NTLM versions from newer OS releases.

Why is this legacy protocol still so widely used, 24 years after it stopped being the default? The answer is a combination of factors, some of which this talk will explore:
- corporate communication and decision-making
- application development lagging behind security standards
- flaws in the replacement protocol
- underfunded, understaffed, and overwhelmed IT teams

Drawing on the speaker's experience completing this project in the IT environment of a mid-sized enterprise, this presentation will also discuss resources and lessons learned that could help get the job done elsewhere. It will also illustrate to those outside the field why IT and security are critical business functions, not cost centers.

Marina Bochenkova wears many hats as a cybersecurity analyst focusing on digital forensics, incident response, and OT security, while also dabbling in security awareness and culture. She combines a passion for protecting people, a strong belief in digital privacy as a human right, and an overly-enthusiastic approach to problem-solving. When not defending digital spaces, Marina actively nurtures her already-unhealthy obsession with cats and resorts to baking or martial arts when desperate.