• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

My TechDecisions

  • COVID-19 Update
  • Best of Tech Decisions
  • Topics
    • Video
    • Audio
    • Mobility
    • Unified Communications
    • IT Infrastructure
    • Network Security
    • Physical Security
    • Facility
    • Compliance
  • RFP Resources
  • Resources
  • Podcasts
  • Subscribe
  • Project of the Week
  • About Us
    SEARCH
IT Infrastructure, Network Security, News

Microsoft: How To Prevent NTLM Relay Attack

Microsoft has shared instructions on how to mitigate PetitPotam, an NTLM relay attack used against Windows domain controllers or servers.

July 26, 2021 Zachary Comeau Leave a Comment

Microsoft Entra Verified ID
Dvoevnore /stock.adobe,com

Microsoft has shared instructions on how to mitigate PetitPotam, an NT Lan Manager (NTLM) relay attack used against Windows domain controllers or servers.

The company did not say if the vulnerability is currently being exploited. Microsoft called it a “classic” NTLM relay attack that allows an attacker to take over a domain controller or other Windows servers.

According to BleepingComputer, this new attack method was discovered by a French security researcher and disclosed by Microsoft last week.

In a successful attack, a hacker would use the Microsoft Encrypting File System Remote Protocol to force a device, including domain controllers, to authenticate to a remote NTLM relay. Once authenticated to a malicious NTLM server, a hacker can steal hash and certificates and use them to masquerade as the device with all its privileges, Bleeping Computer reported.

You are vulnerable if…

In its advisory, Microsoft says organizations are vulnerable to this attack if servers with Active Directory Certificate Servers are not configured with protections. Specifically, organizations are vulnerable if NTLM authentication is enabled in their domain and Active Directory Certificate Services are used with Certificate Authority Web Enrollment or Certificate Enrollment Web Service.

You can mitigate this by…

Microsoft says administrators can prevent this attack by disabling NTLM authentication on the Windows domain controller, which the company says is the simplest way to mitigate. Admins can do this by following the documentation in Network security: Restrict NTLM: NTLM authentication in this domain.

If NTLM can’t be disabled due to compatibility reasons, admins are directed to disable NTLM on any AD CS Servers in the domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic.

According to Microsoft: “To configure this GPO, open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and set “Network security: Restrict NTLM: Incoming NTLM traffic” to “Deny All Accounts” or “Deny All domain accounts”.  If needed you can add exceptions as necessary using the setting “’Network security: Restrict NTLM: Add server exceptions in this domain.”

Admins can also disable NTLM for Internet Information Services on AD CS servers in the domain running Certificate Authority Web Enrollment or Certificate Enrollment Web Service.

Check out Microsoft’s advisory for more information and detailed steps in IIS Manager UI.

Tagged With: Cybersecurity, Microsoft

Related Content:

  • Cloud THreats, Proofpoint Third Parties and Partners are Leading to Increased…
  • Google Curated Detections Chronicle Google Releases Curated Detections in Chronicle
  • Vendors interacting in an office. CompTIA: Technology Vendor Partner Programs Growing
  • Fortinet, ransomware, zero day vulnerabilities, log4shell Ransomware, Zero-Day Vulnerabilities On the Rise

Free downloadable guide you may like:

  • Shadow ITBlueprint Series: How to Reduce Shadow IT

    The distributed work model gives employees the flexibility they demand, but it can lead to shadow IT and introduce unnecessary security risk. Research finds that this distributed work environment is leading to IT management blind spots and shadow IT.

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Get the FREE Tech Decisions eNewsletter

Sign up Today!

Latest Downloads

Shadow IT
Blueprint Series: How to Reduce Shadow IT

The distributed work model gives employees the flexibility they demand, but it can lead to shadow IT and introduce unnecessary security risk. Resea...

Hybrid Work webinar
Featured Webcast: Collaboration 2.0 — Where Are We Now?

In this webinar, subject matter experts discuss the transformation of the workplace, the rise of hybrid workers, the importance of open connectivit...

guide to end user training cover
Pro Tips for Conducting End User Training

Effective trainings are the glue that can make the difference following a new technology implementation that your team has spent so much time, effo...

View All Downloads

Would you like your latest project featured on TechDecisions as Project of the Week?

Apply Today!
Sharp Microsoft Collaboration HQ Logo

Learn More About the
Windows Collaboration Display

More from Our Sister Publications

Get the latest news about AV integrators and Security installers from our sister publications:

Commercial IntegratorSecurity Sales

AV-iQ

Footer

TechDecisions

  • Home
  • Welcome to TechDecisions
  • Subscribe to the Newsletter
  • Contact Us
  • Media Solutions & Advertising
  • Comment Guidelines
  • RSS Feeds
  • Twitter
  • Facebook
  • Linkedin

Free Technology Guides

FREE Downloadable resources from TechDecisions provide timely insight into the issues that IT, A/V, and Security end-users, managers, and decision makers are facing in commercial, corporate, education, institutional, and other vertical markets

View all Guides
TD Project of the Week

Get your latest project featured on TechDecisions Project of the Week. Submit your work once and it will be eligible for all upcoming weeks.

Enter Today!
Emerald Logo
ABOUTCAREERSAUTHORIZED SERVICE PROVIDERSTERMS OF USEPRIVACY POLICY

© 2022 Emerald X, LLC. All rights reserved.