My TechDecisions

IT Infrastructure, Network Security, News

Microsoft: How To Prevent NTLM Relay Attack

Microsoft has shared instructions on how to mitigate PetitPotam, an NTLM relay attack used against Windows domain controllers or servers.

Leave a Comment

Microsoft OMI Azure
Dvoevnore /stock.adobe,com

Microsoft has shared instructions on how to mitigate PetitPotam, an NT Lan Manager (NTLM) relay attack used against Windows domain controllers or servers.

The company did not say if the vulnerability is currently being exploited. Microsoft called it a “classic” NTLM relay attack that allows an attacker to take over a domain controller or other Windows servers.

According to BleepingComputer, this new attack method was discovered by a French security researcher and disclosed by Microsoft last week.

In a successful attack, a hacker would use the Microsoft Encrypting File System Remote Protocol to force a device, including domain controllers, to authenticate to a remote NTLM relay. Once authenticated to a malicious NTLM server, a hacker can steal hash and certificates and use them to masquerade as the device with all its privileges, Bleeping Computer reported.

You are vulnerable if…

In its advisory, Microsoft says organizations are vulnerable to this attack if servers with Active Directory Certificate Servers are not configured with protections. Specifically, organizations are vulnerable if NTLM authentication is enabled in their domain and Active Directory Certificate Services are used with Certificate Authority Web Enrollment or Certificate Enrollment Web Service.

You can mitigate this by…

Microsoft says administrators can prevent this attack by disabling NTLM authentication on the Windows domain controller, which the company says is the simplest way to mitigate. Admins can do this by following the documentation in Network security: Restrict NTLM: NTLM authentication in this domain.

If NTLM can’t be disabled due to compatibility reasons, admins are directed to disable NTLM on any AD CS Servers in the domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic.

According to Microsoft: “To configure this GPO, open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and set “Network security: Restrict NTLM: Incoming NTLM traffic” to “Deny All Accounts” or “Deny All domain accounts”.  If needed you can add exceptions as necessary using the setting “’Network security: Restrict NTLM: Add server exceptions in this domain.”

Admins can also disable NTLM for Internet Information Services on AD CS servers in the domain running Certificate Authority Web Enrollment or Certificate Enrollment Web Service.

Check out Microsoft’s advisory for more information and detailed steps in IIS Manager UI.

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *

Get the FREE Tech Decisions eNewsletter

Sign up Today!

Latest Downloads

2021 Gartner® Magic Quadrant™ for ITSM Tools

Gartner® has once again recognized Freshworks’ IT service management platform, Freshservice, in the 2021 Gartner® Magic Quadrant™ for IT Serv...

Choosing the Right Video Wall for Your Workplace

It’s becoming ever more clear that path forward for the modern workplace is a hybrid model. Employees will likely be splitting their time between a...

Making AI Work For IT Service Management

AI or Artificial Intelligence has been said to drastically change the way we do things, everything from cars and robots to marketing and digital ex...

View All Downloads

Would you like your latest project featured on TechDecisions as Project of the Week?

Apply Today!
Sharp Microsoft Collaboration HQ Logo

Learn More About the
Windows Collaboration Display

More from Our Sister Publications

Get the latest news about AV integrators and Security installers from our sister publications:

Commercial IntegratorSecurity Sales