Microsoft warns of credential-stealing NTLM relay attacks against Windows domain controllers

To fend off the attack known as PetitPotam, Microsoft advises you to disable NTLM authentication on your Windows domain controller.


Microsoft is sounding an alert about a threat against Windows domain controllers that could allow attackers to capture NTLM (NT LAN Manager) credentials and certificates. In an advisory released last Friday, the company warned of an attack dubbed PetitPotam, which could be used against Windows domain controllers and other Windows servers.


Discovered and tested by a French researcher named Gilles Lionel (known on Twitter as @topotam), according to tech news site The Record, PetitPotam exploits a security hole in Windows through which an attacker can force a Windows server to share NTLM authentication details and certificates.

Called a classic NTLM relay attack by Microsoft, the technique works by abusing a Windows protocol known as MS-EFSRPC, which lets computers work with encrypted data on remote systems, The Record said.

By sending Server Message Block (SMB) requests to the MS-EFSRPC interface on a remote system, an attacker can trick the targeted server into sharing credential authentication details. From there, the attacker can trigger an NTLM relay attack to gain access to other computers on the same network.

As previously described in a Microsoft support document from 2009, NTLM relay attacks have been around for a number of years. Such attacks take advantage of the security weaknesses of NTLM as an authentication method. Though Microsoft has been urging customers to abandon NTLM because of its flaws, many organizations still rely on it, if only for legacy purposes, prompting the company to keep patching each hole as it pops up.

Most versions of Windows Server are affected by this flaw, including 2005, 2008, 2008 R2, 2012, 2012 R2, 2016 and 2019. In a support document, Microsoft explained that your organization is potentially vulnerable to PetitPotam if NTLM authentication is enabled in your domain and you use Active Directory Certificate Services (AD CS) with Certificate Authority Web Enrollment or Certificate Enrollment Web Service. If you fit that category, Microsoft offers several recommendations.

The preferred solution is to disable NTLM authentication in your Windows domain, a process you can implement by following the steps described on this Microsoft network security page.

If you cannot disable NTLM in your domain for compatibility reasons, Microsoft suggests disabling it on any AD CS servers in your domain, which you can do through Group Policy. If needed, you can add exceptions to this policy. Alternatively, disable NTLM for Internet Information Services (IIS) on AD CS servers in your domain that run Certificate Authority Web Enrollment or Certificate Enrollment Web Service.

“To prevent NTLM relay attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing,” Microsoft said. “PetitPotam takes advantage of servers where Active Directory Certificate Services is not configured with protections for NTLM relay attacks.”
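The following audit script is an added example, not part of the article or of Microsoft's guidance: run on an AD CS host, it reads the IIS and host settings that the mitigations above rely on (EPA on the CertSrv application, whether NTLM is still an offered IIS provider, SMB signing, and the incoming-NTLM restriction) and reports which are in place. It assumes the WebAdministration module is available and that Web Enrollment lives at the default "Default Web Site/CertSrv" path; adjust the parameter if your site differs.

```powershell
# Added audit example (not from the article or from Microsoft). Run elevated on the AD CS server.
# Assumption: Web Enrollment is published at the default "Default Web Site/CertSrv" location.
Import-Module WebAdministration

function Test-AdcsNtlmRelayMitigations {
    param([string]$SiteLocation = 'Default Web Site/CertSrv')   # assumed default path

    $filter = 'system.webServer/security/authentication/windowsAuthentication'
    $common = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $SiteLocation }

    # 1. Extended Protection for Authentication on the Web Enrollment application.
    #    "Require" rejects Windows-auth tokens that were not bound to this TLS channel.
    $epaRaw = Get-WebConfigurationProperty @common -Filter "$filter/extendedProtection" -Name 'tokenChecking'
    $epa = if ($epaRaw.PSObject.Properties['Value']) { $epaRaw.Value } else { [string]$epaRaw }

    # 2. Authentication providers IIS still offers for this application.
    #    If "NTLM" is listed, NTLM has not been disabled for CertSrv in IIS.
    $providers = (Get-WebConfigurationProperty @common -Filter "$filter/providers" -Name 'Collection') |
        ForEach-Object { $_.value }

    # 3. Server-side SMB signing (LanmanServer). 1 = signing required.
    $smb = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                            -Name 'RequireSecuritySignature' -ErrorAction SilentlyContinue

    # 4. Host-level restriction of incoming NTLM (the "Restrict NTLM: Incoming NTLM traffic"
    #    security option). 2 = deny all accounts.
    $ntlm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
                             -Name 'RestrictReceivingNTLMTraffic' -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        EpaTokenChecking    = $epa
        EpaRequired         = ($epa -eq 'Require')
        AuthProviders       = ($providers -join ', ')
        NtlmProviderRemoved = ($providers -notcontains 'NTLM')
        SmbSigningRequired  = ($smb.RequireSecuritySignature -eq 1)
        IncomingNtlmDenied  = ($ntlm.RestrictReceivingNTLMTraffic -eq 2)
    }
}

Test-AdcsNtlmRelayMitigations | Format-List
```

A host where every boolean field is False is relying on none of the protections Microsoft names; repeat the check against the Certificate Enrollment Web Service path as well if CES is installed.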
