PetitPotam attack on Active Directory Certificate Services: How to mitigate NTLM Relay PetitPotam attack on AD CS

Posted on 28/07/2021 (updated 04/01/2024) by Christian
Active Directory

In this guide, we will discuss the PetitPotam attack on AD Certificate Services and how to mitigate the NTLM relay it depends on. Recently, Lionel Gilles, an offensive security researcher based in Paris, France, published a PoC tool for NTLM relay attacks known as PetitPotam, which abuses MS-EFSRPC (the Encrypting File System Remote Protocol). For background on the underlying problem, see NT LAN Manager: How to prevent NTLM credentials from being sent to remote servers.

PetitPotam is a classic NTLM Relay Attack. Such attacks have been previously documented by Microsoft along with numerous mitigation options to protect users.

Below are some related guides: Active Directory Authentication methods: How do Kerberos and NTLM work?, How does cached domain logon work?, and What is Pass the Hash Attack and how to mitigate the attack.

PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections against NTLM relay attacks.

The mitigations below describe how to protect your AD CS servers from such attacks and thereby help prevent the compromise of the Windows domain controllers (and with them the whole environment).

Here are some guides on how to install and configure Active Directory Certificate Services. Also, see how to create a certificate template for BitLocker Network Unlock.

Active Directory CS NTLM Vulnerability Check

Devices running Active Directory Certificate Services (AD CS) with either of the following roles (services) enabled are susceptible to this attack when NTLM is used: “Certificate Authority Web Enrollment” and “Certificate Enrollment Web Service”.

Run the following PowerShell command in the console to check whether your hosts have the feature installed. In the image below, note that this particular server does not have the role installed.

Get-WindowsFeature adcs-web-enrollment

But if you have the role installed, it will look like this in the image below.

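The feature check above only tells you whether the roles are present. What actually decides exposure is the authentication configuration of the IIS applications behind those roles. The following script is an added example, not part of the original post: it inventories both AD CS web roles and then reports, per application, which Windows authentication providers are enabled and whether Extended Protection is required. It assumes it is run elevated on the AD CS server, that the WebAdministration module that ships with IIS is available, and that the applications use their default names (CertSrv for Web Enrollment, <CA Name>_CES_Kerberos for CES).

```powershell
# Added example (not from the original post): inventory the AD CS web roles and the
# IIS authentication settings that an NTLM relay against them depends on.
# Assumptions: run elevated on the AD CS server; WebAdministration module present;
# default application names ("CertSrv", "<CA Name>_CES_Kerberos").
Import-Module ServerManager -ErrorAction SilentlyContinue
Import-Module WebAdministration -ErrorAction Stop

# Windows feature names for CA Web Enrollment and Certificate Enrollment Web Service
$webRoles  = 'ADCS-Web-Enrollment', 'ADCS-Enroll-Web-Svc'
$installed = Get-WindowsFeature -Name $webRoles | Where-Object Installed
if (-not $installed) {
    Write-Host 'Neither CA Web Enrollment nor Certificate Enrollment Web Service is installed.'
    return
}
$installed | ForEach-Object { Write-Host "Installed: $($_.DisplayName)" }

# Applications to inspect: CAWE lives under /CertSrv, CES under /<CA Name>_CES_Kerberos
$locations  = @('Default Web Site/CertSrv')
$locations += Get-WebApplication -Site 'Default Web Site' |
    Where-Object { $_.path -like '*_CES_Kerberos' } |
    ForEach-Object { 'Default Web Site' + $_.path }

$apphost    = 'MACHINE/WEBROOT/APPHOST'
$authFilter = 'system.webServer/security/authentication/windowsAuthentication'

# Get-WebConfigurationProperty returns an attribute object for some properties and a
# bare value for others; normalise to the value
function Get-AttrValue($obj) {
    if ($obj -and $obj.PSObject.Properties['Value']) { $obj.Value } else { $obj }
}

foreach ($loc in $locations) {
    $enabled = Get-AttrValue (Get-WebConfigurationProperty -PSPath $apphost -Location $loc `
        -Filter $authFilter -Name enabled -ErrorAction SilentlyContinue)
    if (-not $enabled) {
        Write-Host "$loc : Windows authentication not enabled (or application not present)"
        continue
    }
    $providers = Get-WebConfiguration -PSPath $apphost -Location $loc -Filter "$authFilter/providers/add" |
        ForEach-Object { $_.value }
    $epa = Get-AttrValue (Get-WebConfigurationProperty -PSPath $apphost -Location $loc `
        -Filter "$authFilter/extendedProtection" -Name tokenChecking)

    # Plain "Negotiate" can still fall back to NTLM; only "Negotiate:Kerberos" cannot
    $ntlmPossible = ($providers -contains 'NTLM') -or ($providers -contains 'Negotiate')
    $status = if ($ntlmPossible -and $epa -ne 'Require') { 'EXPOSED: NTLM accepted without required EPA' }
              elseif ($ntlmPossible)                      { 'NTLM accepted, but EPA is required' }
              else                                        { 'Kerberos only' }

    [pscustomobject]@{
        Application        = $loc
        Providers          = ($providers -join ', ')
        ExtendedProtection = $epa
        Status             = $status
    }
}
```

A result of NTLM or Negotiate in the provider list together with tokenChecking other than Require is the configuration the rest of this post sets out to change.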

How does this work?

Threat actors can coerce a DC into sending its credentials over the MS-EFSRPC protocol and then relay those NTLM credentials to the Active Directory Certificate Services (AD CS) Web Enrollment pages to enrol a certificate for the DC.

This effectively grants the attacker an authentication certificate that they can use to access domain services and compromise the entire domain.

NTLM Authentication in AD CS Vulnerability

If NTLM authentication is enabled in your domain and you are using Active Directory Certificate Services (AD CS) with any of the following services, you are potentially vulnerable to this attack:

  • Certificate Authority Web Enrollment,
  • Certificate Enrollment Web Service

To prevent NTLM relay attacks on networks where NTLM is enabled, domain administrators must ensure that services which permit NTLM authentication use protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing.

PetitPotam specifically takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with these protections against NTLM relay attacks.

Microsoft has released ADV210003 and KB5005413 in response to the published PoC. They recommend disabling NTLM authentication on your Windows domain controllers as the simplest mitigation.

The policy “Network Security: Restrict NTLM: NTLM authentication in this domain” is Microsoft’s preferred mitigation. Launch Gpedit.msc as shown below.


This will open the Group Policy console. Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and select the Network Security: Restrict NTLM: NTLM authentication in this domain and ensure it is disabled.


As you can see below, NTLM authentication in this domain is being disabled.


The potential impact of PetitPotam attack on AD

If you configure this policy setting, numerous NTLM authentication requests could fail within the domain, which could degrade productivity.

Before implementing this change through this policy setting, set Network security: Restrict NTLM: Audit NTLM authentication in this domain to the same option so that you can review the log for the potential impact.

Perform an analysis of servers, and create an exception list of servers to exclude from this policy setting by using Network security: Restrict NTLM: Add server exceptions in this domain.
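The audit step above produces events in the Microsoft-Windows-NTLM/Operational log, and the exception list is best built from those events rather than from guesswork. The script below is an added example, not part of the original post: it collects the NTLM audit events from the last few days and summarises which servers still receive NTLM authentication and which accounts still use it. It assumes the audit policies described above are already in place and that it runs on a domain controller (where the domain-level 8003/8004 events are written) or on a member server (8001/8002). The “Name: value” field names it extracts are taken from the rendered event text and are treated as an assumption; unparsed messages are reported rather than dropped.

```powershell
# Added example (not from the original post): summarise NTLM audit events so the
# "Restrict NTLM" exception list can be built from evidence before enforcement.
# Assumptions: audit policy already enabled; run on a DC or member server; the
# field names in $pattern match the rendered event text (fallback to raw message).
param([int]$Days = 7)

# Event IDs written to Microsoft-Windows-NTLM/Operational when NTLM auditing is on
$eventNames = @{
    8001 = 'Outgoing NTLM (this host as client)'
    8002 = 'Incoming NTLM (this host as server)'
    8003 = 'NTLM authentication in the domain (DC audit)'
    8004 = 'NTLM blocked by policy'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = @($eventNames.Keys)
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

if (-not $events) { Write-Host "No NTLM audit events in the last $Days days."; return }

# Extract "Name: value" lines from each message (assumed field names)
$pattern = '(?m)^\s*(Secure Channel name|Server name|User name|Domain name|Workstation name|Process name):\s*(.+?)\s*$'
$rows = foreach ($e in $events) {
    $fields = @{}
    foreach ($m in [regex]::Matches($e.Message, $pattern)) {
        $fields[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Kind   = $eventNames[$e.Id]
        Server = if ($fields['Secure Channel name']) { $fields['Secure Channel name'] } else { $fields['Server name'] }
        User   = $fields['User name']
        Domain = $fields['Domain name']
        Raw    = if ($fields.Count -eq 0) { $e.Message } else { $null }
    }
}

"`n== Events per type =="
$rows | Group-Object Kind | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

"`n== Servers still receiving NTLM (fix them, or add them to the exception list) =="
$rows | Where-Object Server | Group-Object Server | Sort-Object Count -Descending |
    Select-Object @{ n = 'Server'; e = { $_.Name } }, Count | Format-Table -AutoSize

"`n== Accounts still using NTLM =="
$rows | Where-Object User | Group-Object { "$($_.Domain)\$($_.User)" } | Sort-Object Count -Descending |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Surface a few messages whose layout did not match the assumed field names
$rows | Where-Object Raw | Select-Object -First 3 |
    ForEach-Object { Write-Warning "Unparsed message: $($_.Raw)" }
```

Run it for a full business cycle (including month-end jobs) before switching the policy from audit to deny; every server that appears in the second table either needs Kerberos fixed (usually a missing SPN or clients connecting by IP address) or an entry in “Add server exceptions in this domain”.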

Other Mitigations against PetitPotam’s attack on AD Certificate Services

If you are unable to disable NTLM on your domain for compatibility reasons, you can do one of the following.

They are listed from most secure to least secure.

Method 1

Disable NTLM on any AD CS servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic. To configure this GPO, open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and set “Network security: Restrict NTLM: Incoming NTLM traffic” to “Deny All Accounts” or “Deny All domain accounts”.

If needed, you can add exceptions using the setting “Restrict NTLM: Add server exceptions in this domain”.


You will be required to confirm the setting change by clicking Yes, as shown below.

As you can see, incoming NTLM traffic has been disabled for all domain accounts.

Note: The domain controller will deny all NTLM authentication logon attempts using accounts from this domain to all servers in the domain.

NTLM authentication attempts will be blocked and will return an NTLM blocked error unless the server name is on the exception list.


Method 2

Disable NTLM for Internet Information Services (IIS) on the AD CS servers in your domain that run the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.

To do so open Server Manager, click on Tools and launch the Internet Information Services (IIS) Manager as shown below.


This will open the IIS Manager UI (snap-in). To disable or remove the NTLM provider, open the Windows Authentication providers, set the provider to “Negotiate:Kerberos” and click Add, as shown below.


Remove the other available providers as shown below and click OK.


However, if you cannot disable NTLM outright, we recommend enabling Extended Protection for Authentication (EPA) on the AD CS services (Certificate Authority Web Enrollment).


After enabling EPA in the UI, the web.config file created by the CES role at %windir%\systemdata\CES\<CA Name>_CES_Kerberos\web.config must also be updated.


Add an <extendedProtectionPolicy> element to the web.config with policyEnforcement set to either “WhenSupported” or “Always”, matching the Extended Protection option selected in the IIS UI above.

The settings most likely to be used are as follows:

<binding name="TransportWithHeaderClientAuth">
  <security mode="Transport">
    <transport clientCredentialType="Windows">
      <extendedProtectionPolicy policyEnforcement="Always" />
    </transport>
    <message clientCredentialType="None" establishSecurityContext="false" negotiateServiceCredential="false" />
  </security>
  <readerQuotas maxStringContentLength="131072" />
</binding>
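Method 2 above is performed in the IIS Manager UI and a text editor; on a CA that hosts several enrollment applications it is easier to apply and to re-check from PowerShell. The script below is an added example and not part of the original post or of Microsoft’s KB: for each listed IIS application it removes every Windows authentication provider other than Negotiate:Kerberos, sets Extended Protection to match the chosen policy, and then inserts the <extendedProtectionPolicy> element shown above into each CES web.config it finds. It assumes it runs elevated on the AD CS server with the WebAdministration module available, that the applications use the default names, and that clients reach the CA over HTTPS using a name that matches its SPN (otherwise “Always”/“Require” will break enrollment; use -WhatIf first).

```powershell
# Added example (not from the original post): apply Method 2 (Kerberos-only provider,
# EPA in IIS, extendedProtectionPolicy in the CES web.config) from PowerShell.
# Assumptions: run elevated on the AD CS server; WebAdministration module present;
# default application names; HTTPS with a matching SPN in use.
param(
    # Add 'Default Web Site/<CA Name>_CES_Kerberos' for each CES instance
    [string[]]$Locations = @('Default Web Site/CertSrv'),
    [ValidateSet('WhenSupported', 'Always')][string]$PolicyEnforcement = 'Always',
    [switch]$WhatIf
)
Import-Module WebAdministration -ErrorAction Stop

$apphost    = 'MACHINE/WEBROOT/APPHOST'
$authFilter = 'system.webServer/security/authentication/windowsAuthentication'
# IIS UI "Required" = tokenChecking Require, "Accept" = Allow
$tokenChecking = if ($PolicyEnforcement -eq 'Always') { 'Require' } else { 'Allow' }

foreach ($loc in $Locations) {
    $existing = Get-WebConfiguration -PSPath $apphost -Location $loc -Filter "$authFilter/providers/add" |
        ForEach-Object { $_.value }
    Write-Host "$loc : providers [$($existing -join ', ')] -> [Negotiate:Kerberos], EPA $tokenChecking"
    if ($WhatIf) { continue }

    # Remove NTLM and plain Negotiate (which can fall back to NTLM); keep only Negotiate:Kerberos
    foreach ($p in $existing | Where-Object { $_ -ne 'Negotiate:Kerberos' }) {
        Remove-WebConfigurationProperty -PSPath $apphost -Location $loc `
            -Filter "$authFilter/providers" -Name '.' -AtElement @{ value = $p }
    }
    if ($existing -notcontains 'Negotiate:Kerberos') {
        Add-WebConfigurationProperty -PSPath $apphost -Location $loc `
            -Filter "$authFilter/providers" -Name '.' -Value @{ value = 'Negotiate:Kerberos' }
    }
    # Extended Protection for Authentication (channel binding token check)
    Set-WebConfigurationProperty -PSPath $apphost -Location $loc `
        -Filter "$authFilter/extendedProtection" -Name tokenChecking -Value $tokenChecking
}

# CES is a WCF service: the binding in its web.config needs the policy as well
$configs = Get-ChildItem -Path (Join-Path $env:windir 'systemdata\CES\*_CES_Kerberos\web.config') -ErrorAction SilentlyContinue
foreach ($cfg in $configs) {
    [xml]$xml = Get-Content -Path $cfg.FullName -Raw
    $transport = $xml.SelectSingleNode("//binding[@name='TransportWithHeaderClientAuth']/security/transport")
    if (-not $transport) {
        Write-Warning "$($cfg.FullName): TransportWithHeaderClientAuth binding not found, skipping"
        continue
    }
    $policy = $transport.SelectSingleNode('extendedProtectionPolicy')
    if (-not $policy) {
        $policy = $xml.CreateElement('extendedProtectionPolicy')
        [void]$transport.AppendChild($policy)
    }
    $policy.SetAttribute('policyEnforcement', $PolicyEnforcement)
    Write-Host "$($cfg.FullName): extendedProtectionPolicy policyEnforcement=`"$PolicyEnforcement`""
    if ($WhatIf) { continue }
    Copy-Item -Path $cfg.FullName -Destination "$($cfg.FullName).bak" -Force   # rollback copy
    $xml.Save($cfg.FullName)
}

# Restart IIS so the authentication changes take effect
if (-not $WhatIf) { iisreset /noforce | Out-Null }
```

After the restart, re-run the inventory check from the vulnerability section: each application should report Negotiate:Kerberos as its only provider and tokenChecking Require (or Allow if you chose WhenSupported), and a certificate request from a domain-joined client should still succeed, which confirms the SPN and HTTPS binding are correct.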

I hope you found this blog post on “PetitPotam attack on AD Certificate Services: mitigate NTLM” helpful. Please let me know in the comment section if you have any questions.
