H3-2024-0034
NTLM Authentication Endpoint Exposed to the Internet
| Field | Value |
| --- | --- |
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 4.0 |
Description
An NTLM authentication endpoint is exposed to the Internet.
Impact
NTLM (New Technology LAN Manager) is a legacy Windows single sign-on (SSO) protocol. These endpoints are attractive to attackers because the NTLM protocol does not support multi-factor authentication (MFA). Attackers can freely conduct password-spraying and credential-stuffing attacks against these endpoints, potentially leading to initial access and bypassing MFA. These endpoints also leak information such as internal company domain names and computer names.
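To verify the information-disclosure part of this finding on your own assets, you can decode the NTLM challenge (Type 2 / CHALLENGE_MESSAGE) that an exposed endpoint returns in its `WWW-Authenticate` header and list the names it carries. The following Python is an added example written for this page; it is not code from the advisory or from any of the referenced tools. The challenge message it parses is constructed inline (the `build_challenge` helper, with made-up names such as `CORP` and `exch01.corp.example.internal`) so the example runs offline; on a real host you would feed `inspect_www_authenticate` the header value taken from the 401 response to an NTLM Type 1 message.

```python
import base64
import struct

# AvId values carried in the TargetInfo block of a CHALLENGE_MESSAGE (MS-NLMP 2.2.2.1).
# Only the name-bearing pairs are listed; timestamp, flags and channel-binding pairs are skipped.
AV_PAIR_NAMES = {
    1: "NetBIOS computer name",
    2: "NetBIOS domain name",
    3: "DNS computer name",
    4: "DNS domain name",
    5: "DNS tree name",
}

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
HEADER_LEN = 56  # fixed fields of a Type 2 message, including the optional Version block


def build_challenge(target_name, av_pairs, version=(10, 0, 19041)):
    """Constructed sample input: assemble a Type 2 message laid out the way a Windows
    host returns it. Exists only so the parser below has realistic bytes to work on."""
    enc = "utf-16-le"
    target = target_name.encode(enc)
    info = b"".join(struct.pack("<HH", av_id, len(v.encode(enc))) + v.encode(enc)
                    for av_id, v in av_pairs)
    info += struct.pack("<HH", 0, 0)  # MsvAvEOL terminator
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_VERSION
    major, minor, build = version
    msg = b"NTLMSSP\x00"                                   # Signature
    msg += struct.pack("<I", 2)                            # MessageType = CHALLENGE
    msg += struct.pack("<HHI", len(target), len(target), HEADER_LEN)   # TargetNameFields
    msg += struct.pack("<I", flags)                        # NegotiateFlags
    msg += b"\x11" * 8                                     # ServerChallenge (fixed here, random on a real server)
    msg += b"\x00" * 8                                     # Reserved
    msg += struct.pack("<HHI", len(info), len(info), HEADER_LEN + len(target))  # TargetInfoFields
    msg += struct.pack("<BBH", major, minor, build) + b"\x00\x00\x00\x0f"       # Version
    return msg + target + info


def parse_challenge(blob):
    """Return the names and OS version disclosed by a Type 2 message."""
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)
    flags = struct.unpack_from("<I", blob, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)
    # Strings are UTF-16LE when the UNICODE flag is set; the OEM charset is approximated with latin-1.
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    result = {"target_name": blob[tn_off:tn_off + tn_len].decode(enc)}
    if flags & NTLMSSP_NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", blob, 48)
        result["os_version"] = f"{major}.{minor}.{build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL
            break
        value = blob[pos:pos + av_len]
        pos += av_len
        if av_id in AV_PAIR_NAMES:
            result[AV_PAIR_NAMES[av_id]] = value.decode(enc)
    return result


def inspect_www_authenticate(header_value):
    """Classify a WWW-Authenticate header value from one of your own endpoints.
    A bare 'NTLM' (first 401) already shows the endpoint offers NTLM; a token after it
    is the base64 challenge, which is decoded. 'Negotiate' may also carry NTLM inside
    SPNEGO, but that wrapping is not unpacked here."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "ntlm":
        return {"ntlm_offered": False, "challenge": None}
    if not token:
        return {"ntlm_offered": True, "challenge": None}
    return {"ntlm_offered": True, "challenge": parse_challenge(base64.b64decode(token))}


# Constructed sample: the challenge a hypothetical Exchange host in a made-up forest might return.
SAMPLE_CHALLENGE = build_challenge(
    "CORP",
    [(2, "CORP"), (1, "EXCH01"), (4, "corp.example.internal"),
     (3, "exch01.corp.example.internal"), (5, "corp.example.internal")],
)
SAMPLE_HEADER = "NTLM " + base64.b64encode(SAMPLE_CHALLENGE).decode()

if __name__ == "__main__":
    for key, value in inspect_www_authenticate(SAMPLE_HEADER)["challenge"].items():
        print(f"{key}: {value}")
```

Every field the parser prints is handed to an unauthenticated client before any credential is checked, which is the leak the Impact section refers to; if the DNS names or build number match your internal environment, the endpoint should be moved behind modern authentication or removed from the Internet-facing proxy, per the references below.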
References
- Windows Network security policy setting: Restrict NTLM: Audit NTLM authentication in this domain
- Hybrid Modern Authentication for On-Prem Exchange and Skype for Business Servers
- Active Directory Federation Services (ADFS) Best Practices: Disable WS-Trust Windows endpoints on the proxy from extranet
- KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
- Configure (or Disable) Windows Authentication in ASP.NET Core
- NTLMRecon: Tool for Enumerating NTLM Authentication Endpoints