PKI Spotlight Feature
Real-Time Detection Of PetitPotam (CVE-2021-36942) Vulnerability

Why does it matter?

PKI Spotlight automatically checks whether your MS ADCS environment is vulnerable to the PetitPotam NTLM relay attack (CVE-2021-36942), which could allow an attacker to completely take over an Active Directory Forest.

PKI Spotlight will monitor and alert when:

  • NTLM authentication is allowed by the host and by the Certificate Authority Web Enrollment website in IIS

OR when any of the following conditions exist:

  • Extended Protection for Authentication (EPA) for Certificate Authority Web Enrollment is disabled
  • Extended Protection for Authentication (EPA) for Certificate Enrollment Web Service is disabled
  • The Certificate Authority Web Enrollment website in IIS is configured to accept non-TLS connections (HTTP rather than HTTPS)
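
The IIS-side conditions listed above, evaluated against a constructed applicationHost.config fragment. This is an added example, not PKI Spotlight's own code; the location paths (`ExampleCA_CES_Kerberos` in particular) and the function names are assumptions, and the host-level NTLM policy is not visible in this file.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment; the location paths are assumed names.
SAMPLE_CONFIG = """<configuration>
  <location path="Default Web Site/CertSrv"><system.webServer><security>
    <access sslFlags="None" />
    <authentication><windowsAuthentication enabled="true">
      <providers><add value="Negotiate" /><add value="NTLM" /></providers>
      <extendedProtection tokenChecking="None" />
    </windowsAuthentication></authentication>
  </security></system.webServer></location>
  <location path="Default Web Site/ExampleCA_CES_Kerberos"><system.webServer><security>
    <access sslFlags="Ssl" />
    <authentication><windowsAuthentication enabled="true">
      <providers><add value="Negotiate:Kerberos" /></providers>
      <extendedProtection tokenChecking="Require" />
    </windowsAuthentication></authentication>
  </security></system.webServer></location>
</configuration>"""


def audit_location(loc):
    """Return the alert conditions listed above that hold for one <location>."""
    findings = []
    auth = loc.find(".//windowsAuthentication")
    if auth is not None and auth.get("enabled", "false").lower() == "true":
        providers = {p.get("value", "").lower() for p in auth.iterfind("providers/add")}
        if "ntlm" in providers:
            findings.append("NTLM provider enabled")
        epa = auth.find("extendedProtection")
        # A missing element or attribute is treated as tokenChecking="None" (EPA off).
        token = epa.get("tokenChecking", "None") if epa is not None else "None"
        if token.lower() == "none":
            findings.append("EPA disabled")
    access = loc.find(".//access")
    flags = access.get("sslFlags", "None") if access is not None else "None"
    if "ssl" not in {f.strip().lower() for f in flags.split(",")}:
        findings.append("TLS not required")
    return findings


def audit_config(xml_text):
    """Map each <location path> in the config text to its list of findings."""
    root = ET.fromstring(xml_text)
    return {loc.get("path"): audit_location(loc) for loc in root.iter("location")}


for path, findings in audit_config(SAMPLE_CONFIG).items():
    print(path, "->", findings or "no findings")
```

Settings inherited from the server level do not appear inside a `<location>` block, so an audit of a real server also has to read the server-wide defaults.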

In addition, PKI Spotlight will provide Best Practice Recommendations on:

  • Settings for the Web.config file created by the Certificate Enrollment Web Service (CES) role
  • How to disable NTLM authentication on Domain Controllers 
  • How to disable NTLM on any ADCS Servers using group policy
Nick Sirikulbut