Mitigating NTLM Relay Attacks by Default

Source: Microsoft Security Response Center Author: unknown URL: https://msrc.microsoft.com/blog/2024/12/mitigating-ntlm-relay-attacks-by-default/

1. ONE SENTENCE SUMMARY: February 2024 updates enabled Extended Protection for Authentication by default in Exchange Server and Windows Server to combat NTLM relay attacks.

2. MAIN POINTS:

3. February 2024 introduced CVE-2024-21410, enabling Extended Protection for Authentication by default in Exchange 2019.

4. Windows Server 2025 also enabled EPA by default for Azure Directory Certificate Services and LDAP.

5. NTLM relay attacks compromise identities by relaying authentication to vulnerable endpoints.

6. Historical exploits have been observed against Exchange, AD CS, and LDAP without NTLM protections.

7. Microsoft’s guidelines require administrator intervention to enable EPA in older systems without defaults.

8. Exchange Server is frequently targeted due to its connection with Office documents and emails.

9. Exchange Server 2016 lacks further updates but EPA can be enabled via scripting.

10. Windows Server 2025 offers stronger EPA options for enterprises not supporting legacy clients.

11. NTLM is expected to be disabled by default in future Windows versions, promoting modern authentication.

12. Microsoft aims to enforce secure defaults and enhance mitigation strategies against NTLM attacks.

13. TAKEAWAYS:

14. Enabling EPA by default significantly increases security against NTLM relay attacks.

15. Administrators must adapt to new protocols to phase out legacy NTLM usage.

16. Vulnerabilities in widely used services like Exchange make them prime targets for attackers.

17. Future updates will continue to enhance default security measures for Microsoft services.

18. Collaboration within Microsoft teams is crucial for implementing effective security updates.