Things to be aware when fixing PetitPotam — NTLM relay attacks

Jeffery Tay
3 min read · Jul 30, 2021


Things to be aware of before you go off on a mission to disable NTLM!

A few days ago, a researcher released proof-of-concept source code on GitHub for NTLM relay attacks against Active Directory Certificate Services (AD CS) using MS-RPC (GitHub: https://github.com/topotam/PetitPotam).

Beyond the AD CS settings found in KB5005413, Microsoft mentioned two specific points:

  1. Disable NTLM Authentication on your Windows domain controller. This can be accomplished by following the documentation in Network security: Restrict NTLM: NTLM authentication in this domain.
  2. Disable NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic. To configure this GPO, open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and set Network security: Restrict NTLM: Incoming NTLM traffic to Deny All Accounts or Deny All domain accounts.

Breaking changes when disabling NTLM

  1. Remote monitoring via WMI calls that use NTLM authentication will no longer work. The screenshot below is from PRTG, which uses NTLM authentication for WMI (https://kb.paessler.com/en/topic/80532-wmi:-ntlm-still-necessary).

PRTG sensor fails

  2. Remote Desktop (RDP) will no longer work when connecting to IP addresses or non-FQDN hostnames. You will encounter the following error message: "An authentication error has occurred. The function requested is not supported… CredSSP encryption oracle remediation".

RDP fails when NTLM is disabled

    A possible workaround is to disable Network Level Authentication (NLA).

  3. Undoing the changes may require a reboot to take effect.

Reversing the changes

Critical group policies that need to be reversed:
  1. You can modify the GPOs back to their default values, or set them to Not Defined.
    Do note that setting them to "Not Defined" will require you to log in to each and every machine affected by this change (especially all the domain controllers) and manually reset the setting via gpedit.msc, or you can delete the associated registry keys.
    Quick tip: You can use the batch file found here to remove the crucial NTLM registry keys and update the group policy.
  2. In most cases, do plan to reboot your machine (and ensure it is fully patched!).
  3. Remote Desktop may still be broken while NLA is enabled.

    To resolve this:
    - connect to the FQDN of the machine, e.g. server.corp.contoso.com instead of the IP address
    - log in using the email (UPN) format instead of domain\username, e.g. jeffery@corp.contoso.com instead of corp\jeffery
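As an added example (not the author's batch file), the PowerShell script below reports the current state of the three Restrict NTLM policies on the local machine, together with the NLA setting that governs the RDP breakage above, and with the -Revert switch deletes the policy values (the equivalent of "Not Defined") and refreshes Group Policy. The registry locations are the ones these GPO settings write to as I understand them from Microsoft's documentation; confirm them against your own policy export, and run the revert only after the GPO itself has been set back to Not Defined, otherwise the next refresh re-applies it.

```powershell
# Added example: audit (and optionally revert) Restrict NTLM settings on this host.
# Registry paths/values assumed from Microsoft documentation; verify before relying on them.
[CmdletBinding()]
param(
    [switch]$Revert   # remove the values instead of only reporting them
)

$msv1  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$netlg = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$rdp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Policy name -> registry location and meaning of the numeric value.
$settings = @(
    @{ Name='Restrict NTLM: Incoming NTLM traffic'; Path=$msv1; Value='RestrictReceivingNTLMTraffic'
       Map=@{0='Allow all'; 1='Deny all domain accounts'; 2='Deny all accounts'} },
    @{ Name='Restrict NTLM: Outgoing NTLM traffic to remote servers'; Path=$msv1; Value='RestrictSendingNTLMTraffic'
       Map=@{0='Allow all'; 1='Audit all'; 2='Deny all'} },
    @{ Name='Restrict NTLM: NTLM authentication in this domain'; Path=$netlg; Value='RestrictNTLMInDomain'
       Map=@{0='Disable'; 1='Deny for domain accounts to domain servers'; 3='Deny for domain accounts'; 5='Deny for domain servers'; 7='Deny all'} }
)

foreach ($s in $settings) {
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Value -ErrorAction SilentlyContinue).($s.Value)
    if ($null -eq $current) {
        Write-Host ("{0}: Not Defined" -f $s.Name)
        continue
    }
    $meaning = if ($s.Map.ContainsKey([int]$current)) { $s.Map[[int]$current] } else { 'unknown' }
    Write-Host ("{0}: {1} ({2})" -f $s.Name, $current, $meaning)
    if ($Revert) {
        # Deleting the value is the same as "Not Defined"; the built-in default then applies.
        Remove-ItemProperty -Path $s.Path -Name $s.Value
        Write-Host ("  removed {0}\{1}" -f $s.Path, $s.Value)
    }
}

# NLA state matters for the RDP failure described above (UserAuthentication 1 = NLA required).
$nla = (Get-ItemProperty -Path $rdp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
Write-Host ("RDP Network Level Authentication required: {0}" -f ($nla -eq 1))

if ($Revert) {
    gpupdate /force | Out-Null
    Write-Host 'Group Policy refreshed; a reboot may still be required for the change to take effect.'
}
```

Run it as an administrator on each affected machine (domain controllers first); without -Revert it only reads values, so it is safe to use as a pre-change inventory.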
How to RDP without disabling NTLM


Written by Jeffery Tay

Education is in my blood; partnership and coaching are my passion. The essential is invisible to the eyes.