In June 2019, Microsoft released patches for two critical vulnerabilities that were discovered in its NT LAN Manager (NTLM) protocol suite affecting all versions. These vulnerabilities let attackers execute malicious code on any Windows machine remotely, or even authenticate to an HTTP or Exchange server.
In a previous blog, we saw how some of the authentication protocols in Active Directory (AD) work and the cybersecurity risks associated with NTLM. NTLM is susceptible to relay attacks where an attacker compromises one machine and moves laterally to other machines by using NTLM authentication directed at the compromised server. A successful attack lets the attacker essentially “steal” the login of a legitimate user to authenticate their own session, thereby gaining access to critical data and valuable resources in AD.
The latest vulnerabilities are a result of three flaws associated with NTLM that let the attacker bypass existing protection mechanisms. The first flaw resides in the SMB session signing that enables attackers to relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution. If the relay request is performed with a privileged account, it could compromise the entire domain.
The second flaw lets attackers remove the Message Integrity Code (MIC) protection and modify various fields in the NTLM authentication flow, including signing negotiation. The third flaw allows attackers to connect to various web servers using the attacked users’ privileges and perform operations, such as reading users’ emails or connecting to cloud resources by relaying requests to OWA servers and ADFS servers, respectively.
NTLM’s two latest vulnerabilities allow attackers to capture a legitimate user’s authentication attempt and relay it to another server, granting them the ability to perform operations on a remote server using that user’s privileges.
Microsoft’s existing mitigations do not help protect against an NTLM relay attack. This is significant, especially at a time when NTLM relay is becoming one among the most popular attack methods for cybercriminals looking to exploit AD infrastructure. To deal with the problem, Microsoft released fixes along with the following guidelines:
- Ensure that workstations and servers are properly patched.
Configure the following settings:
Enforce SMB signing: To prevent attackers from launching simpler NTLM relay attacks, turn on SMB signing on all machines in the network.
Block NTLMv1: Since NTLMv1 is considered significantly less secure, it’s recommended to completely block it by configuring the appropriate GPO.
Enforce LDAP/LDAPS signing: To prevent NTLM relay in LDAP, enforce LDAP signing and LDAPS channel binding on domain controllers.
Enforce Enhanced Protection for Authentication (EPA): To prevent NTLM relay on web servers, harden all web servers (e.g., OWA or ADFS) to accept requests with EPA only.
- Reduce NTLM usage, and remove NTLM where it’s not required.
One way you can get around these concerns is by employing user behavior analytics (UBA), which can be leveraged to indicate when vulnerabilities are actively being exploited. By detecting and analyzing new or unusual processes on member servers and first time remote access on hosts, UBA helps assess risks in your environment.