NTLM relaying is a popular attack method used by threat actors to compromise identities. Microsoft wants to put a stop to this and has started to roll out protective measures in Windows that provide better protection against standard NTLM relay attacks.
NTLM relay attacks
NTLM relaying is a popular attack method for compromising or stealing an identity. In an NTLM relay attack, the victim is tricked into authenticating to an arbitrary endpoint. The authentication data is then passed on to the attackers.
By forwarding the credentials to a vulnerable endpoint, attackers can authenticate themselves and perform actions on behalf of the victim. This gives attackers a starting point for further compromising a domain.
Microsoft makes NTLM relay attacks more difficult
In order to stop the exploitation of weaknesses such as relaying, the vulnerable services need to be protected holistically and by default. This is where Extended Protection for Authentication (EPA) and other channel binding mechanisms come into play: they tie the authentication to the connection so that clients can only authenticate to the server they are actually connected to, and a relayed authentication is rejected.
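To make the mechanism concrete, here is an added example (not from the original article and not Microsoft's code) that models what channel binding does in NTLM over TLS. It assumes the RFC 5929 "tls-server-end-point" binding with SHA-256-signed certificates and the MS-NLMP serialization of the gss_channel_bindings_struct; the certificate bytes and the attribute names in the message dictionaries are constructed stand-ins, not real certificates or real protocol fields.

```python
import hashlib
import hmac
import struct

# Constructed stand-ins for DER-encoded server certificates (not real certificates).
CERT_LEGITIMATE_SERVER = b"constructed-der-certificate-of-the-legitimate-server"
CERT_INTERMEDIARY = b"constructed-der-certificate-of-an-intermediary-endpoint"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 'tls-server-end-point' binding data: the hash of the server certificate.

    Assumption: the certificate is signed with SHA-256, so SHA-256 is the hash to use
    (RFC 5929 also maps MD5/SHA-1-signed certificates to SHA-256).
    """
    return b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()


def channel_binding_token(cert_der: bytes) -> bytes:
    """Value of the MsvAvChannelBindings AV pair (MS-NLMP): MD5 over the serialized
    gss_channel_bindings_struct, where only application_data is populated."""
    app_data = tls_server_end_point(cert_der)
    gss_struct = (
        struct.pack("<I", 0)            # initiator_addrtype (unused)
        + struct.pack("<I", 0)          # initiator_address length (empty)
        + struct.pack("<I", 0)          # acceptor_addrtype (unused)
        + struct.pack("<I", 0)          # acceptor_address length (empty)
        + struct.pack("<I", len(app_data))
        + app_data
    )
    return hashlib.md5(gss_struct).digest()


def client_authenticate(cert_seen_by_client: bytes) -> dict:
    """The client binds its NTLM authentication to the certificate of the TLS endpoint
    it is actually talking to. In a relay, that endpoint is the intermediary, not the
    real server, so the token differs from the one the real server expects."""
    return {"user": "victim", "channel_bindings": channel_binding_token(cert_seen_by_client)}


def server_verify(auth_msg: dict, own_cert: bytes, epa_enabled: bool) -> bool:
    """Server-side check. With EPA off, the binding is ignored and any relayed
    authentication is accepted. With EPA on, the token must match the server's own
    certificate, and a missing token is rejected."""
    if not epa_enabled:
        return True
    presented = auth_msg.get("channel_bindings")
    expected = channel_binding_token(own_cert)
    return presented is not None and hmac.compare_digest(presented, expected)


def direct_login(epa_enabled: bool) -> bool:
    """Victim talks straight to the legitimate server: accepted in both modes."""
    return server_verify(client_authenticate(CERT_LEGITIMATE_SERVER), CERT_LEGITIMATE_SERVER, epa_enabled)


def relayed_login(epa_enabled: bool) -> bool:
    """Victim was lured to the intermediary's TLS endpoint; the authentication is then
    forwarded unchanged to the legitimate server."""
    return server_verify(client_authenticate(CERT_INTERMEDIARY), CERT_LEGITIMATE_SERVER, epa_enabled)


if __name__ == "__main__":
    for epa in (False, True):
        print(f"EPA {'on ' if epa else 'off'}: direct={direct_login(epa)} relayed={relayed_login(epa)}")
```

The point to take away is why the intermediary cannot simply patch the token: in NTLMv2 the AV pairs, including the channel binding, are covered by the NTProofStr HMAC computed with a key derived from the user's password hash, so the relayed message either carries the wrong binding or a broken proof, and a server with EPA enabled rejects it either way. Without EPA the server never looks at the binding, which is the gap the default-on changes for Exchange, AD CS and LDAP close.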
Microsoft has published the article Mitigating NTLM Relay Attacks by Default, which describes what is being done in its products to protect systems from NTLM relay attacks.
In February 2024, an update was released for Exchange Server that enables Extended Protection for Authentication for new and existing installations of Exchange 2019. This was Microsoft's response to the vulnerability CVE-2024-21410.
With Windows Server 2025, a similar security improvement is available for Active Directory Certificate Services (AD CS): EPA is enabled there by default as well. In addition, channel binding is now enabled by default for LDAP in Windows Server 2025. These security improvements reduce the risk of NTLM relay attacks by default for three on-premises services: Exchange Server, Active Directory Certificate Services (AD CS) and LDAP. Details can be found in the article Mitigating NTLM Relay Attacks by Default.