Microsoft has shared instructions on how to mitigate PetitPotam, an NT Lan Manager (NTLM) relay attack used against Windows domain controllers or servers.
The company did not say if the vulnerability is currently being exploited. Microsoft called it a “classic” NTLM relay attack that allows an attacker to take over a domain controller or other Windows servers.
According to BleepingComputer, this new attack method was discovered by a French security researcher and disclosed by Microsoft last week.
In a successful attack, a hacker would use the Microsoft Encrypting File System Remote Protocol to force a device, including domain controllers, to authenticate to a remote NTLM relay. Once authenticated to a malicious NTLM server, a hacker can steal hash and certificates and use them to masquerade as the device with all its privileges, Bleeping Computer reported.
You are vulnerable if…
In its advisory, Microsoft says organizations are vulnerable to this attack if servers with Active Directory Certificate Servers are not configured with protections. Specifically, organizations are vulnerable if NTLM authentication is enabled in their domain and Active Directory Certificate Services are used with Certificate Authority Web Enrollment or Certificate Enrollment Web Service.
You can mitigate this by…
Microsoft says administrators can prevent this attack by disabling NTLM authentication on the Windows domain controller, which the company says is the simplest way to mitigate. Admins can do this by following the documentation in Network security: Restrict NTLM: NTLM authentication in this domain.
If NTLM can’t be disabled due to compatibility reasons, admins are directed to disable NTLM on any AD CS Servers in the domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic.
According to Microsoft: “To configure this GPO, open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and set “Network security: Restrict NTLM: Incoming NTLM traffic” to “Deny All Accounts” or “Deny All domain accounts”. If needed you can add exceptions as necessary using the setting “’Network security: Restrict NTLM: Add server exceptions in this domain.”
Admins can also disable NTLM for Internet Information Services on AD CS servers in the domain running Certificate Authority Web Enrollment or Certificate Enrollment Web Service.
Check out Microsoft’s advisory for more information and detailed steps in IIS Manager UI.