Microsoft Security Advisory (974926)
Credential Relaying Attacks on Integrated Windows Authentication
This advisory addresses the potential for attacks that affect the handling of credentials using Integrated Windows Authentication (IWA), and the mechanisms Microsoft has made available for customers to help protect against these attacks.
In these attacks, an attacker who is able to obtain the user's authentication credentials while they are being transferred between a client and a server would be able to reflect these credentials back to a service running on the client, or forward them to another server on which the client has a valid account. This would allow the attacker to gain access to these resources, impersonating the client. Since IWA credentials are hashed, an attacker cannot use this to ascertain the actual username and password.
Depending on the scenario and the use of additional attack vectors, an attacker may be able to obtain authentication credentials both inside and outside of the organization’s security perimeter and utilize them to gain inappropriate access to resources.
Microsoft is addressing the potential impact of these issues at different levels and wants to make customers aware of the tools that have been made available to address these issues, and the impact of using these tools. This advisory contains information on the different actions Microsoft has taken to improve protection of IWA authentication credentials, and how customers can deploy these safeguards.
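The reflect and forward cases described above can be looked for in logon records. The following is an added detection example, not part of the advisory or any Microsoft tooling: it flags network logons where the workstation name stated during authentication does not match the address the connection came from. The record format, field names, host names, addresses and inventory are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory: workstation name -> addresses it is expected to use.
INVENTORY = {"CLIENT1": {"10.0.0.21"}, "CLIENT2": {"10.0.0.22"}, "FILESRV": {"10.0.0.5"}}

# Constructed logon records (hypothetical key=value format, not a real Windows log layout).
SAMPLE = """\
host=FILESRV user=alice wks=CLIENT1 src=10.0.0.21
host=FILESRV user=alice wks=CLIENT1 src=10.0.0.99
host=CLIENT2 user=bob wks=CLIENT2 src=10.0.0.99
host=FILESRV user=carol wks=LAPTOP7 src=10.0.0.40
"""

@dataclass(frozen=True)
class Logon:
    host: str         # machine that accepted the network logon
    user: str
    workstation: str  # name the client stated during authentication
    source_ip: str    # address the connection arrived from

def parse(line):
    f = dict(pair.split("=", 1) for pair in line.split())
    return Logon(f["host"].upper(), f["user"], f["wks"].upper(), f["src"])

def classify(ev, inventory=INVENTORY):
    expected = inventory.get(ev.workstation)
    if expected is None:
        return "unknown-workstation"   # cannot judge; review separately
    if ev.source_ip in expected:
        return "ok"
    # Credentials produced by one machine arrived from somewhere else.
    if ev.workstation == ev.host:
        return "possible-reflection"   # sent back to the machine that produced them
    return "possible-forwarding"       # passed on to a different server

def findings(text=SAMPLE):
    out = []
    for line in text.strip().splitlines():
        ev = parse(line)
        verdict = classify(ev)
        if verdict != "ok":
            out.append((ev.host, ev.user, ev.source_ip, verdict))
    return out

if __name__ == "__main__":
    for row in findings():
        print(*row)
```

Address translation, proxies and changing DHCP leases also produce mismatches, so a flagged record is a lead for review and not proof of relaying.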
- In order to relay credentials, an attacker would need to successfully leverage another vulnerability to execute a man-in-the-middle attack, or to convince the victim, using social engineering, to connect to a server under the attacker's control, for instance by sending a link in a malicious e-mail message.
- Internet Explorer does not automatically send credentials using HTTP to servers hosted in the Internet zone. This reduces the risk that credentials can be forwarded or reflected by an attacker within this zone.
- Inbound traffic must be allowed to the client system for a reflection attack to succeed. The most common attack vector is SMB, as it allows IWA authentication. Hosts behind a firewall that blocks SMB traffic, or hosts that block SMB traffic on a host firewall, are not vulnerable to the most common NTLM reflection attacks, which target SMB.
- You can provide feedback by completing the form at Microsoft Help and Support: Contact Us.
- Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.
- International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
- Microsoft TechNet Security provides additional information about security in Microsoft products.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (December 8, 2009): Advisory published.