Real-Time Detection Of PetitPotam (CVE-2021-36942) Vulnerability

PKI Spotlight in Action

Real-Time Detection Of PetitPotam (CVE-2021-36942) Vulnerability

Why does it matter?

PKI Spotlight automatically checks if your MS ADCS environment is vulnerable to the PetitPotam NTLM relay attack (CVE- 2021-36942) which could allow an attacker to completely take over an Active Directory Forest.

PKI Spotlight will monitor and alert when:

• NTLM authentication is allowed by the host and by Certificate Authority Web Enrollment website in IIS

OR when any of the following conditions exist:

• Extended Protection for Authentication (EPA) for Certificate Authority Web Enrollment is disabled
• Extended Protection for Authentication (EPA) for Certificate Enrollment Web Service is disabled
• The Certificate Authority Web Enrollment website in IIS is configured to accept non-TLS connections (HTTP vs HTTPS)

In addition, PKI Spotlight will provide Best Practice Recommendations on:

• Settings for Web.config file created by the Certificate Enrollment Web Service (CES) role
• How to disable NTLM authentication on Domain Controllers
• How to disable NTLM on any ADCS Servers using group policy