My TechDecisions

IT Infrastructure, Network Security, News

Microsoft: How To Prevent NTLM Relay Attack

Microsoft has shared instructions on how to mitigate PetitPotam, an NTLM relay attack used against Windows domain controllers or servers.

Leave a Comment

Microsoft Entra Verified ID
Dvoevnore /stock.adobe,com

Microsoft has shared instructions on how to mitigate PetitPotam, an NT Lan Manager (NTLM) relay attack used against Windows domain controllers or servers.

The company did not say if the vulnerability is currently being exploited. Microsoft called it a “classic” NTLM relay attack that allows an attacker to take over a domain controller or other Windows servers.

According to BleepingComputer, this new attack method was discovered by a French security researcher and disclosed by Microsoft last week.

In a successful attack, a hacker would use the Microsoft Encrypting File System Remote Protocol to force a device, including domain controllers, to authenticate to a remote NTLM relay. Once authenticated to a malicious NTLM server, a hacker can steal hash and certificates and use them to masquerade as the device with all its privileges, Bleeping Computer reported.

You are vulnerable if…

In its advisory, Microsoft says organizations are vulnerable to this attack if servers with Active Directory Certificate Servers are not configured with protections. Specifically, organizations are vulnerable if NTLM authentication is enabled in their domain and Active Directory Certificate Services are used with Certificate Authority Web Enrollment or Certificate Enrollment Web Service.

You can mitigate this by…

Microsoft says administrators can prevent this attack by disabling NTLM authentication on the Windows domain controller, which the company says is the simplest way to mitigate. Admins can do this by following the documentation in Network security: Restrict NTLM: NTLM authentication in this domain.

If NTLM can’t be disabled due to compatibility reasons, admins are directed to disable NTLM on any AD CS Servers in the domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic.

According to Microsoft: “To configure this GPO, open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and set “Network security: Restrict NTLM: Incoming NTLM traffic” to “Deny All Accounts” or “Deny All domain accounts”.  If needed you can add exceptions as necessary using the setting “’Network security: Restrict NTLM: Add server exceptions in this domain.”

Admins can also disable NTLM for Internet Information Services on AD CS servers in the domain running Certificate Authority Web Enrollment or Certificate Enrollment Web Service.

Check out Microsoft’s advisory for more information and detailed steps in IIS Manager UI.

Reader Interactions

Leave a Reply

Your email address will not be published.

Get the FREE Tech Decisions eNewsletter

Sign up Today!

Latest Downloads

Shadow IT
Blueprint Series: How to Reduce Shadow IT

The distributed work model gives employees the flexibility they demand, but it can lead to shadow IT and introduce unnecessary security risk. Resea...

Hybrid Work webinar
Featured Webcast: Collaboration 2.0 — Where Are We Now?

In this webinar, subject matter experts discuss the transformation of the workplace, the rise of hybrid workers, the importance of open connectivit...

guide to end user training cover
Pro Tips for Conducting End User Training

Effective trainings are the glue that can make the difference following a new technology implementation that your team has spent so much time, effo...

View All Downloads

Would you like your latest project featured on TechDecisions as Project of the Week?

Apply Today!
Sharp Microsoft Collaboration HQ Logo

Learn More About the
Windows Collaboration Display

More from Our Sister Publications

Get the latest news about AV integrators and Security installers from our sister publications:

Commercial IntegratorSecurity Sales

AV-iQ