credential-stealing NTLM relay attacks against Windows domain controllers

vallee2018 331 Reputation points
2021-07-28T13:24:28.607+00:00

Hello,

I read the article https://www.techrepublic.com/article/microsoft-warns-of-credential-stealing-ntlm-relay-attacks-against-windows-domain-controllers/?ftag=TREee10240&bhid=28346840912463073390773750156554&mid=13452373&cid=2165475782 regarding the warning and the recommendation to set the NTLM setting to Deny all. Unfortunately, as soon as I did this, users cannot access the Outlook client on their PCs. Outlook webmail is working at this time.

As recommended I set the Network Security: Restrict NTLM: Audit NTLM authentication in this domain policy setting, and then review the Operational log to understand what authentication attempts are made to the member servers.

I also set the Network security: Restrict NTLM: Add server exceptions in this domain policy and added the domain controller and exchange server.

However, even after I undid the setting and changed it back to the original of Not defined in the Group Policy setting, staff cannot log into the Outlook client. I see Event 4004 in the Applications and Services Log\Microsoft\Windows\NTLM event log, but if I simply undid the change wouldn't it revert back to the previous working condition?

How do I correct this?

I need help.

Thanks,
Roger


Accepted answer
  1. vallee2018 331 Reputation points
    2021-07-30T13:09:23.373+00:00

    Hi Daisy,

    Thank you. Unfortunately, I am confused by your reply below.

    You said: “Meanwhile, the gpo setting is "Network security: Restrict NTLM: NTLM authentication in this domain" instead of "Restrict NTLM Audit NTLM authentication in this domain policy setting" you mentioned.

    So you should change "Restrict NTLM Audit NTLM authentication in this domain policy setting" to "Disabled" first. This is to revoke this setting and cannot be set to any other value.”

    Why would I disable the audit setting? Isn’t the whole point of this setting to understand and see the traffic that may be affected by disabling the NTLM settings? This should be informative only and not have an impact on the disable setting options. Wouldn’t you want to see what might be impacted before making any of the “Deny” setting change? Unless I am mistaken, this, as an audit setting, should not have any impact on any of the “Deny” settings.

    You then said: “After that, you should evaluate whether you can disable NTLM authentication in your environment.” This is what I am trying to do but it is not clear on how best to do this.

    You included a screen shot of the Additional mitigation section from https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429.

    However, my understanding is that this is meant to be done in addition to selecting one of the Deny options from the Network security: Restrict NTLM: NTLM authentication in this domain document referenced at https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain

    This brings me back to square one.

    Each of the Deny options states: “The NTLM authentication attempts will be blocked and will return an NTLM blocked error unless the server name is on the exception list in the Network security: Restrict NTLM: Add server exceptions in this domain policy setting.”

    When I check the Applications and Services Log\Microsoft\Windows\NTLM log on the domain controller, I see the domain controller next to the “Computer” label in the log. The exchange server appears next to the “Secure Channel name” label. What is this saying? Is this stating I need to add the domain controller and\or the exchange server FQDN to the server list in the Network security: Restrict NTLM: Add server exceptions in this domain security policy setting?

    The problem, it seems, is that the document https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain states:

    “If you define an exception list of servers in this domain to which client computers are allowed to use NTLM pass-through authentication, then NTLM authentication traffic will continue to flow between those servers, which make them vulnerable to any malicious attack that takes advantage of security weaknesses in NTLM.” This would defeat the whole purpose of the Deny settings.

    I guess, the main question is how do I determine if NTLM is truly a concern for our environment and if so, what Deny Option setting do I use to block this but not cause a problem with staff not being able to log into the desktop Outlook client resulting in their credentials being rejected\ignored?

    Thank you,
    Roger
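As an added example (not part of the thread or of any Microsoft documentation), the PowerShell below, run elevated on the domain controller, does the two checks this exchange keeps circling back to: it summarises which servers are still passing NTLM through the DC according to the Microsoft-Windows-NTLM/Operational log that the audit policy writes to, so the exception list can be built from evidence rather than guesswork, and it reads the registry values that the three Restrict NTLM policies set, so a value left behind after the GPO went back to "Not Defined" can be seen directly. The MSV1_0 value names and the parsing of the "Secure Channel name:" label out of the event message text are assumptions about the standard layout.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the DC.
# Assumptions: log name and MSV1_0 value names are the standard ones; the
# "Secure Channel name:" label is parsed from the event message text.
$LogName = 'Microsoft-Windows-NTLM/Operational'
$Since   = (Get-Date).AddDays(-7)

# 1. Which servers still send NTLM pass-through authentication to this DC?
#    One row per (event ID, server), most frequent first. Review this list
#    before choosing a Deny option; anything on it will break when denied
#    unless it is on the exception list or moved off NTLM.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $Since } `
                       -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    $server = if ($e.Message -match 'Secure Channel name:\s*(\S+)') { $Matches[1] } else { '<none>' }
    [pscustomobject]@{ Id = $e.Id; Server = $server }
}
$rows | Group-Object Id, Server | Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'EventId'; e = { $_.Values[0] } },
                  @{ n = 'Server';  e = { $_.Values[1] } } |
    Format-Table -AutoSize

# 2. What is actually in effect on this machine? Security settings persist:
#    setting the GPO back to "Not Defined" leaves the last applied value in
#    the registry, whereas "Disabled" writes 0 (audit) / clears it.
#    An absent value means the policy was never applied here.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$p   = Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue
[pscustomobject]@{
    # "Network security: Restrict NTLM: NTLM authentication in this domain"
    RestrictNTLMInDomain = $p.RestrictNTLMInDomain
    # "Network security: Restrict NTLM: Audit NTLM authentication in this domain"
    AuditNTLMInDomain    = $p.AuditNTLMInDomain
    # "Network security: Restrict NTLM: Add server exceptions in this domain"
    DCAllowedNTLMServers = ($p.DCAllowedNTLMServers -join ', ')
} | Format-List
```

If the first table is empty after a week of the audit policy being applied, confirm AuditNTLMInDomain is non-zero before concluding that nothing in the domain depends on NTLM pass-through.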


3 additional answers

Sort by: Most helpful
  1. Daisy Zhou 25,061 Reputation points Microsoft Vendor
    2021-07-29T02:56:52.313+00:00

    Hello @vallee2018 ,

    Thank you for posting here.

    Because you configured a Security Policy setting, and security settings policies persist, as described in the second link below.

    [screenshot: 118836-de2.png]

    Because the default policy setting is "Not Defined", there is no default "value" in the local database on any of your computers if nobody sets this policy setting.

    [screenshot: 118808-de1.png]

    Based on this, when it is configured to a value via Group Policy Management on the DC, the member servers or domain clients will take that setting, and even if it is then configured as "Not Defined" again, the member servers or domain clients will keep the previous value of this policy setting.

    So you need to configure it as "Disabled".

    For more information, please refer to links below.

    Network security: Restrict NTLM: Audit NTLM authentication in this domain
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain

    Security policy settings
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/security-policy-settings#persistence-of-security-settings-policy

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  2. vallee2018 331 Reputation points
    2021-07-29T15:18:32.72+00:00

    Hello Daisy,

    Thank you for the reply. Unfortunately, this doesn't help to address the main concern when following the recommendations in https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain. Selecting any of the deny options results in staff not being able to log into their desktop Outlook Client.

    The document states if choosing the Deny all setting:

    "The domain controller will deny all NTLM pass-through authentication requests from its servers and for its accounts and return an NTLM blocked error unless the server name is on the exception list in the Network security: Restrict NTLM: Add server exceptions in this domain policy setting." Is this saying I need to add the FQDN of the Exchange server or the domain controller to the exception list?

    If so, I had added both servers to the exception list. Unfortunately, soon after selecting the Deny all setting, staff could no longer access the desktop Outlook client. What do I need to do to set the setting to Deny and enable normal access of the desktop Outlook client?

    Thanks


  3. Daisy Zhou 25,061 Reputation points Microsoft Vendor
    2021-07-30T03:36:37.227+00:00

    Hello @vallee2018 ,

    Thank you for your update.

    I reviewed the link you provided again; it recommends that you disable NTLM authentication where possible.

    Meanwhile, the gpo setting is "Network security: Restrict NTLM: NTLM authentication in this domain" instead of "Restrict NTLM Audit NTLM authentication in this domain policy setting" you mentioned.

    So you should change "Restrict NTLM Audit NTLM authentication in this domain policy setting" to "Disabled" first. This is to revoke this setting and cannot be set to any other value.

    After that, you should evaluate whether you can disable NTLM authentication in your environment.

    If you can disable NTLM authentication in your environment, you can disable it as below.

    [screenshot: 119169-ntlm.png]

    If you cannot disable NTLM authentication in your environment, you can also select other options.

    For more information, please refer to the link below.

    KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
    https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou
