Until it is determined whether this attack can be relayed via WebDAV (i.e., via HTTP through your firewall even if it's blocking SMB), I would also disable the "Web Client" service on your Exchange server. /cc @wdormann https://twitter.com/certcc/status/1089570070693642240 …
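The mitigation suggested in the tweet above, as an added example that is not part of the thread: check the state of the WebClient service (the WebDAV redirector, shown as "WebClient" in Services) on the Exchange server and disable it. It assumes it is run in an elevated PowerShell session on the Exchange server itself; the service name `WebClient` is the standard Windows name for this service.

```powershell
# Added example (not from the thread): inspect and disable the WebClient
# (WebDAV redirector) service, which the tweet above recommends turning off
# on Exchange servers while the WebDAV relay question is open.
# Assumes an elevated session on the Exchange server.
$svc = Get-Service -Name 'WebClient' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output "WebClient service is not installed on this host; nothing to do."
} else {
    Write-Output ("Before: status={0} starttype={1}" -f $svc.Status, $svc.StartType)
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name 'WebClient' -Force
    }
    # Disabled (not just Manual) so it cannot be started on demand by a UNC/WebDAV path lookup
    Set-Service -Name 'WebClient' -StartupType Disabled
    Get-Service -Name 'WebClient' | Select-Object Name, Status, StartType
}
```

Re-run `Get-Service -Name WebClient` after a reboot to confirm the start type stayed Disabled; Group Policy or configuration management can re-enable it, so record the change where those settings are managed.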
Replying to @mkolsek
What's the scenario that you're looking to protect against here? One where a firewall exists between the attacker and the Exchange server, but there isn't one between the attacker and the Domain Controller?
IMO, the problem is because Exchange 2013 and later don't sign/seal the NTLM authentication request from the Exchange server. This allows an attacker to relay the request without needing to know the credentials of the Exchange server account.
Exchange 2013 and later don't sign the NTLM request that goes out over HTTP. Exchange 2010 *does* sign that request, and is therefore not affected. Why the change? Nobody knows.