Microsoft has introduced new security measures aimed at preventing NTLM relay attacks. These protective mechanisms include additional safeguards to reduce the risk of exploiting the NTLM protocol in attacks that intercept and relay user authentication to gain access to systems. These updates are part of Microsoft’s ongoing efforts to improve network security and address vulnerabilities in traditional authentication methods.
Understanding NTLM Vulnerabilities and Relay Attacks
NTLM (New Technology LAN Manager) is a set of protocols developed by Microsoft for authenticating users and computers through a challenge-response mechanism. In this process, the client responds to a server’s challenge, which verifies the user’s or computer’s identity.
The client’s response is computed from a hash of the user’s password, which serves as the key. Because that hash stands in for the user’s login credentials, it can be abused by attackers.
Since adopting Kerberos as the default authentication mechanism in Windows 2000, Microsoft has been working to phase out NTLM, which is considered less secure and outdated. However, NTLM remains widely used in organizations worldwide, leaving systems exposed to NTLM relay attacks. In these attacks, cybercriminals forward the NTLM authentication exchange to another service without decrypting it or recovering the user’s password, posing a significant security risk.
Example of NTLM Relay Attack: Exploiting NTLM Vulnerabilities in Office Documents and Emails
Office documents and emails sent via Outlook can become entry points for attackers exploiting NTLM vulnerabilities. Attackers embed malicious UNC (Universal Naming Convention) links in documents or messages that point the victim’s system at an attacker-controlled server, setting the stage for an NTLM relay attack.
When a victim opens such a document or email, the malicious UNC link triggers NTLM authentication to that server, which the attacker can intercept. By relaying the captured NTLM authentication to another service, cybercriminals can gain access to network resources without knowing the user’s password.
Recent NTLM vulnerabilities, such as CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563, have demonstrated how attackers can exploit these techniques to compromise victim systems if appropriate security patches are not implemented. Microsoft warns that these attacks can be highly effective, especially for organizations lacking adequate protections against this attack vector, particularly in office and email software.
Microsoft’s Push for Enhanced Security: EPA Enabled by Default in Windows Server 2025
Despite the inherent risks of NTLM, there is good news. Earlier this month, Microsoft reached a milestone with the release of Windows Server 2025, featuring Extended Protection for Authentication (EPA) and LDAP channel binding enabled by default.
EPA is an advanced security feature designed to mitigate man-in-the-middle (MitM) attacks and other forms of authentication data interception and manipulation in protocols like NTLM. In Windows Server 2025, EPA is enabled by default in a mode that preserves compatibility with older Windows clients. For organizations that do not need to support legacy clients, a stricter “Always Enabled” setting is available, with further enhancements planned for future versions.
Administrators of Windows Server 2022 and 2019 can manually enable EPA and LDAP channel binding, with Microsoft also adding LDAP auditing support to identify non-compliant computers and facilitate migration to updated configurations. Earlier this year, Microsoft made EPA the default setting for new and existing Exchange Server 2019 installations, while it remains an optional feature in Exchange Server 2016, enabled via a script.
To enable EPA on Windows systems, appropriate registry values must be configured.
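As an added, defender-side example (not code from the article or from Microsoft), the following read-only PowerShell audit reports the registry values behind the mitigations discussed above: LDAP channel binding (EPA for LDAP), LDAP and SMB signing, global Extended Protection, and the LDAP audit logging used to find non-compliant clients. The registry paths and value names are the documented Windows ones rather than values taken from this page, and the "OK" thresholds are the author's reading of Microsoft's hardening guidance.

```powershell
# Added example: read-only audit of the registry settings behind the NTLM relay
# mitigations described above. Registry paths are the documented Windows ones
# (not listed on the page). Run in an elevated session on the server to check;
# the NTDS keys only exist on domain controllers and are reported as NOT SET elsewhere.

$checks = @(
    @{ Name  = 'LDAP channel binding (EPA for LDAP)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LdapEnforceChannelBinding'
       # 0 = never, 1 = when supported (compatible mode), 2 = always
       Ok    = @(1, 2); Want = '1 (when supported) or 2 (always)' },
    @{ Name  = 'LDAP server signing'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LDAPServerIntegrity'
       # 1 = none, 2 = require signing
       Ok    = @(2); Want = '2 (require signing)' },
    @{ Name  = 'SMB server signing required'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'
       Ok    = @(1); Want = '1 (required)' },
    @{ Name  = 'Extended Protection not suppressed (global)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'SuppressExtendedProtection'
       # 0 = EPA available; non-zero values suppress it
       Ok    = @(0); Want = '0 (EPA available)' },
    @{ Name  = 'LDAP interface event logging (unsigned-bind audits)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
       Value = '16 LDAP Interface Events'
       # 2 or higher logs clients that bind without signing/channel binding
       Ok    = @(2, 3, 4, 5); Want = '2 or higher' }
)

foreach ($c in $checks) {
    # Missing key or value: Windows default applies, so flag it for review rather than fail.
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    if ($null -eq $current) {
        $state = 'NOT SET (Windows default applies; verify OS version default)'
    } elseif ($c.Ok -contains $current) {
        $state = "OK ($current)"
    } else {
        $state = "WEAK ($current), want $($c.Want)"
    }
    '{0,-52} {1}' -f $c.Name, $state
}
```

A NOT SET result is not automatically safe: on Windows Server 2025 the absent LDAP value means the compatible default applies, whereas on 2019/2022 it means channel binding is not enforced, which is exactly the manual step the article refers to.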
Conclusion
While NTLM remains a vulnerable protocol, Microsoft continues to address emerging threats by implementing features like EPA, a significant step toward improving security in modern IT infrastructures. Organizations are encouraged to follow Microsoft’s recommendations for mitigating NTLM relay attacks, such as disabling NTLM on domain controllers, enabling extended authentication and signing protections (e.g., SMB signing), and addressing vulnerabilities like PetitPotam by disabling web services on Active Directory Certificate Services servers.
For organizations seeking to enhance Active Directory security, we encourage you to reach out to us for guidance and support.