NTLM Relay Attack Prevention: A Checklist for Active Directory Security

NT LAN Manager (NTLM) relay attacks represent a persistent threat to organizations that rely on Active Directory (AD) for identity management and access control. These attacks exploit weaknesses in the NTLM authentication protocol, allowing attackers to impersonate legitimate users and gain unauthorized access to sensitive resources within the AD environment. This article provides IT specialists, system administrators, and security professionals with a practical checklist for preventing and remediating NTLM relay attacks.

Understanding NTLM Relay Attacks and Their Impact

What is NTLM, and Why is it Still Used?

NT LAN Manager is an older challenge-response authentication protocol developed by Microsoft. Designed for compatibility purposes, NTLM remains in use within some organizations, particularly for legacy systems or applications that may not support newer and more secure protocols like Kerberos.

NTLM's Vulnerabilities and the NTLM Relay Attack

While NTLM facilitated easier network authentication in the past, it inherently lacks crucial security features compared to modern alternatives.

A significant shortcoming of NTLM is its susceptibility to man-in-the-middle attacks, including NTLM relay attacks. NTLM messages are not inherently encrypted, and the protocol lacks mutual authentication, which means that it doesn’t verify the server’s identity during the authentication exchange. This vulnerability creates an opening for attackers to intercept the communication flow and relay stolen credentials to gain unauthorized access.

Here’s a simplified breakdown of the NTLM relay attack process:

  1. Interception: The attacker takes a position within the network to intercept authentication traffic between a client and a server. Techniques like ARP spoofing can be used to achieve this.
  2. Relay: The attacker captures the NTLM authentication request containing the user’s credentials. Instead of the intended server, the attacker redirects these credentials to a different server the attacker controls.
  3. Credential Misuse: The compromised server receives the relayed credentials and, unaware that they have been modified, processes them as if they were a legitimate request from the original client. The attacker can then exploit this access to perform unauthorized actions such as stealing data or elevating privileges.

The Impact of NTLM Relay Attacks on Active Directory

The consequences of an NTLM relay attack can be particularly severe in Active Directory environments. Here’s why:
  • Privilege Escalation: Attackers can leverage stolen credentials to elevate their privileges within the domain, gaining access to highly sensitive resources and potentially compromising the entire AD infrastructure.
  • Lateral Movement: Once inside the network, attackers can exploit compromised accounts to move laterally across different systems, expanding their reach and increasing the potential damage.
  • Data Exfiltration: With access to user credentials or compromised systems, attackers can steal sensitive data stored within the Active Directory environment.
Real-world examples like the PetitPotam exploit highlight the dangers of NTLM relay attacks. PetitPotam is a particularly insidious example because it targets Windows servers, forcing them to share their credentials. Attackers can then relay these stolen credentials to gain unauthorized access to sensitive systems, such as those handling authentication certificates. This demonstrates why NTLM relay attacks are so dangerous, especially when they exploit other vulnerabilities within a network.

The NTLM Relay Attack Prevention Checklist

Implementing the following steps will significantly enhance your organization’s protection against NTLM relay attacks. These measures can create robust, multi-layered protection for your Active Directory environment.

Step 1: Phase Out NTLM in Favor of Kerberos

Kerberos is a more robust and secure authentication protocol that effectively mitigates the vulnerabilities NTLM presents. Wherever possible, transition systems and applications away from NTLM to Kerberos as the primary authentication method.

Step 2: Enforce SMB Signing and EPA

Server Message Block (SMB) signing and Extended Protection for Authentication (EPA) add countermeasures that prevent attackers from intercepting and relaying NTLM authentication messages. Enforcing these protections across your network is a crucial defense.

Step 3: Data Extraction

Strategic network segmentation can hinder an attacker’s ability to move laterally within your environment, even if an initial NTLM relay attack is successful. By segregating critical assets and employing access controls, you can contain potential breaches and minimize damage. Cayosoft Guardian provides the in-depth Active Directory visibility necessary to make informed network segmentation decisions. It maps dependencies and identifies potential attack paths, enabling you to isolate high-value assets.

Step 4: Safeguard Privileged Accounts

Attackers often target privileged accounts in NTLM relay attacks because they unlock the most extensive access within the AD environment. Implementing the following specific safeguards is essential:
  • Use the Protected Users Group: This security group is useful for adding restrictions and protections for high-risk accounts.
  • Employ Strict Privilege Management: Enforce the principle of least privilege. Regularly audit accounts with elevated permissions and revoke unnecessary privileges.

Cayosoft Administrator can automate group memberships, update them when changes occur, and prevent inappropriate membership with rules and restrictive groups.

Step 5: Educate Users and Emphasize Password Hygiene

Users remain a prime target for attackers seeking to initiate NTLM relay attacks. Educate users on common cyber threats and tactics, and enforce strong password practices in these areas:
  • Password Complexity: Institute complex password requirements, and promote the use of a password manager.
  • Reuse Prevention: Discourage the reuse of passwords across different accounts and services.
  • Awareness Training: Educate users about phishing attacks, social engineering techniques, and the importance of reporting suspicious activity.

Detecting NTLM Relay Attacks

While the checklist above provides crucial security measures, it’s equally important to have robust detection capabilities. Should an NTLM relay attack slip through preventative defenses, the following strategies can help you identify it quickly:
  • Traffic Pattern Analysis: Monitor for unusual spikes in NTLM authentication traffic or unexpected authentication attempts from specific hosts. Look for sessions where a single source IP address authenticates to multiple systems in a short timeframe.
  • ARP Poisoning and Spoofing Detection: NTLM relay attacks often rely on techniques like ARP poisoning and network spoofing. Implement tools to identify these tactics, such as looking for changes in ARP tables or duplicate MAC addresses.
  • Intrusion Detection Systems (IDS): Configure IDS rules to detect the signatures of known NTLM relay attacks and associated tools. Alert on traffic patterns that could indicate a relay, such as authentication requests to unusual services or from unexpected machines.
  • Advanced Threat Analytics: Use behavioral analytics tools to identify patterns indicative of lateral movement, privilege escalation, or the use of compromised credentials, all of which can signify a successful relay attack.

Cayosoft Guardian performs threat scans specifically for NTLM relay vulnerability and actively monitors for changes being made that introduce the vulnerability or are taking advantage of the vulnerability.

Protect Active Directory from NTLM Relay Attacks with Cayosoft

NTLM relay attacks continue to evolve, posing a threat to Active Directory environments. By following the information in this article, organizations can substantially increase their resilience against these attacks. A multi-layered defense strategy that combines technical safeguards with proactive monitoring is essential. Partnering with a specialized Active Directory security solution like Cayosoft provides the visibility and advanced tools to protect your organization’s most critical asset: its identity infrastructure.


It’s impossible to guarantee complete prevention of all NTLM relay attacks, but organizations can dramatically reduce their risk by implementing a comprehensive defense strategy. This involves employing the mitigation steps outlined in the checklist above, staying informed about emerging attack methods, and using specialized Active Directory monitoring tools like Cayosoft.

Any Active Directory environment that still utilizes the NTLM protocol has some degree of vulnerability. The risk increases for organizations with legacy systems, outdated configurations, poorly managed privileges, or a lack of user awareness.

Detecting NTLM relay attacks in real time can be challenging. However, these signs might suggest that an attack is underway or has occurred:

  • Unusual authentication patterns from specific accounts (e.g., failed login attempts followed by successful access from a different location).
  • Unexpected activity from privileged accounts.
  • Authentication requests from systems that typically don’t use NTLM.

The first step is to gain visibility into your NTLM usage. Tools like Cayosoft Administrator can provide a detailed map of where NTLM is still present in your environment. This information allows you to strategically prioritize mitigation efforts, such as phasing out NTLM and enforcing security protocols like SMB signing.

Your Active Directory Could Be Vulnerable

Schedule a demo to learn more about how Cayosoft Guardian can protect your Active Directory from NTLM relay attacks.

Check out these relevant resources.

New Survey Finds...

Active Directory forest recovery not taken serious enough. See what else your peers had to say.