How to protect your network against security flaws in Microsoft's NTLM protocol

Microsoft's NTLM (NT LAN Manager) is an older and now outdated security protocol that authenticates user credentials in a Windows domain. Though Microsoft has long since replaced NTLM with Kerberos as the default authentication method for Active Directory, the company still supports the older protocol, while recommending that customers adopt Kerberos instead.

As we all know, even though a technology or protocol is old, outdated, or no longer recommended, that doesn't mean organizations no longer use it. The problem is that NTLM is continually plagued by security holes. In a report released on Tuesday, security provider Preempt describes the latest flaws and offers advice on how to protect your network against them.

In its report, Preempt said that it recently uncovered two critical Microsoft vulnerabilities based on three logical flaws in NTLM. These vulnerabilities could allow attackers to remotely execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA), such as Exchange or ADFS. Preempt's research indicates that all versions of Windows are susceptible to these flaws.

One major pitfall in NTLM, the report noted, is that it's open to relay attacks: an attacker captures an authentication to one server and relays it to a second server, which lets them control that second server using the same credentials.

Microsoft has developed several fixes to prevent NTLM relay attacks, but attackers can find ways to bypass them via the following three logical flaws:

On Tuesday, Microsoft will be issuing two patches to try to shore up these latest security holes in NTLM. Beyond urging organizations to patch vulnerable systems with these new updates, Preempt offers other pieces of advice.

Patch

Make sure that all workstations and servers are properly patched with Microsoft's latest updates. Look for Microsoft's CVE-2019-1040 and CVE-2019-1019 on Patch Tuesday, June 11. But patching by itself isn't enough, according to Preempt, which also recommends several configuration tweaks.

Configuration

"Even though NTLM Relay is an old technique, enterprises cannot completely eliminate the use of the protocol as it will break many applications. Hence it still poses a significant risk to enterprises, especially with new vulnerabilities discovered constantly," Roman Blachman, Preempt's CTO and co-founder, said in a press release. "Companies need to first and foremost ensure all of their Windows systems are patched and securely configured. In addition, organizations can further protect their environments by gaining network NTLM visibility."
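As an added example (it is not code from the article or from Preempt), the script below produces the kind of network NTLM visibility recommended above by summarising Windows Security event 4624 (successful logon) records: which source hosts and accounts still authenticate with NTLM rather than Kerberos, and which of those still use NTLMv1. The field names are those of the real 4624 event; the event records themselves are constructed samples.

```python
"""Summarise NTLM use from Windows Security event 4624 records."""
from collections import Counter, defaultdict

# Constructed sample of logon events reduced to the fields used here.
# In production these would come from Get-WinEvent, a log forwarder or a SIEM.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "IpAddress": "10.0.0.21", "TargetUserName": "alice"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "IpAddress": "10.0.0.44", "TargetUserName": "svc_backup"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "IpAddress": "10.0.0.77", "TargetUserName": "legacyapp"},
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Negotiate",
     "LmPackageName": "-", "IpAddress": "127.0.0.1", "TargetUserName": "bob"},
    # A failed logon (4625); ignored because it carries no successful auth package.
    {"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "-", "IpAddress": "10.0.0.99", "TargetUserName": "alice"},
]


def ntlm_report(events):
    """Return authentication-package counts, NTLM sources and NTLMv1 offenders.

    Only 4624 events are considered.  Hosts listed under "ntlm_sources" are
    the clients to patch, reconfigure or migrate to Kerberos; entries under
    "ntlmv1" still use the weaker NTLMv1 and deserve immediate attention.
    """
    by_package = Counter()
    ntlm_sources = defaultdict(set)  # source IP -> accounts seen using NTLM
    ntlmv1 = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        package = ev.get("AuthenticationPackageName", "")
        by_package[package] += 1
        if package != "NTLM":
            continue
        ntlm_sources[ev["IpAddress"]].add(ev["TargetUserName"])
        if ev.get("LmPackageName", "").upper().startswith("NTLM V1"):
            ntlmv1.append((ev["IpAddress"], ev["TargetUserName"]))
    return {
        "by_package": dict(by_package),
        "ntlm_sources": {ip: sorted(users) for ip, users in ntlm_sources.items()},
        "ntlmv1": ntlmv1,
    }


if __name__ == "__main__":
    for key, value in ntlm_report(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```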
