Microsoft takes measures against NTLM relay attacks

One attack vector for gaining access to the network is so-called NTLM relaying. Microsoft is now making this more difficult with new measures.

Criminals attack server, admin tries to pull the plug

(Image: created with AI in Bing Designer by heise online / dmk)


A frequently observed attack vector that criminals use to gain further access to networks is the redirection of Microsoft's NTLM network protocol, known as NTLM relaying. NTLM is used to transmit access data for authentication, which attackers can intercept and misuse. Microsoft now wants to make such attacks significantly more difficult by default.

As Microsoft writes in a blog post, the manufacturer is now relying on "Extended Protection for Authentication" (EPA for short) to better protect credentials. EPA has been enabled by default on Exchange servers since this February, after cybercriminals actively exploited the vulnerability CVE-2024-21410, rated critical with a CVSS score of 9.8, to escalate their privileges. Microsoft has also referred to the EPA protection as NTLM Credentials Relay Protection.

Windows Server 2025, which was released at the beginning of last month, has also received such protection, in particular for Active Directory Certificate Services (AD CS). LDAP channel binding is also enabled by default in Server 2025 for the same reason. Together, these enhancements should significantly reduce the risk of NTLM relay attacks by default for the three on-premises services Exchange, AD CS and LDAP.


NTLM relay attacks typically take place in two stages. First, attackers trick victims into authenticating to an arbitrary endpoint. They then forward that authentication to a vulnerable target. This relaying allows attackers to impersonate their victim and perform actions on their behalf, which gives them a foot in the door for further compromise of the network. Microsoft's approach is now to restrict logins to arbitrary endpoints: with EPA and channel binding, an authentication is tied to the server it was intended for and cannot simply be forwarded to another one. Both mechanisms therefore play an important role in the defense against NTLM relay attacks.

Looking to the future, Microsoft explains that NTLM is considered an outdated protocol and therefore recommends that users prepare for its deactivation in future Windows versions. More modern authentication protocols such as Kerberos are to be used instead. In the meantime, Microsoft is trying various strategies to at least harden NTLM.

Last week, a vulnerability in Windows from Windows 7 and Server 2008 R2 up to the current Windows 11 24H2 and Server 2022 became known, through which attackers can obtain NTLM credentials. The vulnerability was discovered by 0patch and reported in a blog post. It is sufficient to trick victims into displaying a malicious file in Windows Explorer, for example by opening a network share, a USB stick or the Downloads folder containing such a file that was automatically downloaded from the attackers' website. The fact that Windows Server 2025 is missing from the list of vulnerable systems seems to indicate that Microsoft's countermeasures are helping. Admins should therefore enable EPA wherever it is available.
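To see where a server stands on the two on-premises settings named above, the following audit script is an added example (it is not from the heise article or from Microsoft's blog post). It assumes it runs elevated on a domain controller for the LDAP checks, and on an AD CS server whose Web Enrollment pages live under the default IIS path "Default Web Site/CertSrv" for the EPA check; the registry value names are those from Microsoft's ADV190023 LDAP hardening guidance, and the IIS property is the standard windowsAuthentication/extendedProtection setting.

```powershell
# Added example: report whether LDAP channel binding / signing and AD CS Web
# Enrollment EPA are enforced on this server. Read-only; nothing is changed.

function Get-LdapHardeningState {
    # Assumption: NTDS parameters key on a domain controller (per ADV190023).
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $cb   = (Get-ItemProperty -Path $params -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
    $sign = (Get-ItemProperty -Path $params -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity

    # LdapEnforceChannelBinding: 0 = never, 1 = only when the client supports it, 2 = always.
    # A missing value means the OS default applies (off before Server 2025, on in Server 2025).
    [pscustomobject]@{
        Setting  = 'LDAP channel binding (LdapEnforceChannelBinding)'
        Value    = if ($null -eq $cb) { 'not set (OS default)' } else { $cb }
        Enforced = ($cb -eq 2)
    }
    # LDAPServerIntegrity: 1 = signing negotiated, 2 = signing required.
    [pscustomobject]@{
        Setting  = 'LDAP server signing (LDAPServerIntegrity)'
        Value    = if ($null -eq $sign) { 'not set (OS default)' } else { $sign }
        Enforced = ($sign -eq 2)
    }
}

function Get-AdcsWebEnrollmentEpaState {
    # Assumption: default AD CS Web Enrollment virtual directory under the Default Web Site.
    $site   = 'IIS:\Sites\Default Web Site\CertSrv'
    $filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    $tc = [string](Get-WebConfiguration -PSPath $site -Filter $filter).tokenChecking

    # tokenChecking: None = EPA off, Allow = opportunistic, Require = enforced (relay-resistant).
    [pscustomobject]@{
        Setting  = 'AD CS Web Enrollment EPA (tokenChecking)'
        Value    = $tc
        Enforced = ($tc -eq 'Require')
    }
}

$results = @(Get-LdapHardeningState)
Import-Module WebAdministration -ErrorAction SilentlyContinue
if (Test-Path 'IIS:\Sites\Default Web Site\CertSrv') {
    $results += Get-AdcsWebEnrollmentEpaState
}
$results | Format-Table -AutoSize
```

Rows with Enforced = False are the ones still open to relaying; Exchange has its own EPA rollout script and is deliberately not covered here.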

The outdated NTLM is a constant source of danger in all Windows networks. This will remain the case for years to come, and admins must take targeted preventive measures. This is because "Won't Fix" gaps such as PetitPotam or the aforementioned current NTLM credential disclosure flaw regularly cause uncertainty. We recently explained how admins can position themselves correctly in our heise security webinar "NTLM: Microsoft's original sin and how admins can deal with it sensibly", which our PRO members can still watch in the media library.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.