Microsoft has issued guidance on mitigating PetitPotam NTLM relay attacks against Windows domain controllers or other Windows servers.
According to Microsoft, an organization is exposed to NTLM relay attacks if NTLM authentication is enabled in its domain and it uses Active Directory Certificate Services (AD CS) with Certificate Authority Web Enrollment or Certificate Enrollment Web Service.
“PetitPotam is a classic NTLM Relay Attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers,” Microsoft stated in the post.
If your organization requires services to permit NTLM authentication, Microsoft recommends domain administrators leverage Extended Protection for Authentication (EPA) or signing features such as SMB signing.
However, Microsoft’s preferred and simplest mitigation is to disable NTLM authentication on Windows domain controllers if your organization supports it.
If you require NTLM for compatibility reasons, other mitigations include:
- Disable NTLM on any AD CS servers in your domain using Group Policy.
- Disable NTLM for Internet Information Services (IIS) on AD CS servers in your domain that are running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.
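The audit script below is added here and is not part of the article or of Microsoft's advisory. It checks a single AD CS server for the mitigations listed above: whether EPA is required and whether the NTLM provider is still offered on the web enrollment IIS application, whether incoming NTLM is denied host-wide, and whether SMB signing is required. It assumes the enrollment application sits at the default `Default Web Site/CertSrv` path.

```powershell
# Added audit script (not from the article or Microsoft's advisory).
# Run from an elevated PowerShell session on the AD CS server itself.
Import-Module WebAdministration

# Assumption: web enrollment is installed at the default IIS path.
$location   = 'Default Web Site/CertSrv'
$appHost    = 'MACHINE/WEBROOT/APPHOST'
$authFilter = 'system.webServer/security/authentication/windowsAuthentication'

# 1. Extended Protection for Authentication on the enrollment application.
#    tokenChecking must be "Require"; "None" or "Allow" leaves relayed
#    NTLM authentication accepted by IIS.
$epa = (Get-WebConfiguration -PSPath $appHost -Location $location `
            -Filter "$authFilter/extendedProtection").tokenChecking

# 2. Authentication providers offered by the application. If "NTLM" is
#    listed, the advisory's "disable NTLM for IIS" mitigation is not applied.
$providers = (Get-WebConfiguration -PSPath $appHost -Location $location `
                  -Filter "$authFilter/providers/add").value

# 3. Host-wide NTLM restriction, set by the Group Policy item
#    "Network security: Restrict NTLM: Incoming NTLM traffic".
#    2 = deny all incoming NTLM; 1 = deny domain accounts; absent/0 = allow.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
           -Name RestrictReceivingNTLMTraffic -ErrorAction SilentlyContinue

# 4. Server-side SMB signing requirement.
$smb = Get-SmbServerConfiguration

# Summarise; every $false / non-"Require" value is an open mitigation.
[pscustomobject]@{
    EPA_TokenChecking    = $epa
    NTLMProviderOffered  = [bool]($providers -contains 'NTLM')
    IncomingNTLMDenied   = ($lsa.RestrictReceivingNTLMTraffic -eq 2)
    SMBSigningRequired   = $smb.RequireSecuritySignature
} | Format-List
```

If Certificate Enrollment Web Service is installed as well, repeat the IIS checks with its own application path, since EPA and providers are configured per application.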
Finally, Microsoft provided an additional security advisory (ADV210003) on January 23 and wrote there were no public exploits at that time.