Microsoft: Here's how to shield your Windows servers against this credential stealing attack

Microsoft outlines how to mitigate the NTLM Relay Attack known as PetitPotam.
Written by Liam Tung, Contributor

Microsoft has posted an advisory and detailed instructions on protecting Windows domain controllers and other Windows servers from the NTLM Relay Attack known as PetitPotam.

The PetitPotam take on the NTLM Relay attack was discovered last week by French security researcher Gilles Lionel, as first reported by The Record. The tool Lionel posted can "coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function," he explains. 

In other words, the attack can make a remote Windows server authenticate with an attacker and share Microsoft NTLM authentication credentials and certificates. 

Microsoft notes that PetitPotam "is a classic NTLM Relay Attack" that it describes in a 2009 security advisory, which it says "can potentially be used in an attack on Windows domain controllers or other Windows servers."

It says customers may be vulnerable to PetitPotam if NTLM authentication is enabled on a domain and Active Directory Certificate Services (AD CS) is in use with Certificate Authority Web Enrollment or Certificate Enrollment Web Service. 

To prevent NTLM Relay Attacks on domains that meet these conditions, Microsoft advises domain admins to ensure that services which permit NTLM authentication "make use of protections such as Extended Protection for Authentication (EPA) or signing features, such as SMB signing."

"PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks," Microsoft notes in ADV210003.  

Microsoft has provided more detailed mitigation instructions in a separate KB article, KB5005413. Microsoft's "preferred mitigation" is disabling NTLM authentication on a Windows domain controller. 

But it also has detailed and graphical instructions for alternative mitigations if it's not possible to disable NTLM authentication on a domain. "They are listed in order of more secure to less secure," it notes.
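The conditions and mitigations above can be checked from the AD CS server itself. The read-only audit below is an added example written for this page; it is not code from the article, from Microsoft's advisory or from KB5005413. It assumes a Windows Server host with the ServerManager and WebAdministration PowerShell modules, that Web Enrollment lives under the installer's default IIS site, and it uses the role names, IIS configuration paths, enum values and the `RestrictNTLMInDomain` registry value as the author of this example understands them; the function name and the fields it returns are this example's own.

```powershell
# Added example (not from the article or from Microsoft): a read-only audit of the
# conditions the advisory lists. Run locally on an AD CS server as an administrator.
#Requires -RunAsAdministrator
Import-Module ServerManager -ErrorAction SilentlyContinue
Import-Module WebAdministration -ErrorAction SilentlyContinue

function Test-NtlmRelayExposure {
    [CmdletBinding()]
    param(
        # IIS site hosting the CA Web Enrollment pages; 'Default Web Site' is the installer's default.
        [string]$SiteName = 'Default Web Site'
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail })
    }

    # 1. Is the AD CS web-enrollment surface installed? The advisory names Certificate
    #    Authority Web Enrollment and Certificate Enrollment Web Service (role names assumed).
    $webRoles = Get-WindowsFeature -Name ADCS-Web-Enrollment, ADCS-Enroll-Web-Svc |
        Where-Object Installed
    $roleDetail = if ($webRoles) { ($webRoles.Name -join ', ') + ' installed' } else { 'none installed' }
    Add-Finding 'AD CS web enrollment roles' ($webRoles.Count -eq 0) $roleDetail

    if ($webRoles) {
        # 2. Extended Protection for Authentication on the /CertSrv application.
        #    tokenChecking defaults to None; the mitigation is Require. IIS may report the
        #    enum by name or by number (assumed: None=0, Allow=1, Require=2).
        $epa = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Location 'CertSrv' `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
            -Name 'tokenChecking'
        $epaValue = "$($epa.Value)"
        Add-Finding 'EPA required on /CertSrv' ($epaValue -in @('Require', '2')) "tokenChecking=$epaValue"

        # 3. EPA only binds the authentication to the TLS channel when TLS is actually used,
        #    so /CertSrv must also require SSL.
        $ssl = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Location 'CertSrv' `
            -Filter 'system.webServer/security/access' -Name 'sslFlags'
        $sslValue = "$($ssl.Value)"
        Add-Finding 'SSL required on /CertSrv' ($sslValue -match 'Ssl') "sslFlags=$sslValue"
    }

    # 4. SMB signing required on this host (the other signing feature the advisory names).
    $smb = Get-SmbServerConfiguration
    Add-Finding 'SMB signing required' ([bool]$smb.RequireSecuritySignature) `
        "RequireSecuritySignature=$($smb.RequireSecuritySignature)"

    # 5. Domain-wide NTLM restriction, Microsoft's preferred mitigation. This value is set by
    #    the 'Network security: Restrict NTLM: NTLM authentication in this domain' policy;
    #    absent/0 means NTLM is allowed and 7 is 'Deny all' (value mapping assumed).
    $ntlm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
        -Name 'RestrictNTLMInDomain' -ErrorAction SilentlyContinue
    $level = if ($ntlm) { [int]$ntlm.RestrictNTLMInDomain } else { 0 }
    Add-Finding 'NTLM denied in domain' ($level -eq 7) "RestrictNTLMInDomain=$level"

    return $findings
}

# Usage: every row with Ok = False is one of the conditions the advisory says to address,
# listed here in roughly the same most-to-least-secure order as Microsoft's KB.
Test-NtlmRelayExposure | Format-Table -AutoSize
```

The script changes nothing; it only reads role state, IIS configuration, SMB server settings and one registry value, so it can be run before and after applying the KB5005413 steps to confirm that the chosen mitigation actually took effect on the server being checked.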
