A lot of excellent research on NTLM relay attacks has been published recently. Windows domains still rely heavily on NTLM (the Net-NTLMv1/v2 challenge-response exchange) to authenticate users to other domain hosts that expose network services such as SMB, HTTP, LDAP, MSSQL and IMAP, to name a few.
By inserting themselves into the authentication exchange between client and server, either from a man-in-the-middle position or by coercing a user or service into authenticating to a rogue server, attackers can forward (relay) that authentication to a different service and impersonate the victim there. Depending on the target service this yields remote code execution, information disclosure and, frequently, privilege escalation. The relay works because the NTLM challenge-response proves knowledge of the user's password hash but is not, on its own, bound to the server or the session it was intended for; every mitigation below either adds that binding (signing, channel binding) or removes NTLM from the picture.
What to do
The only complete fix for NTLM relay is to disable NTLM authentication entirely and rely on Kerberos. Where that is not yet possible, the configuration changes below harden the individual protocols that accept NTLM authentication and make relaying to them much harder.
SMB signing should be required, not merely enabled, on all Windows hosts, servers and workstations alike. By default only domain controllers require it, which is why relaying to member servers and workstations is so effective.
- Start -> Run -> gpedit.msc (or edit a domain GPO in gpmc.msc so the setting reaches every host)
- Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options (the "Policies" node is only present when editing a domain GPO)
- Set "Microsoft network client: Digitally sign communications (always)" to Enabled
- Set "Microsoft network server: Digitally sign communications (always)" to Enabled
If signing is only enabled but not required (the "(if server agrees)" / "(if client agrees)" variants), an attacker in the path can still negotiate an unsigned session, and a relayed authentication then works as normal. The "(always)" settings above write the values below; check them directly on each host, and set them via the registry on hosts that do not receive the policy.
- Start -> Run -> regedit.exe
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters (server side) and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters (client side)
- Set "EnableSecuritySignature" (DWORD) to 1
- Set "RequireSecuritySignature" (DWORD) to 1
Please note that SMB signing adds per-packet CPU overhead and, depending on the workload, can reduce SMB throughput; measure on busy file servers before rolling it out everywhere.
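The following PowerShell, added here as an example and not taken from the original article, audits the two registry values above on the local host, sets them to "required", and cross-checks the result with the SmbShare cmdlets, which read the same settings. It assumes Windows 8 / Server 2012 or later (for Get-SmbServerConfiguration) and an elevated prompt; the function names are my own.

```powershell
# Added example: audit and enforce SMB signing on the local host (run elevated).
# The registry paths are the ones behind the "Digitally sign communications (always)" policies.
$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-SmbSigningState {
    # Report the effective values; a missing value reads as 0 (signing not required).
    foreach ($entry in @(@{ Role = 'Server'; Path = $serverKey },
                         @{ Role = 'Client'; Path = $clientKey })) {
        $p = Get-ItemProperty -Path $entry.Path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role             = $entry.Role
            EnableSignature  = [int]$p.EnableSecuritySignature
            RequireSignature = [int]$p.RequireSecuritySignature
            RelayResistant   = ([int]$p.RequireSecuritySignature -eq 1)
        }
    }
}

function Set-SmbSigningRequired {
    # Only RequireSecuritySignature = 1 blocks a downgrade to an unsigned session;
    # EnableSecuritySignature = 1 on its own merely offers signing to the peer.
    foreach ($path in $serverKey, $clientKey) {
        if (-not (Test-Path $path)) { New-Item -Path $path | Out-Null }
        Set-ItemProperty -Path $path -Name EnableSecuritySignature  -Type DWord -Value 1
        Set-ItemProperty -Path $path -Name RequireSecuritySignature -Type DWord -Value 1
    }
}

'Before:'; Get-SmbSigningState | Format-Table -AutoSize
Set-SmbSigningRequired
'After (registry):'; Get-SmbSigningState | Format-Table -AutoSize

# Cross-check with the SMB cmdlets, which expose the same two settings.
'After (SmbShare module):'
Get-SmbServerConfiguration | Select-Object EnableSecuritySignature, RequireSecuritySignature
Get-SmbClientConfiguration | Select-Object EnableSecuritySignature, RequireSecuritySignature

# The client side only takes effect after the workstation service restarts (or a reboot).
# Restart-Service LanmanWorkstation -Force   # drops mapped drives; uncomment deliberately
```

Run the audit part alone (Get-SmbSigningState) against a sample of hosts before enforcing, so that any third-party SMB clients that cannot sign are found in advance rather than by outage.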
Enable LDAP Signing on all Domain Controllers
Via Group Policy
- Edit the "Default Domain Controllers Policy" > "Computer Configuration" > "Policies" > "Windows Settings" > "Security Settings" > "Local Policies", and then select "Security Options".
- Right-click "Domain controller: LDAP server signing requirements", and then select Properties.
- In the "Domain controller: LDAP server signing requirements Properties" dialog box, enable "Define this policy setting", select "Require signing" in the list, and then select OK.
- In the "Confirm Setting Change" dialog box, select Yes.
Note that this only rejects unsigned binds on plain LDAP (389). A relayed authentication sent over LDAPS (636) is still accepted, because the TLS channel satisfies the "signing" requirement; closing that hole is what LDAP channel binding, below, is for.
LDAP Channel Binding
Ensure the security update is installed: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563
Then the following registry value should be set on all Domain Controllers:
- Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
- Setting: LdapEnforceChannelBinding (DWORD)
- Value: 2
0 disables the check entirely.
1 indicates enabled, when supported. Clients running a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information; clients the server believes are not updated are excused. This is an intermediate, compatibility-oriented option, but the server has to take the client's word for which case applies, and an attacker relaying an authentication controls what that request claims, so a relayed request can simply present itself as coming from an unsupported client and bypass the check. We therefore recommend the following value instead.
2 indicates enabled, always. Every client must supply channel binding information, and the server rejects authentication requests that do not carry a CBT matching the TLS channel it arrived on. A relayed authentication either has no CBT (the victim authenticated to SMB or HTTP, not to LDAPS) or carries one for the wrong channel, and is rejected either way.
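The following PowerShell, added here as an example and not part of the original article, audits and enforces both DC-side settings from this and the previous section: LDAPServerIntegrity (the value written by the "LDAP server signing requirements" policy, 2 = require signing) and LdapEnforceChannelBinding. It also raises the NTDS "LDAP Interface Events" diagnostic so that Directory Service event 2889 reports clients still binding unsigned, which is how you find what would break before you enforce. It assumes an elevated session on a DC that has the CVE-2017-8563 update; the function names are my own.

```powershell
# Added example: audit, pre-flight and enforce LDAP signing + channel binding on a DC.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# LDAPServerIntegrity: 1 = None, 2 = Require signing (same value the GPO sets).
# LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always.
$desired = [ordered]@{ LDAPServerIntegrity = 2; LdapEnforceChannelBinding = 2 }

function Get-LdapHardeningState {
    $p = Get-ItemProperty -Path $ntdsParams -ErrorAction SilentlyContinue
    foreach ($name in $desired.Keys) {
        $current = [int]$p.$name          # a missing value reads as 0
        [pscustomobject]@{
            Setting   = $name
            Current   = $current
            Desired   = $desired[$name]
            Compliant = ($current -eq $desired[$name])
        }
    }
}

function Enable-UnsignedBindLogging {
    # Level 2 makes the DC log event 2889 (Directory Service log) for every
    # unsigned simple/SASL bind, with the client IP and account. Review these
    # for a few days before enforcing; they are the clients that will break.
    Set-ItemProperty -Path $ntdsDiag -Name '16 LDAP Interface Events' -Type DWord -Value 2
}

function Get-UnsignedBindClients {
    # Summarise event 2889 by the text of each event (client address and identity).
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } -ErrorAction SilentlyContinue |
        Group-Object -Property Message |
        Select-Object Count, @{ n = 'Detail'; e = { $_.Name -replace '\s+', ' ' } } |
        Sort-Object Count -Descending
}

function Set-LdapHardening {
    foreach ($name in $desired.Keys) {
        Set-ItemProperty -Path $ntdsParams -Name $name -Type DWord -Value $desired[$name]
    }
}

'Current state:'; Get-LdapHardeningState | Format-Table -AutoSize
Enable-UnsignedBindLogging
'Clients observed binding unsigned so far:'; Get-UnsignedBindClients | Format-Table -AutoSize

# Once the 2889 list is clean (or every remaining client is accepted as breakage), enforce:
Set-LdapHardening
'After enforcing:'; Get-LdapHardeningState | Format-Table -AutoSize

# To do this on every DC from a management host (assumes the ActiveDirectory module):
# $dcs = (Get-ADDomainController -Filter *).HostName
# Invoke-Command -ComputerName $dcs -ScriptBlock ${function:Get-LdapHardeningState}
```

The audit function is the part worth scheduling: a single DC left at LdapEnforceChannelBinding = 0 or LDAPServerIntegrity = 1 is enough for a relay, since the attacker picks which DC to relay to.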
Ensure the security update for CVE-2019-1040 "Windows NTLM Tampering Vulnerability" is installed on all hosts. It fixes the "drop the MIC" technique, in which a relaying attacker strips the message integrity code from the NTLM exchange and then alters the negotiated flags, for example to remove the signing requirement that would otherwise stop the relay.
Ensure the security update for CVE-2020-1113 "Windows Task Scheduler Security Feature Bypass Vulnerability" is installed, to help prevent NTLM relay attacks that leverage RPC.