Due to the recent vulnerability discovered in Zoom as reviewed by security experts as of today, the 1st of April 2020, which allows attackers to steal Windows credentials via UNC Links. In 2019, the security provider “Preempt” discovered a vulnerability in NTLM which allows remote execution of malicious code on any Windows machine to authenticate to any web server that supports Windows Integrated Authentication. Also in 2018, according to the Checkpoint research team, “NTLM hash leaks can also be achieved via PDF files with no user interaction or exploitation”. By using this feature, attackers can inject malicious content into the PDF, and if the PDF file is opened then the target automatically starts leaking data in the form of NTLM hashes.
To mitigate this issue, a GPO can be configured to prevent NTML credentials from automatically being sent to a remote server when clicking on a UNC link. Alternatively, you can restrict NTLM Authentication in your Domain.
What is Microsoft’s NTLM (NT LAN Manager)? This is an older and outdated security protocol that authenticates user credentials in a Windows domain. Microsoft has since replaced NTLM with Kerberos as the default authentication method for Active Directory, the company still supports the older protocol, while recommending that customers adopt Kerberos instead.
Note: In most organizations, NTLM is no longer being used as it is plagued by security holes.
– There are various patches being developed by Microsoft to prevent NTLM relay attacks but can be bypassed as well.
To prevent windows from automatically sending your credentials to a remote server (when accessing a share), here are the steps below if you must use NTLM. For all articles relating to GPO I have written, see the following link.
– Launch the Local Group Policy or Group Policy Management (Domain)
– Navigate to the Computer Configuration
– Windows Settings
– Security Settings
– Local Policies
– Security Options
– Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Double Click on the Policy
– Select “Deny all”
This means, this device cannot authenticate any identities to a remote server by using NTLM authentication. You can use the Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication policy setting to define a list of remote servers to which client devices are allowed to use NTLM authentication while denying others. This setting will also log an event on the device that is making the authentication request.
When these steps are done, update the group policy object for it to take effect immediately in order to avoid the default time of 90 minutes. See this link for more information, see the following article “all about GPO switches gpupdate and gpupdate-force“.
To prevent NTLM credentials from being sent to remote servers in your domain environment, use the same steps as discussed in the following link on Group Policy Management.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.