Things to be aware of when fixing PetitPotam — NTLM relay attacks

  1. Disable NTLM Authentication on your Windows domain controller. This can be accomplished by following the documentation in Network security: Restrict NTLM: NTLM authentication in this domain.
  2. Disable NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic. To configure this GPO, open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and set Network security: Restrict NTLM: Incoming NTLM traffic to Deny All Accounts or Deny All domain accounts.

Breaking changes when disabling NTLM

  1. Remote monitoring that issues WMI calls over NTLM authentication will no longer work. The screenshot below is from PRTG, which uses NTLM authentication for WMI (https://kb.paessler.com/en/topic/80532-wmi:-ntlm-still-necessary).
     [Screenshot: PRTG sensor fails]
  2. RDP fails when NTLM is disabled.

Reversing the changes

Critical group policies that need to be reversed
  1. You can modify the GPOs back to their default values, or set them to Not Defined.
    Do note that setting them to “Not Defined” will require you to log in to each and every machine affected by this change (especially all the domain controllers) and manually reset it via gpedit.msc, or delete the associated registry keys.
    Quick tip: you can use the batch file found here to remove the crucial NTLM registry keys and update the group policy.
  2. In most cases, do plan to reboot your machine (and ensure it is fully patched!)
  3. Remote desktop may still be broken when NLA is enabled.

    To resolve this,
    - connect to the FQDN of the machine, e.g. server.corp.contoso.com, instead of the IP address
    - log in using the email (UPN) format instead of domain\username, e.g. jeffery@corp.contoso.com instead of corp\jeffery
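The two "Restrict NTLM" policies from the first list and the registry-based revert in item 1 above both come down to a handful of DWORD values under HKLM. The PowerShell below is an added example, not code from the original post, the batch file it links to, or Microsoft: it reads those values on the local machine, decodes them into the wording the GPO editor shows, and can delete them so the policies fall back to "Not Defined". The audit-policy row is an addition beyond what the post mentions (it lets you find NTLM-dependent systems such as the PRTG sensor before switching to Deny), and the paths and value names are transcribed from Microsoft's policy documentation, so confirm them against your own GPO editor before relying on them. Run it in an elevated session.

```powershell
# Added example (not from the original post). Audits and optionally removes the local
# registry values behind the "Network security: Restrict NTLM" policies.
# Paths and value names are transcribed from Microsoft's policy documentation (assumed correct).

$Msv1Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$NetlogonPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# "Restrict NTLM: Incoming NTLM traffic" (the post applies this to AD CS servers)
$IncomingMap = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }
# "Restrict NTLM: Audit Incoming NTLM Traffic" (audit-only counterpart, added here)
$AuditMap    = @{ 0 = 'Disable'; 1 = 'Enable auditing for domain accounts'; 2 = 'Enable auditing for all accounts' }
# "Restrict NTLM: NTLM authentication in this domain" (the post applies this to domain controllers)
$DomainMap   = @{ 0 = 'Disable'; 1 = 'Deny for domain accounts to domain servers'
                  3 = 'Deny for domain accounts'; 5 = 'Deny for domain servers'; 7 = 'Deny all' }

# Policy display name -> registry location and decoding table
$Policies = @(
    @{ Name = 'Incoming NTLM traffic';              Path = $Msv1Path;     Value = 'RestrictReceivingNTLMTraffic'; Map = $IncomingMap }
    @{ Name = 'Audit Incoming NTLM Traffic';        Path = $Msv1Path;     Value = 'AuditReceivingNTLMTraffic';    Map = $AuditMap }
    @{ Name = 'NTLM authentication in this domain'; Path = $NetlogonPath; Value = 'RestrictNTLMInDomain';         Map = $DomainMap }
)

function Read-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the value is absent, i.e. the policy is "Not Defined" on this machine.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-NtlmRestriction {
    # One row per policy: raw DWORD plus the wording the GPO editor would show.
    foreach ($p in $Policies) {
        $raw = Read-PolicyValue -Path $p.Path -Name $p.Value
        $setting = if ($null -eq $raw) { 'Not defined' }
                   elseif ($p.Map.ContainsKey($raw)) { $p.Map[$raw] }
                   else { "Unknown value $raw" }
        [PSCustomObject]@{ Policy = $p.Name; RegistryValue = $p.Value; Raw = $raw; Setting = $setting }
    }
}

function Remove-NtlmRestriction {
    # Deletes the values so all three policies read as "Not Defined" locally, then refreshes
    # policy. Only useful after the GPO itself has been set back to Not Defined; otherwise the
    # next refresh simply writes the values back.
    foreach ($p in $Policies) {
        if ($null -ne (Read-PolicyValue -Path $p.Path -Name $p.Value)) {
            Remove-ItemProperty -Path $p.Path -Name $p.Value
            Write-Host "Removed $($p.Value) from $($p.Path)"
        }
    }
    gpupdate /force | Out-Null
}

# Usage: review first; uncomment the revert only if the table shows the restrictions still applied.
Get-NtlmRestriction | Format-Table -AutoSize
# Remove-NtlmRestriction
```

Run Get-NtlmRestriction on each domain controller and AD CS server before and after the GPO change; a machine that still shows Deny values after the policy was set to Not Defined is one that needs the local reset the post describes.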
How to RDP without disabling NTLM

Jeffery Tay