Microsoft describes how to mitigate PetitPotam NTLM Relay Attacks involving Active Directory services.
Microsoft has moved quickly to issue a set of mitigations to neutralize a newly discovered Windows NT LAN Manager (NTLM) exploit that enables attackers to hijack Windows domain controllers and effectively take over an entire domain.
The PetitPotam attack vector is an NTLM Relay Attack that could force remote Windows systems to yield their password hashes. Microsoft said it has previously documented such attacks along with mitigation options to protect customers.
Security researcher Gilles Lionel first identified the bug and posted proof-of-concept exploit code to demonstrate the attack, reports said. Microsoft subsequently issued a security advisory that included workaround mitigations.
PetitPotam is primarily aimed at corporate networks, The Record, which first reported on the exploit, said in a blog post. “PetitPotam cannot be exploited remotely over the internet and is an attack designed to be used inside large corporate networks, where attackers could use it to force domain controllers to cough up their NTLM password hashes or authentication certificates, which could lead to the complete takeover of a company’s internal network,” the blog said.
PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections against NTLM Relay Attacks, Microsoft said. Environments that use AD CS with Certificate Authority Web Enrollment or the Certificate Enrollment Web Service are potentially vulnerable to this attack.
To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as server message block (SMB) signing, Microsoft said in the advisory.
If potentially affected by PetitPotam, Microsoft recommends the following primary mitigations:
- Enable EPA and disable HTTP on AD CS servers. Open the Internet Information Services (IIS) Manager and enable EPA for Certificate Authority Web Enrollment, with Required being the more secure and recommended option.
- Enable EPA for Certificate Enrollment Web Service, with Required being the more secure and recommended option. After enabling EPA in the UI, the Web.config file created by the CES role at <%windir%>\systemdata\CES\<CA Name>_CES_Kerberos\web.config should also be updated by adding an <extendedProtectionPolicy> element set to either WhenSupported or Always, matching the Extended Protection option selected in the IIS UI above.
- Enable Require SSL, which will enable only HTTPS connections.
- Disable NTLM Authentication on your Windows domain controller by following the documentation in Network security: Restrict NTLM: NTLM authentication in this domain.
- Disable NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic. To configure this GPO, open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and set Network security: Restrict NTLM: Incoming NTLM traffic to Deny All Accounts or Deny All domain accounts. If needed, you can add exceptions as necessary using the setting Network security: Restrict NTLM: Add server exceptions in this domain.
- Disable NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the Certificate Authority Web Enrollment or Certificate Enrollment Web Service services.
- After completing these steps, you will need to restart IIS to load the changes. To restart IIS, open an elevated Command Prompt window, type the following command, and then press ENTER: iisreset /restart. This command stops all IIS services that are running and then restarts them.
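The following script is an added example, not code from the article or from Microsoft's advisory. It audits and, with -Apply, performs the IIS-side steps above (EPA set to Required, Require SSL, NTLM provider removed, the CES web.config updated) and reports the effective "Restrict NTLM: Incoming NTLM traffic" setting before restarting IIS. The CA name CONTOSO-CA and the application paths under Default Web Site are constructed placeholders; the placement of <extendedProtectionPolicy> inside the WCF <transport clientCredentialType="Windows"> element is an assumption to verify against your own web.config.

```powershell
#Requires -RunAsAdministrator
# Added example: audit/apply the PetitPotam-related AD CS hardening described above.
# Run without switches to audit; add -Apply to change IIS configuration and restart IIS.
param([switch]$Apply)
Import-Module WebAdministration

$AppHost = 'MACHINE/WEBROOT/APPHOST'
$CaName  = 'CONTOSO-CA'                                  # constructed placeholder; use your CA name
$Apps    = @('Default Web Site/CertSrv',                 # Certificate Authority Web Enrollment (assumed path)
             "Default Web Site/${CaName}_CES_Kerberos")  # Certificate Enrollment Web Service (assumed path)
$WinAuth = 'system.webServer/security/authentication/windowsAuthentication'
$CesConfig = "$env:windir\systemdata\CES\${CaName}_CES_Kerberos\web.config"

function Get-AdcsEpaStatus {
    # Report the three IIS settings the advisory calls out, per application.
    foreach ($loc in $Apps) {
        $epa  = Get-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter "$WinAuth/extendedProtection" -Name tokenChecking
        $ssl  = Get-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter 'system.webServer/security/access' -Name sslFlags
        $prov = Get-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter "$WinAuth/providers" -Name Collection
        [pscustomobject]@{
            Location      = $loc
            TokenChecking = "$epa"                                    # hardened value: Require
            SslFlags      = "$ssl"                                    # hardened value contains Ssl
            Providers     = ($prov | ForEach-Object { $_.value }) -join ','  # hardened: no NTLM entry
        }
    }
}

function Set-AdcsEpaHardening {
    foreach ($loc in $Apps) {
        # Extended Protection = Required (the IIS Manager drop-down for Windows Authentication)
        Set-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter "$WinAuth/extendedProtection" -Name tokenChecking -Value Require
        # Require SSL so only HTTPS connections reach the enrollment pages
        Set-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
        # Drop the NTLM provider so Windows Authentication offers Negotiate (Kerberos) only
        $providers = (Get-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter "$WinAuth/providers" -Name Collection).value
        if ($providers -contains 'NTLM') {
            Remove-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter "$WinAuth/providers" -Name '.' -AtElement @{ value = 'NTLM' }
        }
    }
}

function Set-CesExtendedProtectionPolicy {
    # Add <extendedProtectionPolicy policyEnforcement="..."/> to the CES web.config.
    # Assumption: it belongs under each WCF <transport clientCredentialType="Windows"> element.
    param([string]$Path = $CesConfig,
          [ValidateSet('WhenSupported', 'Always')][string]$Policy = 'Always')
    [xml]$cfg = Get-Content -Path $Path -Raw
    $changed = $false
    foreach ($transport in $cfg.SelectNodes("//transport[@clientCredentialType='Windows']")) {
        $node = $transport.SelectSingleNode('extendedProtectionPolicy')
        if (-not $node) {
            $node = $cfg.CreateElement('extendedProtectionPolicy')
            [void]$transport.AppendChild($node)
        }
        $node.SetAttribute('policyEnforcement', $Policy)
        $changed = $true
    }
    if ($changed) {
        Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep a copy before rewriting
        $cfg.Save($Path)
    }
    return $changed
}

function Get-RestrictIncomingNtlm {
    # Effective value of "Network security: Restrict NTLM: Incoming NTLM traffic":
    # 0/absent = allow all, 1 = deny all domain accounts, 2 = deny all accounts
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $v = (Get-ItemProperty -Path $key -Name RestrictReceivingNTLMTraffic -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
    if ($null -eq $v) { 0 } else { [int]$v }
}

Get-AdcsEpaStatus | Format-Table -AutoSize
if ((Get-RestrictIncomingNtlm) -lt 1) {
    Write-Warning 'Incoming NTLM traffic is not restricted on this host (GPO step above not applied).'
}
if ($Apply) {
    Set-AdcsEpaHardening
    if (Test-Path $CesConfig) { Set-CesExtendedProtectionPolicy -Policy Always | Out-Null }
    iisreset /restart            # reload IIS so the changes take effect
    Get-AdcsEpaStatus | Format-Table -AutoSize
}
```

Run it once without -Apply on each AD CS server to see the current state, then with -Apply from an elevated prompt. The audit output makes the "after" state checkable: TokenChecking should read Require, SslFlags should contain Ssl, and NTLM should no longer appear in Providers.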