Microsoft Enhances NTLM Relay Attack Protections


Cybersecurity threats are evolving, and staying ahead of attackers is critical. Recognizing this, Microsoft has introduced NTLM relay attack protections as default features in Exchange servers, LDAP, and Active Directory Certificate Services (AD CS).

These updates are designed to block NTLM relay attacks, a common method used by cybercriminals to exploit vulnerabilities in authentication protocols.

Key Takeaway on NTLM Relay Attack Protections:

  • Microsoft’s default NTLM relay attack protections strengthen security for on-premises servers, significantly reducing the risk of account compromises caused by these attacks.

What Are NTLM Relay Attacks?

NTLM relay attacks exploit the New Technology LAN Manager (NTLM) authentication protocol. Here’s how they work:

  • Deception: Attackers trick a user into authenticating to an unintended endpoint.
  • Relay: The attacker forwards the user’s authentication details to a vulnerable server.
  • Compromise: Once access is gained, attackers can take control of accounts or execute malicious commands.

These attacks often exploit flaws in widely used services like Exchange, LDAP, and AD CS, making them a serious security concern.

New Microsoft Protections Against NTLM Relay Attacks

Microsoft has taken significant steps to combat these vulnerabilities by implementing NTLM relay attack protections as default security measures in key services:

Extended Protection for Authentication (EPA)

  • Enabled by default in Exchange Server 2019.
  • Strengthens authentication by ensuring that an authentication is accepted only by the server the client intended to reach.

Channel Binding for LDAP

  • Now default in Windows Server 2025.
  • Ensures secure communication between servers and clients to block unauthorized access.

Enhanced Security for AD CS

  • EPA is now automatically enabled, further mitigating risks.

Key Impact: These updates eliminate manual configurations, ensuring a “secure by default” approach for enterprises.
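The three protections above each leave a checkable footprint on the server. The following read-only audit script is an added example (not from the article and not Microsoft's own script) that reports where a domain controller or Exchange server stands on LDAP channel binding, LDAP signing, and Extended Protection. It assumes an elevated session, that the LDAP checks run on a domain controller, and that the EPA checks run on an Exchange server with the IIS WebAdministration module; the list of Exchange virtual directories is an assumption and should be adjusted to the deployment.

```powershell
# Added audit example (not the article's or Microsoft's code). Read-only: reports
# NTLM-relay-relevant settings and changes nothing.

function Get-RegDword {
    # Return a DWORD registry value, or $Default when the value does not exist.
    param([string]$Path, [string]$Name, [int]$Default)
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { return $Default }
    return [int]$v
}

function Get-NtlmRelayHardeningReport {
    $findings = @()

    # 1. LDAP channel binding and signing (domain controller).
    #    LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always (absent = 0).
    #    LDAPServerIntegrity:       1 = none, 2 = require signing (absent = 1).
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    if (Test-Path $ntds) {
        $cbt  = Get-RegDword -Path $ntds -Name 'LdapEnforceChannelBinding' -Default 0
        $sign = Get-RegDword -Path $ntds -Name 'LDAPServerIntegrity'      -Default 1
        $findings += [pscustomobject]@{
            Check  = 'LDAP channel binding (LdapEnforceChannelBinding)'
            Value  = $cbt
            Status = if ($cbt -eq 2) { 'OK' } elseif ($cbt -eq 1) { 'PARTIAL' } else { 'WEAK' }
        }
        $findings += [pscustomobject]@{
            Check  = 'LDAP server signing (LDAPServerIntegrity)'
            Value  = $sign
            Status = if ($sign -eq 2) { 'OK' } else { 'WEAK' }
        }
    }

    # 2. Extended Protection for Authentication on Exchange virtual directories (IIS).
    #    tokenChecking: None = off, Allow = honour a channel binding token if present,
    #    Require = reject authentication without a valid token.
    #    The virtual directory list is an assumption; adjust to your deployment.
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $vdirs = @(
            'Default Web Site\EWS', 'Default Web Site\Autodiscover', 'Default Web Site\mapi',
            'Default Web Site\Microsoft-Server-ActiveSync', 'Default Web Site\OAB',
            'Default Web Site\Rpc', 'Default Web Site\ecp', 'Default Web Site\owa'
        )
        $filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
        foreach ($vdir in $vdirs) {
            if (-not (Test-Path "IIS:\Sites\$vdir")) { continue }
            $tc = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$vdir" -Filter $filter -Name tokenChecking
            # The cmdlet may return a plain string or a ConfigurationAttribute; normalise to a string.
            $tcValue = [string]$tc.Value
            if ([string]::IsNullOrEmpty($tcValue)) { $tcValue = [string]$tc }
            $findings += [pscustomobject]@{
                Check  = "EPA tokenChecking on $vdir"
                Value  = $tcValue
                Status = if ($tcValue -eq 'Require') { 'OK' } elseif ($tcValue -eq 'Allow') { 'PARTIAL' } else { 'WEAK' }
            }
        }
    }

    return $findings
}

# Usage: run elevated on the server being audited.
Get-NtlmRelayHardeningReport | Format-Table -AutoSize
```

Anything reported as WEAK or PARTIAL is a place where a relayed NTLM authentication would still be accepted; the Microsoft scripts referred to later in the article are the supported way to change those settings on older Exchange builds.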

Real-World Example of NTLM Relay Attacks

In the past, attackers have exploited NTLM vulnerabilities to compromise major systems. For instance, researchers found that certain Office documents sent via Outlook could trigger NTLM relay attacks on Exchange servers.

These flaws, identified as CVE-2024-21413 and CVE-2023-36563, allowed hackers to take control of user accounts by relaying authentication requests to vulnerable endpoints.

Such incidents underline the importance of NTLM relay attack protections in safeguarding critical systems.

Key Features of Microsoft’s Security Enhancements

Feature                                 | Service          | Impact
----------------------------------------|------------------|-----------------------------------------
Extended Protection for Authentication  | Exchange Server  | Prevents unauthorized server connections
Channel Binding                         | LDAP             | Secures client-server communications
Default EPA                             | AD CS            | Blocks unauthorized NTLM relay attacks

Future Plans: Phasing Out NTLM

Microsoft is planning to phase out NTLM altogether. As part of this effort:

  • NTLMv1 Removed: Windows Server 2025 and Windows 11 no longer support NTLMv1.
  • NTLMv2 Deprecated: Further steps are being taken to reduce reliance on older authentication methods.
  • Focus on EPA: Microsoft aims to enable EPA by default across more services, eliminating this class of attacks entirely.
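Before NTLM can be retired, an administrator needs an inventory of what still uses it, and needs to know whether NTLMv1 is still permitted locally. The script below is an added example (not from the article and not Microsoft's own tooling) that turns on NTLM auditing, reads the LmCompatibilityLevel that governs NTLMv1 versus NTLMv2, and summarises audited NTLM events from the NTLM operational log by workstation and user. It assumes an elevated session on a domain controller or member server, and the event data field names it reads (WorkstationName, UserName, DomainName) are an assumption that should be checked against a sample event.

```powershell
# Added inventory example (not the article's or Microsoft's code).
# Assumes an elevated session; the Microsoft-Windows-NTLM/Operational log is
# present on Windows 7 / Server 2008 R2 and later.

function Enable-NtlmAudit {
    # AuditReceivingNTLMTraffic: 0 = disable, 1 = audit domain accounts, 2 = audit all accounts.
    # Registry form of "Network security: Restrict NTLM: Audit Incoming NTLM Traffic".
    # RestrictSendingNTLMTraffic: 0 = allow, 1 = audit outgoing, 2 = deny outgoing.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    New-ItemProperty -Path $lsa -Name 'AuditReceivingNTLMTraffic' -PropertyType DWord -Value 2 -Force | Out-Null
    New-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-LmCompatibilityLevel {
    # 0-2 still permit LM / NTLMv1 responses from this host; 3-5 send NTLMv2 only;
    # 5 additionally refuses LM and NTLMv1 when acting as a server or domain controller.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $v) { return 3 }   # effective default on current Windows when the value is absent
    return [int]$v
}

function Get-NtlmUsageSummary {
    param([int]$Days = 7)
    # Events 8001-8004 record audited NTLM authentications (outgoing, incoming, in-domain, DC-side).
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Id          = $e.Id
            Workstation = $data['WorkstationName']   # assumed field name
            User        = $data['UserName']          # assumed field name
            Domain      = $data['DomainName']        # assumed field name
        }
    }

    # Most frequent NTLM sources first: these are the systems to migrate or fix before NTLM is blocked.
    $rows | Group-Object -Property Workstation, User, Domain | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Workstation'; e = { $_.Group[0].Workstation } },
            @{ n = 'User';        e = { $_.Group[0].User } },
            @{ n = 'Domain';      e = { $_.Group[0].Domain } }
}

# Usage: enable auditing, then come back after a representative period and summarise.
Enable-NtlmAudit
"LmCompatibilityLevel: $(Get-LmCompatibilityLevel) (below 3 still permits NTLMv1)"
Get-NtlmUsageSummary -Days 7 | Format-Table -AutoSize
```

Auditing rather than blocking first is deliberate: the events show which accounts and hosts would break when NTLM is restricted, so the phase-out can be staged instead of discovered in production.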

A Broader Threat Landscape

The urgency of addressing NTLM relay vulnerabilities was highlighted recently when 0patch revealed a new NTLM-related flaw.

This vulnerability, present in all Windows versions after Windows 7, allows attackers to steal user credentials by tricking users into opening malicious files in Windows Explorer.

Microsoft has yet to patch this issue, underscoring the ongoing need for robust protections like those introduced for NTLM relay attacks.

About Microsoft

Microsoft is a global leader in software and technology, known for its robust cybersecurity initiatives. The company’s ongoing commitment to improving security includes the development of tools like Extended Protection for Authentication and proactive updates to mitigate threats like NTLM relay attacks.

Final Thoughts

Microsoft’s introduction of NTLM relay attack protections is a critical step toward securing enterprise systems against evolving cyber threats. Organizations must act quickly to adopt these updates, ensuring that their networks remain resilient in the face of modern attacks.


FAQ

1. What is an NTLM relay attack?

An NTLM relay attack tricks a user into authenticating to a fake server and forwards their credentials to a target system, compromising security.

2. How do Microsoft’s updates protect against these attacks?

By enabling features like EPA and channel binding by default, Microsoft ensures secure authentication and communication between servers and clients.

3. Are older versions of Exchange and Windows protected?

For Exchange Server 2016 and older Windows versions, administrators can manually enable these protections using provided scripts.

4. Why is NTLM being phased out?

NTLM has long been a target for attackers due to its vulnerabilities. Replacing it with more secure protocols, and hardening it in the meantime with mechanisms like EPA, reduces the risk of attacks.

5. What should IT administrators do now?

Admins should update systems to the latest versions, enable any remaining manual protections, and monitor for new Microsoft updates.
