Monday, September 20, 2021

Microsoft warns of credential-stealing NTLM relay attacks against Windows domain controllers

Microsoft recommends that you disable NTLM authentication on Windows domain controllers to prevent PetitPotam.


Microsoft has issued an advisory about a threat to Windows domain controllers. The technique, known as PetitPotam, lets an attacker relay NTLM (NT LAN Manager) authentication from a server and use it to obtain credentials and certificates. In the advisory, Microsoft warned that PetitPotam can be used against Windows domain controllers as well as other Windows servers.


Discovered and tested in France by Gilles Lionel (known on Twitter as @topotam), PetitPotam, according to The Record tech news site, exploits a Windows weakness through which an attacker can force a Windows Server to hand over NTLM authentication information, and from there certificates.

The Record described it as a classic NTLM relay attack. It abuses a Windows protocol called MS-EFSRPC (the Encrypting File System Remote Protocol), which lets computers perform maintenance operations on encrypted data held on remote systems.

An attacker can coerce the targeted server into authenticating to a machine the attacker controls by sending Server Message Block (SMB) requests to the MS-EFSRPC interface on that server. The attacker then relays that NTLM authentication to another service, such as an AD CS web enrollment endpoint, to obtain a certificate or a session as the server's machine account, and uses it to gain access to other computers within the same network.

As Microsoft notes in its support document, NTLM relay attacks are well known and have existed for many years. They exploit weaknesses in the NTLM protocol: a victim that can be made to authenticate to an attacker-controlled host has its authentication forwarded (relayed) to a third service, which accepts the attacker as the victim. Microsoft has long urged customers to stop using NTLM because of these weaknesses, but many organizations still rely on it for legacy applications, so the company continues to patch specific holes as they arise.

This weakness is present in all supported versions of Windows Server, including 2008, 2008 R2, 2012, 2012 R2, 2016 and 2019. Microsoft explained in a support document that PetitPotam is a problem for your organization if NTLM authentication is enabled on your domain and you use Active Directory Certificate Services (AD CS) with Certificate Authority Web Enrollment or Certificate Enrollment Web Service. Microsoft has some suggestions if you fall into this category.

The preferred mitigation is to disable NTLM authentication for your Windows domain. This can be done by following the steps in Microsoft's network security documentation.

If you cannot disable NTLM across the domain for compatibility reasons, Microsoft suggests disabling NTLM on the AD CS servers themselves through Group Policy (the "Network security: Restrict NTLM: Incoming NTLM traffic" setting), adding exceptions for specific servers where needed. Alternatively, you can disable NTLM for Internet Information Services (IIS) on the AD CS servers in your domain that run Certificate Authority Web Enrollment or Certificate Enrollment Web Service.
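The settings this guidance touches can be audited from the server itself. The PowerShell script below is an added example, not code from the article or from Microsoft. It assumes an elevated session on a Windows Server holding AD CS roles with the ServerManager, WebAdministration and SmbShare modules available; it reads the registry value behind the "Restrict NTLM: Incoming NTLM traffic" policy, the Extended Protection, SSL and authentication-provider settings of the IIS application serving CA Web Enrollment, and the SMB signing requirement, and flags anything still in the state the advisory warns about. The site name "Default Web Site" and the "CertSrv" application path are assumptions; add the Certificate Enrollment Web Service application paths reported by Get-WebApplication if you run CES.

```powershell
# Added audit example (not Microsoft's tooling): report the local state of the
# settings named in Microsoft's PetitPotam guidance. Assumes an elevated
# session on an AD CS server; registry values reflect effective local policy,
# so confirm the Group Policy objects as well if these are delivered by GPO.
Import-Module ServerManager, WebAdministration, SmbShare -ErrorAction Stop

$findings = [System.Collections.Generic.List[string]]::new()

function Add-Finding([string]$Check, [string]$State, [bool]$Ok) {
    $mark = if ($Ok) { 'OK  ' } else { 'WARN' }
    $findings.Add("[$mark] $Check : $State")
}

# IIS attributes come back either as a plain value or as a ConfigurationAttribute
# with a .Value member; normalize both to a string (empty when not present).
function Get-IisSetting([string]$Location, [string]$Filter, [string]$Name) {
    $raw = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter $Filter -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $raw) { return '' }
    if ($raw.PSObject.Properties['Value']) { return "$($raw.Value)" }
    return "$raw"
}

# 1. Exposure: the guidance applies where CA Web Enrollment or the
#    Certificate Enrollment Web Service is installed.
$webRoles = Get-WindowsFeature -Name 'ADCS-Web-Enrollment', 'ADCS-Enroll-Web-Svc' |
    Where-Object Installed
if ($webRoles) {
    Add-Finding 'AD CS web enrollment roles' (@($webRoles.Name) -join ', ') $false
} else {
    Add-Finding 'AD CS web enrollment roles' 'not installed' $true
}

# 2. "Network security: Restrict NTLM: Incoming NTLM traffic" is backed by this
#    value: missing/0 = allow all, 1 = deny all domain accounts, 2 = deny all.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$restrict = (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
if ($null -eq $restrict) { $restrict = 0 }
Add-Finding 'Restrict incoming NTLM traffic' "RestrictReceivingNTLMTraffic=$restrict" ($restrict -ge 1)

# 3. Per-application IIS checks. 'Default Web Site/CertSrv' is the assumed CA
#    Web Enrollment path; append CES application paths from Get-WebApplication.
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'
foreach ($loc in @('Default Web Site/CertSrv')) {
    # Extended Protection for Authentication: "Require" makes a relayed NTLM
    # exchange fail, because the channel binding token belongs to the victim's
    # TLS session, not the attacker's.
    $epa = Get-IisSetting $loc $winAuth 'extendedProtection.tokenChecking'
    Add-Finding "$loc EPA" "tokenChecking=$epa" ($epa -eq 'Require')

    # EPA only binds to a TLS channel, so the endpoint should also require SSL.
    $ssl = Get-IisSetting $loc 'system.webServer/security/access' 'sslFlags'
    $sslRequired = (($ssl -split '\s*,\s*') -contains 'Ssl')
    Add-Finding "$loc Require SSL" "sslFlags=$ssl" $sslRequired

    # Authentication providers: plain "Negotiate" still falls back to NTLM;
    # "Negotiate:Kerberos" alone is what disabling NTLM for IIS looks like.
    $providers = @(Get-WebConfiguration -PSPath 'IIS:\' -Location $loc `
        -Filter "$winAuth/providers/add" -ErrorAction SilentlyContinue |
        ForEach-Object { $_.value })
    $ntlmOffered = ($providers -contains 'NTLM') -or ($providers -contains 'Negotiate')
    Add-Finding "$loc NTLM offered by IIS" ("providers=" + ($providers -join ',')) (-not $ntlmOffered)
}

# 4. SMB signing: relaying SMB authentication fails when signing is required.
$smb = Get-SmbServerConfiguration
Add-Finding 'SMB server signing required' "RequireSecuritySignature=$($smb.RequireSecuritySignature)" `
    ([bool]$smb.RequireSecuritySignature)

$findings
```

Every "WARN" line corresponds to one of the conditions Microsoft's guidance tells you to change: a web enrollment role present, incoming NTLM still allowed, EPA below "Require", SSL not required, NTLM still offered by the IIS application, or SMB signing not enforced. The script only reads configuration; apply changes through Group Policy or the IIS settings described above rather than by editing these values directly on a domain member.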

Microsoft stated: "To prevent NTLM Relay Attacks on networks with NTLM disabled, domain administrators need to ensure that services that permit NTLM authentication make use of protections like Extended Protection for Authentication or signing features such as SMB signing." It added: "PetitPotam exploits servers where Active Directory Certificate Services has not been configured with protections against NTLM Relay attacks."
