question

0 Votes
HeathDurrett asked Crypt32 answered

Must PetitPotam NTLM relay mitigation include changing your CA server's CDP & AIA extensions?

We are looking to mitigate the PetitPotam vulnerability on our internal 2-tier Active Directory CA hierarchy. There is a very clear MS document here...

https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429

The very first instruction says "We recommend enabling EPA and disabling HTTP on AD CS servers."

However...there are no additional instructions on editing the CDP / AIA extensions in the subordinate CA server config.

My question is: what happens to already issued certificates without HTTPS in their certificate configuration, and surely we need to add HTTPS extensions to the Subordinate CA configuration?

I'm worried that simply following this document will have a detrimental effect on my PKI infrastructure.
Any advice, explanations would be most gratefully welcomed!

Regards,
durrie

Tags: windows-server-iis, windows-server-security

0 Votes
Crypt32 answered

The answer is simply no, since CDP/AIA use unauthenticated access. There is no NTLM when you download CDP/AIA items from IIS, so they are not subject to this vulnerability and no changes are required in these extensions.

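To make the distinction in the answer above concrete (EPA and "require SSL" apply to the NTLM-authenticated web enrollment endpoint, while CDP and AIA URLs are anonymous downloads that KB5005413 does not ask you to change), here is an added, read-only PowerShell audit script. It is not part of this thread and not Microsoft's code. It assumes it is run elevated on the issuing CA, that the WebAdministration and ADCSAdministration modules are present, and that Web Enrollment lives at the default `Default Web Site/CertSrv` path; the `Get-AttrValue` helper is defined in the block itself. It only reads configuration and prints a report, so it is safe to run before and after applying the KB.

```powershell
# Added audit script (not from the Q&A thread or from KB5005413). Read-only.
# Compares the KB5005413 settings on the AD CS Web Enrollment virtual directory
# with the CA's CDP/AIA extension URLs, so both can be reviewed side by side.
# Assumptions: elevated session on the CA; WebAdministration + ADCSAdministration
# modules available; Web Enrollment at 'Default Web Site/CertSrv' (the default).
Import-Module WebAdministration -ErrorAction Stop
Import-Module ADCSAdministration -ErrorAction Stop

$site = 'Default Web Site'
$vdir = 'CertSrv'
$appHost = 'MACHINE/WEBROOT/APPHOST'

# Helper (defined here, hypothetical name): Get-WebConfigurationProperty returns
# either a bare string or a ConfigurationAttribute with a .Value, depending on the
# attribute type; normalise both to a plain value.
function Get-AttrValue($attr) {
    if ($null -eq $attr) { return $null }
    if ($attr.PSObject.Properties['Value']) { return $attr.Value }
    return $attr
}

# --- Part 1: the settings KB5005413 actually asks for -------------------------
# EPA (Extended Protection for Authentication) on Windows Authentication.
$epa = Get-AttrValue (Get-WebConfigurationProperty -PSPath $appHost -Location "$site/$vdir" `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
    -Name 'tokenChecking')

# "Disable HTTP" = require SSL on the same virtual directory.
$sslFlags = [string](Get-AttrValue (Get-WebConfigurationProperty -PSPath $appHost `
    -Location "$site/$vdir" -Filter 'system.webServer/security/access' -Name 'sslFlags'))

$epaOk = ($epa -eq 'Require')
$sslOk = ($sslFlags -match 'Ssl')

Write-Host "== Web Enrollment ($site/$vdir): NTLM-authenticated, in scope for KB5005413 =="
Write-Host ("  EPA tokenChecking : {0}  (expected 'Require')  -> {1}" -f $epa, $(if ($epaOk) {'OK'} else {'FIX'}))
Write-Host ("  sslFlags          : {0}  (expected to contain 'Ssl') -> {1}" -f $sslFlags, $(if ($sslOk) {'OK'} else {'FIX'}))

# --- Part 2: CDP / AIA URLs, which are anonymous GETs and need no change -------
# Only the URLs that are actually written into issued certificates matter here.
$cdp = Get-CACrlDistributionPoint | Where-Object { $_.AddToCertificateCdp }
$aia = Get-CAAuthorityInformationAccess | Where-Object { $_.AddToCertificateAia -or $_.AddToCertificateOcsp }

Write-Host "`n== CDP / AIA URLs embedded in issued certificates: unauthenticated, out of scope =="
foreach ($entry in $cdp) {
    Write-Host ("  CDP  {0}" -f $entry.Uri)
}
foreach ($entry in $aia) {
    $kind = if ($entry.AddToCertificateOcsp) { 'OCSP' } else { 'AIA ' }
    Write-Host ("  {0} {1}" -f $kind, $entry.Uri)
}

# Summary: plain http:// here is expected and harmless for the NTLM relay issue;
# clients fetch CRLs and CA certs anonymously, so no NTLM challenge is ever issued.
$httpCount = @($cdp + $aia | Where-Object { $_.Uri -like 'http://*' }).Count
Write-Host ("`n{0} CDP/AIA URL(s) use plain http://; per KB5005413 this does not need to change." -f $httpCount)
if (-not ($epaOk -and $sslOk)) {
    Write-Host 'Web Enrollment still needs EPA = Require and SSL required on the CertSrv directory.'
}
```

The split in the report mirrors the answer: the only NTLM exchange is on the authenticated enrollment pages, so that is where EPA and SSL are enforced, and an `http://` CDP or AIA URL in an already issued certificate keeps working because revocation and chain-building downloads never authenticate. If Certificate Enrollment Web Services (CES/CEP) are also installed, they have their own `web.config` and are not covered by this check.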

1 Vote
LimitlessTechnology-2700 answered

Hello @HeathDurrett

Basically all your HTTP certificates would stop working as you enable EPA, require SSL and disable HTTP over ADCS. This is the "modern" safety rule for your environment, not only for PetitPotam, but for many other attacks. It's been many years since most issuing instances moved to the SSL protocol and HTTPS; however, it is true that some signing is still done over HTTP, mostly for backwards compatibility and historical purposes.

Hope this helps with your query,


--If the reply is helpful, please Upvote and Accept as answer--
