Microsoft warns of credential-stealing NTLM relay attacks against Windows domain controllers
To ward off the attack known as PetitPotam, Microsoft advises you to disable NTLM authentication on your Windows domain controller.
Microsoft is sounding an alert about a threat against Windows domain controllers that would allow attackers to capture NTLM credentials and certificates.
Dubbed a classic NTLM relay attack by Microsoft, the process works by abusing a Windows protocol known as MS-EFSRPC, which lets computers work with encrypted data on remote systems, The Record said.
As previously described in a Microsoft support document from 2009, NTLM relay attacks have been around for a number of years.
In a support document, Microsoft explained that your organization is potentially vulnerable to PetitPotam if NTLM authentication is enabled on your domain and you use Active Directory Certificate Services with Certificate Authority Web Enrollment or Certificate Enrollment Web Service.
"To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication or signing features such as SMB signing," Microsoft said.
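The conditions and protections Microsoft lists can be checked on a server with a read-only audit. The script below is an added example, not code from Microsoft or the original article. It assumes an elevated PowerShell session on a Windows Server with the ServerManager, SmbShare and WebAdministration modules, and it reports on every IIS application rather than assuming site or application names.

```powershell
# Added example: read-only audit of one server. Run elevated on the AD CS host.
# Assumes the ServerManager, SmbShare and WebAdministration modules are present.
Import-Module ServerManager

# AD CS web roles Microsoft names: CA Web Enrollment, Certificate Enrollment Web Service
$roles = @(Get-WindowsFeature -Name ADCS-Web-Enrollment, ADCS-Enroll-Web-Svc |
    Where-Object { $_.Installed })

# Incoming NTLM restriction policy: 2 = deny all accounts, absent or 0 = allow all
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
    -Name RestrictReceivingNTLMTraffic -ErrorAction SilentlyContinue
$ntlmIn = if ($lsa) { $lsa.RestrictReceivingNTLMTraffic } else { 0 }

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    AdcsWebRoles       = $roles.Name -join ', '
    IncomingNtlmDenied = ($ntlmIn -eq 2)
    SmbSigningRequired = (Get-SmbServerConfiguration).RequireSecuritySignature
} | Format-List

# Unwrap the result whether the cmdlet returns a raw value or an attribute object
function Get-AuthSetting($Location, $Filter, $Name) {
    $v = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $Location -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

if ($roles.Count -gt 0) {
    Import-Module WebAdministration
    $auth = 'system.webServer/security/authentication/windowsAuthentication'
    foreach ($site in Get-Website) {
        foreach ($app in Get-WebApplication -Site $site.Name) {
            $loc = $site.Name + $app.Path      # "<site>/<application>"
            $win = Get-AuthSetting $loc $auth 'enabled'
            $epa = Get-AuthSetting $loc "$auth/extendedProtection" 'tokenChecking'
            [pscustomobject]@{
                Application    = $loc
                WindowsAuth    = $win
                TokenChecking  = $epa           # None, Allow or Require
                # Windows authentication without required EPA is relayable
                NeedsAttention = ($win -and $epa -ne 'Require')
            }
        }
    }
}
```

Any application reported with `NeedsAttention` set to `True` accepts Windows authentication without requiring Extended Protection for Authentication, which is the gap Microsoft's guidance asks administrators to close.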