Microsoft warns of credential-stealing NTLM relay attacks against Windows domain controllers

2 years ago 276

To ward disconnected the onslaught known arsenic PetitPotam, Microsoft advises you to disable NTLM authentication connected your Windows domain controller.

Microsoft is sounding an alert astir a menace against Windows domain controllers that would let attackers to seizure NTLM (NT LAN Manager) credentials and certificates. In an advisory released past Friday, the institution warned of an onslaught dubbed PetitPotam, which could beryllium utilized against Windows domains controllers and different Windows servers.

SEE: Checklist: Securing Windows 10 systems (TechRepublic Premium)

Discovered and tested by a French researcher named Gilles Lionel (known connected Twitter arsenic @topotam), according to tech quality tract The Record, PetitPotam exploits a information spread successful Windows done which an attacker tin unit a Windows server to stock NTLM authentication details and certificates.

Dubbed a classical NTLM relay onslaught by Microsoft, the process works by abusing a Windows protocol known arsenic MS-EFSRPC, which lets computers enactment with encrypted information connected distant systems, The Record said.

By sending Server Message Block (SMB) requests to the MS-EFSRPC interface connected a distant system, an attacker tin instrumentality the targeted server into sharing credential authentication details. From there, the attacker tin trigger an NTLM relay onslaught to summation entree to different computers connected the aforesaid network.

As antecedently described successful a Microsoft enactment papers from 2009, NTLM relay attacks person been astir for a fig of years. Such attacks instrumentality vantage of the information vulnerabilities successful NTLM arsenic a method for authentication. Though Microsoft has been urging customers to jettison NTLM due to the fact that of its flaws, galore organizations inactive trust connected it, if lone for bequest applications, prompting the institution to proceed to spot each spread arsenic it pops up.

Most versions of Windows server are affected by this flaw, including 2005, 2008, 2008 R2, 2012, 2012 R2, 2016 and 2019. In a support document, Microsoft explained that your enactment is perchance susceptible to PetitPotam if NTLM authentication is enabled connected your domain and you usage Active Directory Certificate Services (AD CS) with Certificate Authority Web Enrollment oregon Certificate Enrollment Web Service. If you acceptable that category, Microsoft offers a fewer recommendations.

The preferred solution is to disable NTLM authentication connected your Windows domain, a process you tin instrumentality by pursuing the steps described connected this Microsoft web information page.

If you can't disable NTLM connected your domain owed to compatibility reasons, Microsoft suggests disabling it connected immoderate AD CS Servers successful your domain, which you tin do done Group Policy. If necessary, you tin add exceptions to this policy. Alternatively, disable NTLM for Internet Information Services (IIS) connected AD CS Servers successful your domain that tally Certificate Authority Web Enrollment oregon Certificate Enrollment Web Service services.

"To forestall NTLM Relay Attacks connected networks with NTLM enabled, domain administrators indispensable guarantee that services that licence NTLM authentication marque usage of protections specified arsenic Extended Protection for Authentication (EPA) oregon signing features specified arsenic SMB signing," Microsoft said. "PetitPotam takes vantage of servers wherever Active Directory Certificate Services is not configured with protections for NTLM Relay Attacks."