Microsoft Rolls Out Default NTLM Relay Attack Mitigations

December 10, 2024 at 06:29AM

Microsoft has introduced enhanced security measures to combat NTLM relay attacks on Exchange servers, including enabling Extended Protection for Authentication (EPA) and LDAP channel binding by default. These changes aim to stop relayed NTLM authentication from being used to compromise accounts through known vulnerabilities, as the company prepares to phase out NTLM entirely.

### Key Takeaways

1. **New Security Measures**: Microsoft has introduced default security protections to defend against NTLM relay attacks on on-premises Exchange servers.

2. **Understanding NTLM Relay Attacks**:
– Attackers abuse the NTLM authentication protocol by coercing a victim's client into authenticating to an attacker-controlled endpoint, then relaying that authentication to a legitimate server.
– A successful relay gives the attacker the victim's access on the target server, so actions are executed under the victim's identity without the attacker ever learning the password.

3. **Vulnerabilities Targeted**:
– Known vulnerabilities (CVE-2024-21413, CVE-2023-23397, CVE-2023-36563) can be exploited through documents and messages in Outlook, targeting Exchange servers.

4. **Current Status**: Microsoft reports no observed NTLM relay attacks against Exchange; the new protections are a proactive hardening step rather than a response to an active campaign.

5. **Updates Released**:
– Extended Protection for Authentication (EPA) is now enabled by default in Exchange Server 2019 and Windows Server 2025.
– Channel binding for Lightweight Directory Access Protocol (LDAP) is also enabled by default.

6. **Mitigation Strategies**:
– EPA and channel binding bind the authentication to the TLS channel between client and server, so an authentication relayed by a third party to a different server fails; this ensures clients authenticate only to their intended servers and significantly raises the bar against NTLM relay attacks.
– Guidance for enabling EPA across various services was published earlier and those settings are now applied by default.

7. **Legacy Support**:
– EPA can be enabled via script on Exchange Server 2016 (currently in extended support).
– EPA and channel binding must be manually enabled on Windows Server 2022 and 2019.

8. **Auditing Enhancements**:
– Microsoft has introduced LDAP auditing to identify machines lacking channel binding support, helping administrators transition towards enhanced security.

9. **Future Plans**:
– NTLMv1 has been removed, and NTLMv2 is deprecated in Windows Server 2025 and Windows 11 (24H2).
– Ongoing efforts to enable EPA by default across more services are in progress.

10. **Recent Vulnerability**:
– A newly reported vulnerability affecting all Windows versions since Windows 7 allows NTLM credential harvesting when a user merely views a malicious file. At the time of writing, Microsoft has not released a patch for it.
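Item 8 above says the new LDAP auditing exists to find machines that do not yet support channel binding before enforcement is switched on. The following script is an added example of how an administrator might triage such an audit export; it is not code from the article or from Microsoft. It assumes the Directory Service log has been exported as plain text, one event per line, in the constructed shape shown in the sample, and it assumes Event ID 3039 (a single LDAPS bind that failed channel binding token validation) and Event ID 3040 (the 24-hour summary count) as I recall them from Microsoft's LDAP channel binding guidance; verify both the IDs and the message wording against your own domain controllers.

```python
"""Triage LDAP channel-binding audit events to find clients that still need fixing.

Added example, not from the article. Assumes an exported Directory Service log with one
event per line. Event IDs 3039/3040 are assumed from Microsoft's channel binding guidance;
confirm them on your domain controllers before relying on this script.
"""
import re
from collections import Counter

# Constructed sample export (not real log data). A real export would come from
# Get-WinEvent or the Event Viewer; only the fields parsed below matter here.
SAMPLE_EXPORT = """\
EventID=3039 Client IP address: 10.20.30.41:51234 Identity the client attempted to authenticate as: CORP\\svc-backup
EventID=3039 Client IP address: 10.20.30.41:51260 Identity the client attempted to authenticate as: CORP\\svc-backup
EventID=3039 Client IP address: 10.20.30.77:49152 Identity the client attempted to authenticate as: CORP\\legacy-scanner$
EventID=3040 During the previous 24 hour period, 3 unprotected LDAPs binds would have failed the channel binding token validation
EventID=2889 Client IP address: 10.20.30.99:50001 Identity the client attempted to authenticate as: CORP\\old-app Binding Type: 0
"""

# 3039: one client bind that failed channel binding token (CBT) validation.
CBT_FAILURE = re.compile(
    r"EventID=3039 .*?Client IP address: (?P<ip>[\d.]+):\d+ .*?authenticate as: (?P<identity>\S+)"
)
# 3040: daily summary of binds that would fail once channel binding is enforced.
CBT_SUMMARY = re.compile(r"EventID=3040 .*?(?P<count>\d+) unprotected LDAPs binds")


def parse_cbt_failures(export: str) -> list[dict]:
    """Return one record per 3039 event: the source IP and the identity that failed CBT."""
    records = []
    for line in export.splitlines():
        m = CBT_FAILURE.search(line)
        if m:
            records.append({"ip": m.group("ip"), "identity": m.group("identity")})
    return records


def summarise(export: str) -> dict:
    """Aggregate failures per (ip, identity) so each offending host can be remediated."""
    per_client = Counter((r["ip"], r["identity"]) for r in parse_cbt_failures(export))
    reported = sum(
        int(m.group("count"))
        for m in (CBT_SUMMARY.search(line) for line in export.splitlines())
        if m
    )
    return {
        "per_client": dict(per_client),
        "distinct_clients": len(per_client),
        "reported_24h_total": reported,
    }


def enforcement_impact(ldap_enforce_channel_binding: int, distinct_clients: int) -> str:
    """Describe what the LdapEnforceChannelBinding setting (0 never, 1 when supported,
    2 always) would do to the clients found above. Setting values are the documented
    NTDS registry values; the wording is ours."""
    if ldap_enforce_channel_binding == 0:
        return f"audit only: {distinct_clients} client(s) logged, none blocked"
    if ldap_enforce_channel_binding == 1:
        return f"partial: clients that send a bad CBT are blocked; those sending none still bind ({distinct_clients} to review)"
    return f"full enforcement: all {distinct_clients} client(s) above will fail to bind until fixed"


if __name__ == "__main__":
    report = summarise(SAMPLE_EXPORT)
    for (ip, identity), count in sorted(report["per_client"].items()):
        print(f"{ip:<16} {identity:<24} {count} failed bind(s)")
    print(enforcement_impact(2, report["distinct_clients"]))
```

Run the aggregation for a few days with the registry value still at 0 and only move to 2 once the per-client list is empty; the 2889 line in the sample is deliberately ignored, since unsigned-bind auditing is a separate control from channel binding.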

These updates demonstrate Microsoft’s commitment to reinforcing security and mitigating risks associated with NTLM relay attacks.
