Sunday, September 26, 2021

Microsoft warns attack could compromise Windows domain controllers and servers

Microsoft has acknowledged a newly discovered version of an attack on a long-vulnerable Windows single sign-on protocol called NTLM — short for New Technology LAN Manager — that is still used in the operating system as a backup to the newer Kerberos authentication protocol.

If successful, the attack, dubbed PetitPotam by the French researcher who discovered it, could allow the takeover of Windows domain controllers or servers.

It’s the latest in what Microsoft calls classic NTLM relay attacks.

To prevent a successful attack on networks with NTLM enabled, Microsoft said, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA), or features such as SMB (server message block) signing.

Microsoft said PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections from NTLM relay attacks. The mitigations outlined in its knowledge base document KB5005413 instruct admins on how to protect their AD CS servers from such attacks.
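A read-only audit of the mitigations named above (SMB signing, and Extended Protection for Authentication plus SSL on the AD CS web enrollment application), added here as an example; it is not from the article or from Microsoft's KB5005413, and it assumes the enrollment app sits at the default "Default Web Site/CertSrv" path and that the WebAdministration module is installed on the server being checked.

```powershell
# Added example: audit the NTLM-relay mitigations the article names.
# Assumptions: run on the AD CS server, WebAdministration module present,
# web enrollment app at the default path IIS:\Sites\Default Web Site\CertSrv.
Import-Module WebAdministration -ErrorAction Stop

# Helper: IIS attribute reads may come back as a ConfigurationAttribute
# object or as a plain value; normalise both to a string.
function Get-ConfigValue($PSPath, $Filter, $Name) {
    $p = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($null -ne $p -and $p.PSObject.Properties['Value']) { return "$($p.Value)" }
    return "$p"
}

$certSrv = 'IIS:\Sites\Default Web Site\CertSrv'   # assumed default path
$results = @()

# 1. SMB signing: a relayed NTLM session to SMB fails when the server
#    requires signed sessions.
$smb = Get-SmbServerConfiguration
$results += [pscustomobject]@{
    Check = 'SMB server requires signing'
    Value = "$($smb.RequireSecuritySignature)"
    Pass  = [bool]$smb.RequireSecuritySignature
}

# 2. EPA on web enrollment: "Require" binds the NTLM exchange to the TLS
#    channel, so a token relayed from another connection is rejected.
$epa = Get-ConfigValue $certSrv `
    'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
    'tokenChecking'
$results += [pscustomobject]@{
    Check = 'CertSrv EPA tokenChecking'
    Value = $epa
    Pass  = ($epa -eq 'Require')
}

# 3. EPA only protects HTTPS, so the app must also require SSL.
$ssl = Get-ConfigValue $certSrv 'system.webServer/security/access' 'sslFlags'
$results += [pscustomobject]@{
    Check = 'CertSrv requires SSL'
    Value = $ssl
    Pass  = ($ssl -match '\bSsl\b')
}

$results | Format-Table -AutoSize
# Non-zero exit lets a scheduled job or CI step flag a server still exposed.
if ($results.Pass -contains $false) { exit 1 }
```

Any row with Pass set to False is a server still open to the relay path KB5005413 describes; the script changes nothing, so the fixes are applied separately per the KB.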

According to a post earlier this year by CrowdStrike, despite known vulnerabilities NTLM remains widely deployed even on new systems to maintain compatibility with legacy clients and servers. It was supplanted by Kerberos as the default authentication protocol in Windows 2000.

In an interview with the Bleeping Computer news site, the French researcher said PetitPotam isn’t a vulnerability, but an abuse of a Windows function.

One researcher who tested the proof-of-concept told Bleeping Computer that it is “quite brutal” and could lead to a full takeover of Active Directory.

Howard Solomon