On 23 July 2021, Microsoft issued a security advisory on Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS). The advisory provides mitigation steps for a security issue that could be used to access domain services such as Windows domain controllers or other Windows servers.
- Last week, researchers published a proof-of-concept (PoC) for a new Windows NT LAN Manager (NTLM) relay attack, dubbed PetitPotam. Threat actors could use this code to force a remote Windows server, including Domain Controllers, to authenticate with a malicious destination and share Microsoft NTLM authentication details and certificates. An attacker would need to be on your network or be connected to your domain without a VPN.
- PetitPotam abuses the EfsRpcOpenFileRaw function of Microsoft's Encrypting File System Remote (MS-EFSRPC) protocol API. MS-EFSRPC allows Windows machines to perform operations on encrypted data stored on remote systems.
- Microsoft stated that systems potentially vulnerable to this attack have NTLM authentication enabled in their domain and are using Active Directory Certificate Services (AD CS) with Certificate Authority Web Enrollment or Certificate Enrollment Web Service. The AD CS is a public key infrastructure (PKI) server commonly used to authenticate users, services, and machines on a Windows domain.
- Microsoft recommends disabling NTLM authentication on a Windows domain controller. When NTLM cannot be turned off for compatibility reasons, Microsoft provided alternative mitigation steps available in their KB5005413 article.
- If you have NTLM enabled, review and apply the mitigation steps in the Microsoft KB5005413 article listed below.
- Exercise caution before disabling NTLM, as some legacy applications still rely on NTLM authentication to function properly.
- We recommend a detailed audit of NTLM requests in your environment using a GPO setting in the Active Directory located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
- When possible, we recommend migrating from NTLM to Kerberos, which relies on encryption rather than password hashing. For legacy applications that require NTLM, we recommend using the more recent NTLMv2 and allowing an exception for only those applications to minimize the risk.
- Enforce SMB session signing, LDAP signing, and LDAPS channel binding on domain controllers to prevent NTLM relay attacks.
- Please note that disabling the Encrypting File System (EFS) service does not mitigate the risk.
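The following PowerShell script is an added example for the audit recommendation (NTLM request auditing via the Security Options policies) and the hardening recommendation (SMB signing, LDAP signing, LDAP channel binding) above; it is not part of the Microsoft advisory or KB5005413. It is read-only: it reports the registry values that back those Group Policy settings on a domain controller and summarises which hosts are still sending NTLM for domain accounts. The registry paths and value names are the ones Windows uses for the corresponding policies; the regular expression used to pull the workstation name out of event 8004 is an assumption about the rendered message text and may need adjusting on your OS version.

```powershell
# Added example (not from the advisory): read-only NTLM-relay hardening check.
# Run in an elevated PowerShell session on a domain controller.

function Get-RegValueOrDefault {
    # Return a registry value, or the supplied default when the value is absent.
    param([string]$Path, [string]$Name, $Default = 'not set')
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $Default
    }
}

# Each entry maps a Group Policy setting to the registry value behind it and the
# value that enables auditing / enforces signing on the DC.
$checks = @(
    @{ Setting  = 'Restrict NTLM: Audit NTLM authentication in this domain (7 = all)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name     = 'AuditNTLMInDomain';           Expected = 7 },
    @{ Setting  = 'Restrict NTLM: Audit Incoming NTLM Traffic (2 = all accounts)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name     = 'AuditReceivingNTLMTraffic';   Expected = 2 },
    @{ Setting  = 'SMB server: digitally sign communications (always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name     = 'RequireSecuritySignature';    Expected = 1 },
    @{ Setting  = 'LDAP server signing requirements (2 = require signing)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name     = 'LDAPServerIntegrity';         Expected = 2 },
    @{ Setting  = 'LDAP channel binding (2 = always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name     = 'LdapEnforceChannelBinding';   Expected = 2 }
)

$report = foreach ($c in $checks) {
    $actual = Get-RegValueOrDefault -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Setting  = $c.Setting
        Actual   = $actual
        Expected = $c.Expected
        Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
    }
}
$report | Format-Table -AutoSize

# With domain NTLM auditing enabled, each NTLM authentication of a domain account
# is logged as event 8004 in Microsoft-Windows-NTLM/Operational on the DC.
# Summarising the last 7 days by workstation shows which hosts still depend on
# NTLM, so exceptions can be scoped before NTLM is disabled.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No 8004 events since $since (auditing may be off or the log empty)."
} else {
    # Assumption: the rendered message contains a 'Workstation name: <host>' line.
    $events |
        ForEach-Object {
            $ws = if ($_.Message -match 'Workstation name:\s*(\S+)') { $Matches[1] } else { 'unknown' }
            [pscustomobject]@{ Workstation = $ws; Time = $_.TimeCreated }
        } |
        Group-Object Workstation |
        Sort-Object Count -Descending |
        Select-Object @{n='Workstation';e={$_.Name}}, Count,
                      @{n='LastSeen';e={($_.Group | Measure-Object Time -Maximum).Maximum}} |
        Format-Table -AutoSize
}
```

Any row marked REVIEW points at a policy that is not yet at the hardened value; change it through Group Policy rather than by editing the registry directly so the setting is enforced consistently across domain controllers. The 8004 summary is the input to the "allow an exception for only those applications" step: hosts that disappear from it after migration to Kerberos no longer need NTLM.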