Due to the recent vulnerability discovered in Zoom as reviewed by security experts on the 1st of April 2020. It allows attackers to steal Windows credentials via UNC Links. In 2019, the security provider “Preempt” discovered a vulnerability in NTLM which allows remote execution of malicious code on any Windows machine to authenticate to any web server that supports Windows Integrated Authentication. This article discussed the steps on how to prevent NTLM credentials from being sent to remote servers. Please see Bidding Farewell to NTLM in favour of Kerberos, and How to disable automatic Windows updates.
Also in 2018 according to the Checkpoint research team, “NTLM hash leaks can also be achieved via PDF files with no user interaction or exploitation”. By using this feature, attackers can inject malicious content into the PDF, and if the PDF file is opened then the target automatically starts leaking data in the form of NTLM hashes.
To mitigate this issue, a GPO can be configured to prevent NTML credentials from automatically being sent to a remote server when clicking on a UNC link. Alternatively, you can restrict NTLM Authentication in your Domain.
What is Microsoft’s NTLM (NT LAN Manager)?
This is an older and outdated security protocol that authenticates user credentials in a Windows domain. Microsoft has since replaced NTLM with Kerberos as the default authentication method for Active Directory, the company still supports the older protocol, while recommending that customers adopt Kerberos instead.
Note: In most organizations, NTLM is no longer being used as security holes plague it.
Various patches are being developed by Microsoft to prevent NTLM relay attacks, but they can also be bypassed.
To prevent Windows from automatically sending your credentials to a remote server (when accessing a share), here are the steps below if you must use NTLM.
Launch the Local Group Policy or Group Policy Management (Domain)
Navigate to the Computer Configuration, and then click on Windows Settings
– Security Settings
– Local Policies
– Security Options
– Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Double Click on the Policy, and select “Deny all“.
This means this device cannot authenticate any identities to a remote server by using NTLM authentication. You can use the Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication policy setting to define a list of remote servers to which client devices are allowed to use NTLM authentication while denying others. This setting will also log an event on the device that is making the authentication request.
Update the Group Policy
When the above steps are done. Update the group policy object for it to take effect immediately in order to avoid the default time of 90 minutes. See this link for more information, see the following article “all about GPO switches gpupdate and gpupdate-force“.
To prevent NTLM credentials from being sent to remote servers in your domain environment. Use the same steps as discussed in the Group Policy Management.
I hope you found this blog post helpful. Please let me know in the comment session if you have any questions.
