Thursday, October 14, 2021

Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)

Executive Summary


Microsoft is aware of PetitPotam, which can potentially be used in an attack on Windows domain controllers or other Windows servers. PetitPotam is a classic NTLM Relay Attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers. For example, see Microsoft Security Advisory 974926.


To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing. PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks. The mitigations outlined in KB5005413* instruct customers on how to protect their AD CS servers from such attacks.


You are potentially vulnerable to this attack if you are using Active Directory Certificate Services (AD CS) with any of the following services:

  • Certificate Authority Web Enrollment
  • Certificate Enrollment Web Service


* Update - July 28, 2021: KB5005413 has been updated to make the steps for protecting your systems clearer.
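The advisory names the protections a domain administrator is expected to have in place (Extended Protection for Authentication on the AD CS web services, NTLM not accepted where it is not needed, and SMB signing). The following PowerShell audit script is an added example written for this page; it is not Microsoft's code and is not taken from KB5005413. It assumes the IIS WebAdministration module is installed on the CA host and that the Certificate Authority Web Enrollment application sits at the default path "Default Web Site/CertSrv" (the $App value is an assumption; change it to the Certificate Enrollment Web Service application name to audit that service instead).

```powershell
# Added audit script (not Microsoft's code, not from KB5005413): checks an AD CS
# web enrollment host for the NTLM relay protections the advisory refers to
# (EPA required, SSL required, NTLM not offered, SMB signing required).
# Assumptions: the IIS WebAdministration module is present, and the Certificate
# Authority Web Enrollment application lives at the default path
# "Default Web Site/CertSrv". Set $App to the CES application name to audit
# Certificate Enrollment Web Service instead.
Import-Module WebAdministration

$Site = 'Default Web Site'
$App  = 'CertSrv'                      # assumed default path for CA Web Enrollment
$Path = "IIS:\Sites\$Site\$App"
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Windows Authentication must be enabled, and Extended Protection for
#    Authentication (channel binding) must be 'Require', not 'Allow' or 'None'.
$WinAuth = Get-WebConfiguration -PSPath $Path `
    -Filter 'system.webServer/security/authentication/windowsAuthentication'
if (-not $WinAuth.enabled) {
    $Findings.Add("Windows Authentication is disabled on $Site/$App")
}
$TokenChecking = $WinAuth.extendedProtection.tokenChecking
if ($TokenChecking -ne 'Require') {
    $Findings.Add("EPA tokenChecking is '$TokenChecking' on $Site/$App; expected 'Require'")
}

# 2. EPA channel binding only protects TLS connections, so 'Require SSL'
#    must be set on the application.
$Access = Get-WebConfiguration -PSPath $Path -Filter 'system.webServer/security/access'
if ("$($Access.sslFlags)" -notmatch '\bSsl\b') {
    $Findings.Add("'Require SSL' is not set on $Site/$App (sslFlags='$($Access.sslFlags)')")
}

# 3. Authentication providers: 'NTLM' or bare 'Negotiate' (which can fall back
#    to NTLM) still let a relayed NTLM logon through; 'Negotiate:Kerberos' does not.
$Providers = Get-WebConfiguration -PSPath $Path `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/providers/add' |
    ForEach-Object { $_.value }
foreach ($p in $Providers) {
    if ($p -eq 'NTLM' -or $p -eq 'Negotiate') {
        $Findings.Add("Provider '$p' is enabled on $Site/$App; NTLM can still be accepted")
    }
}

# 4. SMB signing on the same host (the advisory's example of a signing mitigation).
$Smb = Get-SmbServerConfiguration
if (-not $Smb.RequireSecuritySignature) {
    $Findings.Add('SMB server does not require security signatures')
}

if ($Findings.Count -eq 0) {
    Write-Output "OK: $Site/$App requires EPA and SSL, offers no NTLM provider, and SMB signing is required"
} else {
    $Findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it in an elevated PowerShell session on the CA or web enrollment host. Each FINDING line corresponds to one of the configuration changes KB5005413 describes; a host that prints only the OK line has the settings the advisory expects, though the script reads IIS configuration only and does not test whether a relayed connection is actually rejected.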


Update & Detail: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)

Copyright © 2021 Vulnerability Database | Cyber Details™
