Microsoft: Here's how to shield your Windows servers against this credential stealing attack

Microsoft outlines how to mitigate the NTLM Relay Attack known as PetitPotam.
Written by Liam Tung, Contributing Writer

Microsoft has posted advisory and detailed instructions on protecting Windows domain controllers and other Windows servers from the NTLM Relay Attack known as PetitPotam.

The PetitPotam take on the NTLM Relay attack was discovered last week by French security researcher Gilles Lionel, as first reported by The Record. The tool Lionel posted can "coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function," he explains. 

In other words, the attack can make a remote Windows server authenticate with an attacker and share Microsoft NTLM authentication credentials and certificates. 

Microsoft notes that PetitPotam "is a classic NTLM Relay Attack" that it describes in a 2009 security advisory, which it says "can potentially be used in an attack on Windows domain controllers or other Windows servers."

It says customers may be vulnerable to PetitPotam if NTLM authentication is enabled on a domain and Active Directory Certificate Services (AD CS) is in use with Certificate Authority Web Enrollment or Certificate Enrollment Web Service. 

To prevent NTLM Relay Attacks that meet these conditions, Microsoft advises domain admins to ensure that services that permit NTLM authentication must "make use of protections such as Extended Protection for Authentication (EPA) or signing features. Such as SMB signing."

"PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks," Microsoft notes in ADV210003.  

Microsoft has provided more detailed mitigation instructions in a separate KB article, KB5005413. Microsoft's "preferred mitigation" is disabling NTLM authentication on a Windows domain controller. 

But it also has detailed and graphical instructions for alternative mitigations if it's not possible to disable NTLM authentication on a domain. "They are listed in order of more secure to less secure," it notes.

Editorial standards