Microsoft has provided more elaborate mitigation instructions for the PetitPotam attacks. The attack could force remote Windows systems to reveal password hashes that could then be easily cracked. Microsoft quickly sent out an advisory for system administrators to stop using the now deprecated Windows NT LAN Manager to thwart an attack.
PetitPotam
PetitPotam enables a threat actor to launch an NTLM relay attack on domain controllers. It does this by performing an NTLM relay attack that does not rely on the Microsoft’s Print System Remote Protocol (MS-RPRN) API but instead uses the EfsRpcOpenFileRaw function of the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) API. MS-EFSRPC is used for maintenance and management operations on encrypted data that is stored remotely and accessible over a network. The PetitPotam PoC takes the form of a manipulator-in-the-middle (MitM) attack against Microsoft’s NTLM authentication system. The targeted computer is forced to initiate an authentication procedure and share its authentication details via NTLM.
Hard to patch
Since its not based on a vulnerability but uses a legitimate function in a way that was not intended, it will be hard to patch for this attack without “breaking stuff.” Further, stopping the Encrypting File System (EFS) service does not prevent the technique from being exploited.
Vulnerable systems
Windows Server 2008, Windows Server 2008 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022.
Mitigation Details
Microsoft has divided the mitigation techniques into a Primary part and an Additional part.
Primary Mitigation
On AD CS servers open the Internet Information Services (IIS) Manager and do the following:
- Enable Extended Protection for Authentication (EPA) for Certificate Authority Web Enrollment, “Required” being the more secure and recommended option.
- Enable EPA for Certificate Enrollment Web Service, “Required” being the more secure and recommended option. After enabling EPA in the UI, the Web.config file created by CES role at <%windir%>\systemdata\CES\<CA Name>_CES_Kerberos\web.config should also be updated by adding <extendedProtectionPolicy> set with a value of either WhenSupported or Always depending on the Extended Protection option selected in the IIS UI.
- Enable Require SSL, which will enable only HTTPS connections.
Additional Mitigation
- Disable NTLM Auth on your Windows domain controller.
- Disable NTLM in your domain using the group policy (GPO). To configure this GPO, open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and set Network security: Restrict NTLM: Incoming NTLM traffic to Deny All Accounts or Deny All domain accounts. If needed, you can add exceptions as necessary.
- Disable NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.
IIS Service has to be restarted to take these settings to take effect.
