Microsoft implemented Kerberos in order to move away from some of NTLM's security issues, but Kerberos still supports the RC4-HMAC encryption type to remain compatible with older systems.
The company couldn't immediately be reached for comment, but it acknowledged weaknesses in NTLM in a 2012 technical paper.
In May, Microsoft released a patch containing improvements that make it harder to steal NTLM hashes. The company has also suggested that organizations use smart cards or disable Kerberos RC4-HMAC support on all domain controllers, but doing so could break some functionality.
Be'ery said quirks in Active Directory can cause it to downgrade to NTLM, which makes it hard for organizations to shut it off.
"It's not really a practical solution," he said.
For example, if a person is trying to access a network resource using its IP address instead of its name, Active Directory will use NTLM even if the organization is on the latest version of Windows, Be'ery said.
Aorato contends that more could be done around logging events that might indicate malicious behavior, such as recording which encryption algorithm was used for a password change.
"Although Windows had created a relatively verbose Kerberos event logging system, it fails to show the pertinent attack information," the company wrote. "As a result, the logs lack indication of something fishy going on."
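The two gaps the article describes, the NTLM fallback and the absence of encryption-type detail in Kerberos logs, can be partially closed from the audit trail Windows does produce. The following is an added detection example, not code from Aorato, Microsoft or the article. It assumes Windows security events 4768 (TGT request) and 4769 (service ticket request) with their standard "Ticket Encryption Type" field, and event 4624 with its "Authentication Package" field; the event records it scans are constructed for the example and flattened into key=value lines rather than taken from a real domain controller.

```python
# Added example: scan constructed Windows audit records for RC4-HMAC Kerberos
# tickets (the weak encryption type discussed in the article) and for NTLM
# logons (the fallback Active Directory uses, e.g. for access by IP address).
# Event IDs 4768/4769/4624 and the field names are standard Windows security
# audit fields; the sample records below are constructed, not real logs.
import re
from collections import Counter

# Kerberos encryption type codes as they appear in Windows 4768/4769 events.
ENC_TYPES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
}
WEAK_ENC_TYPES = {0x01, 0x03, 0x17}

# Constructed sample events, one per line as key=value pairs (not from a real system).
SAMPLE_EVENTS = """\
EventID=4768 Account=alice Client=10.0.0.5 TicketEncryptionType=0x12
EventID=4769 Account=alice Service=cifs/fileserver TicketEncryptionType=0x12
EventID=4769 Account=bob Service=cifs/fileserver TicketEncryptionType=0x17
EventID=4768 Account=svc-backup Client=10.0.0.9 TicketEncryptionType=0x17
EventID=4624 Account=carol LogonType=3 AuthenticationPackage=NTLM
"""

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'key=value ...' record into a dict of its fields."""
    return dict(_FIELD.findall(line))


def find_weak_kerberos(events_text):
    """Return (account, event_id, enc_name) for every Kerberos ticket event
    that used a weak encryption type (RC4-HMAC or DES)."""
    findings = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") not in ("4768", "4769"):
            continue
        etype = int(ev.get("TicketEncryptionType", "0"), 16)
        if etype in WEAK_ENC_TYPES:
            findings.append((ev["Account"], ev["EventID"], ENC_TYPES.get(etype, hex(etype))))
    return findings


def weak_accounts(events_text):
    """Count weak-encryption tickets per account: the list a defender reviews
    before disabling RC4-HMAC on domain controllers, since those accounts
    (or the services they talk to) are the ones that would break."""
    return Counter(account for account, _, _ in find_weak_kerberos(events_text))


def ntlm_logons(events_text):
    """Return accounts that authenticated with NTLM (event 4624), which shows
    where Active Directory fell back from Kerberos despite a modern domain."""
    return [ev["Account"] for ev in map(parse_event, events_text.splitlines())
            if ev.get("EventID") == "4624" and ev.get("AuthenticationPackage") == "NTLM"]


if __name__ == "__main__":
    for account, event_id, enc in find_weak_kerberos(SAMPLE_EVENTS):
        print(f"weak Kerberos encryption: account={account} event={event_id} etype={enc}")
    print("weak tickets per account:", dict(weak_accounts(SAMPLE_EVENTS)))
    print("NTLM logons:", ntlm_logons(SAMPLE_EVENTS))
```

On a real system the same logic would be fed from the Security event log (for example via an export to a SIEM) rather than from the embedded sample; the point is that ticket encryption type and authentication package are already recorded, so RC4-HMAC use and NTLM fallback can be inventoried before RC4 is switched off, even though the password-change detail Aorato asks for is not.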