My TechDecisions

IT Infrastructure, Network Security, News

Microsoft: How To Prevent NTLM Relay Attack

Microsoft has shared instructions on how to mitigate PetitPotam, an NTLM relay attack used against Windows domain controllers or servers.

Leave a Comment

Microsoft Security RSA Conference
Dvoevnore /stock.adobe,com

Microsoft has shared instructions on how to mitigate PetitPotam, an NT Lan Manager (NTLM) relay attack used against Windows domain controllers or servers.

The company did not say if the vulnerability is currently being exploited. Microsoft called it a “classic” NTLM relay attack that allows an attacker to take over a domain controller or other Windows servers.

According to BleepingComputer, this new attack method was discovered by a French security researcher and disclosed by Microsoft last week.

In a successful attack, a hacker would use the Microsoft Encrypting File System Remote Protocol to force a device, including domain controllers, to authenticate to a remote NTLM relay. Once authenticated to a malicious NTLM server, a hacker can steal hash and certificates and use them to masquerade as the device with all its privileges, Bleeping Computer reported.

You are vulnerable if…

In its advisory, Microsoft says organizations are vulnerable to this attack if servers with Active Directory Certificate Servers are not configured with protections. Specifically, organizations are vulnerable if NTLM authentication is enabled in their domain and Active Directory Certificate Services are used with Certificate Authority Web Enrollment or Certificate Enrollment Web Service.

You can mitigate this by…

Microsoft says administrators can prevent this attack by disabling NTLM authentication on the Windows domain controller, which the company says is the simplest way to mitigate. Admins can do this by following the documentation in Network security: Restrict NTLM: NTLM authentication in this domain.

If NTLM can’t be disabled due to compatibility reasons, admins are directed to disable NTLM on any AD CS Servers in the domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic.

According to Microsoft: “To configure this GPO, open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and set “Network security: Restrict NTLM: Incoming NTLM traffic” to “Deny All Accounts” or “Deny All domain accounts”.  If needed you can add exceptions as necessary using the setting “’Network security: Restrict NTLM: Add server exceptions in this domain.”

Admins can also disable NTLM for Internet Information Services on AD CS servers in the domain running Certificate Authority Web Enrollment or Certificate Enrollment Web Service.

Check out Microsoft’s advisory for more information and detailed steps in IIS Manager UI.

If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *

Latest Downloads

Practical Design Guide for Office Spaces
Practical Design Guide for Office Spaces

Recent Gartner research shows that workers prefer to return to the office for in-person meetings for relevant milestones, as well as for face-to-fa...

New Camera Can Transform Your Live Production Workflow
New Camera System Can Transform Your Live Production Workflow

Sony's HXC-FZ90 studio camera system combines flexibility and exceptional image quality with entry-level pricing.

Creating Great User Experience and Ultimate Flexibility with Clickshare

Working and collaborating in any office environment today should be meaningful, as workers today go to office for very specific reasons. When desig...

View All Downloads

Would you like your latest project featured on TechDecisions as Project of the Week?

Apply Today!

More from Our Sister Publications

Get the latest news about AV integrators and Security installers from our sister publications:

Commercial IntegratorSecurity Sales

AV-iQ