Microsoft warns attack could compromise Windows domain controllers and servers

Microsoft has acknowledged a newly discovered version of an attack on a long-vulnerable Windows single sign-on protocol called NTLM — short for New Technology LAN Manager — that is still used in the operating system as a fallback to the newer Kerberos authentication protocol.

If successful, the attack, dubbed PetitPotam by the French researcher who discovered it, could allow the takeover of Windows domain controllers or servers.

It’s the latest in what Microsoft calls classic NTLM relay attacks.

To prevent a successful attack on networks with NTLM enabled, Microsoft said, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or features such as SMB (Server Message Block) signing.

Microsoft said PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections from NTLM relay attacks. The mitigations outlined in its knowledge base document KB5005413 instruct admins on how to protect their AD CS servers from such attacks.
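The two mitigations named above, EPA and SMB signing, can both be audited from the server itself. The following PowerShell script is an added example and is not part of the article or of Microsoft's KB5005413; it reads the current SMB server configuration and the IIS Extended Protection setting for the AD CS web enrollment application. It assumes the default `CertSrv` application under `Default Web Site` (adjust the path for your CA), an elevated session, and the built-in `SmbShare` and `WebAdministration` modules.

```powershell
# Added example (not from the article): audit the NTLM-relay mitigations the
# article names on a Windows server. Read-only; remediation commands are given
# in comments so an admin can apply them deliberately after review.

$results = @()

# 1. SMB signing. "Enabled" only offers signing; "Required" is what actually
#    prevents an unsigned, relayed SMB session from being accepted.
$smb = Get-SmbServerConfiguration
$results += [pscustomobject]@{
    Check  = 'SMB signing required (server)'
    Value  = $smb.RequireSecuritySignature
    Status = if ($smb.RequireSecuritySignature) { 'OK' } else { 'WEAK' }
    # Fix: Set-SmbServerConfiguration -RequireSecuritySignature $true
}

# 2. Extended Protection for Authentication on the AD CS web enrollment app.
#    tokenChecking values: None (off), Allow (accept CBT if present), Require.
#    Only "Require" binds the NTLM handshake to the TLS channel and defeats relay.
$certSrvPath = 'IIS:\Sites\Default Web Site\CertSrv'   # assumption: default AD CS path
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    if (Test-Path $certSrvPath) {
        $epa = (Get-WebConfigurationProperty -PSPath $certSrvPath `
                -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
                -Name 'tokenChecking').Value
        $results += [pscustomobject]@{
            Check  = 'EPA tokenChecking on CertSrv'
            Value  = $epa
            Status = if ($epa -eq 'Require') { 'OK' } else { 'WEAK' }
            # Fix: Set-WebConfigurationProperty -PSPath $certSrvPath `
            #        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
            #        -Name 'tokenChecking' -Value 'Require'
        }
    } else {
        $results += [pscustomobject]@{ Check = 'EPA tokenChecking on CertSrv'; Value = 'n/a'; Status = 'CertSrv not found at assumed path' }
    }
} else {
    $results += [pscustomobject]@{ Check = 'EPA tokenChecking on CertSrv'; Value = 'n/a'; Status = 'WebAdministration module not present (not an IIS host?)' }
}

$results | Format-Table -AutoSize
```

Any row marked WEAK is a service that will still accept a relayed NTLM authentication; the commented fix lines are the settings KB5005413 directs administrators toward, and each should be tested against the legacy clients the article notes NTLM is kept around for before being enforced domain-wide.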

According to a post earlier this year by CrowdStrike, despite its known weaknesses NTLM remains widely deployed even on new systems to maintain compatibility with legacy clients and servers. It was supplanted by Kerberos as the default authentication protocol in Windows 2000.

In an interview with the Bleeping Computer news site, the French researcher said PetitPotam isn’t a vulnerability, but an abuse of a Windows function.

One researcher who tested the proof-of-concept told Bleeping Computer that it is “quite brutal” and could lead to a full takeover of Active Directory.

Howard Solomon