NTLM Relay Attacks on Active Directory Certificate Services

Executive Summary

A French security researcher, Gilles Lionel, discovered PetitPotam: a Windows New Technology LAN Manager (NTLM) relay attack method that enables attackers to take over Windows domain controllers when Active Directory Certificate Services (ADCS) is active. PetitPotam forces Windows hosts to authenticate to endpoints using the MS Encrypting File System Remote Protocol (EFSRPC). PetitPotam is therefore not a vulnerability in itself; it is an attack method that abuses legitimate security features on a Windows network.

Per Microsoft’s directive, the preferred mitigation is to enable Extended Protection for Authentication (EPA) and to disable NTLM authentication wherever it is unnecessary on the ADCS servers.

Corporate Security Impact

The design of PetitPotam makes it suitable to attack large corporate networks from within. Attackers can use this tool to obtain NTLM password hashes or authentication certificates from domain controllers to take over an internal corporate network. Using Active Directory Certificate Services (ADCS) with Certificate Authority Web Enrollment and Certificate Enrollment Web Service makes a network particularly vulnerable to this type of NTLM relay attack.

What makes PetitPotam more dangerous is that it does not require any user interaction. Remote attackers can easily make domain controllers perform authentication without requiring any credentials. As a result, this attack is easier and faster to execute, and it has accentuated the vulnerabilities of the Active Directory privilege model.

There are numerous ways this new NTLM relay attack could affect organizations. First, compromise of the domain controller implies that the attacker has complete control over the network. Second, threat actors can launch cyberattacks such as ransomware to cripple critical operations. Third, companies can lose sensitive data and the personal information of customers. Finally, customer data breaches can create legal issues for the company, subject to state or federal law.

Recommended Mitigations

In its latest update, Microsoft partially addressed the issue. Also, for potentially affected environments, Microsoft has advised organizations to employ various primary and additional mitigations, such as:

Primary Mitigations:

  • First, enable Extended Protection for Authentication (EPA) and disable HTTP on ADCS servers.
  • Enable EPA for both Certificate Authority Web Enrollment and Certificate Enrollment Web Service.
  • Enable the Require SSL setting, which allows only HTTPS connections.

Additional Mitigations:

  • Disable NTLM authentication on the Windows domain controller.
  • Disable NTLM on any ADCS servers in the domain using the “Network security: Restrict NTLM” Group Policy settings.
  • For optimal security, disable NTLM for Internet Information Services (IIS) on ADCS servers in the domain, especially where the “Certificate Enrollment Web Service” or “Certificate Authority Web Enrollment” services run.

IIS must be restarted for the primary and additional mitigations to take effect, so restart it after each step. The restart command stops all running IIS services and then starts them again.
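
One way to verify the EPA, Require SSL and NTLM settings after the restart is to audit the IIS configuration offline. The script below is an added example, not code from the original article or from Microsoft. It parses XML shaped like IIS `applicationHost.config`; the sample configuration and application names are constructed, and settings inherited from the server level or from a per-application `web.config` are not resolved.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like IIS applicationHost.config <location> blocks.
# Site and application names are assumptions for illustration only.
def _loc(path, ssl, epa, providers):
    adds = "".join(f'<add value="{p}"/>' for p in providers)
    return (f'<location path="{path}"><system.webServer><security>'
            f'<access sslFlags="{ssl}"/><authentication>'
            f'<windowsAuthentication enabled="true">'
            f'<extendedProtection tokenChecking="{epa}"/>'
            f'<providers>{adds}</providers></windowsAuthentication>'
            f'</authentication></security></system.webServer></location>')

SAMPLE_CONFIG = ("<configuration>"
    + _loc("Default Web Site/CertSrv", "None", "None", ["Negotiate", "NTLM"])
    + _loc("Default Web Site/Example_CES_Kerberos", "Ssl", "Require",
           ["Negotiate:Kerberos"])
    + "</configuration>")

NTLM_CAPABLE = {"ntlm", "negotiate"}  # plain Negotiate can fall back to NTLM

def audit(config_xml):
    """Return {location path: [findings]} for locations with Windows auth enabled."""
    report = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        wa = loc.find(".//windowsAuthentication")
        if wa is None or wa.get("enabled", "false").lower() != "true":
            continue
        findings = []
        # EPA: a missing element is treated as tokenChecking="None".
        epa = wa.find("extendedProtection")
        token = epa.get("tokenChecking", "None") if epa is not None else "None"
        if token != "Require":
            findings.append(f"EPA tokenChecking is {token}, expected Require")
        # Require SSL: the Ssl flag must be present in sslFlags.
        access = loc.find(".//access")
        flags = access.get("sslFlags", "None") if access is not None else "None"
        if "Ssl" not in [f.strip() for f in flags.split(",")]:
            findings.append("Require SSL is not set")
        # Providers that still accept NTLM on this application.
        weak = [a.get("value") for a in wa.findall("providers/add")
                if a.get("value", "").lower() in NTLM_CAPABLE]
        if weak:
            findings.append("NTLM-capable providers: " + ", ".join(weak))
        report[loc.get("path")] = findings
    return report

if __name__ == "__main__":
    for path, findings in audit(SAMPLE_CONFIG).items():
        print(path, "->", findings or "OK")
```

An empty findings list means the location has EPA required, Require SSL set and no NTLM-capable provider listed at that level.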