1. Introduction
Nessus can obtain information about a host by examining the NTLM SSP message exchanged during authentication over HTTP. When an HTTP server offers NTLM (Windows) authentication, the CHALLENGE (Type 2) message it returns to any client that starts the handshake carries the server's NetBIOS and DNS computer and domain names. No credentials are needed to obtain it, so an attacker can use those names to map internal infrastructure and choose targets for further attacks. Windows hosts serving HTTP with NTLM authentication enabled are affected; IIS sites with the NTLM provider are the common case. The impact is information disclosure affecting confidentiality; no code execution or authentication bypass follows from it directly.
2. Technical Explanation
The NTLM handshake runs inside the HTTP WWW-Authenticate and Authorization headers. A client sends a NEGOTIATE (Type 1) message; the server answers with a CHALLENGE (Type 2) message that contains, besides the 8-byte server challenge, a TargetName and a TargetInfo block of AV_PAIR entries: NetBIOS computer name, NetBIOS domain name, DNS computer name, DNS domain name, DNS forest (tree) name and a timestamp (MS-NLMP sections 2.2.1.2 and 2.2.2.1). The server sends this before the client has proven anything, so it is available to anyone who can reach the endpoint, either by sending a Type 1 message directly or by capturing a legitimate user's exchange on an unencrypted connection. There is no CVE: this is documented protocol behaviour combined with an exposure decision, not a software flaw. For example (hypothetical names), an unauthenticated request to an intranet site that answers 401 with WWW-Authenticate: NTLM <base64> reveals that the site runs on host WEB01 in domain CORP (corp.example.com), even though the page content itself was never returned.
- Root cause: the NTLM CHALLENGE message carries the server's NetBIOS and DNS host and domain names in its TargetInfo field, and is handed to unauthenticated clients.
- Exploit mechanism: an attacker sends an HTTP request with Authorization: NTLM <base64 Type 1 token> and decodes the Type 2 token in the 401 response, or passively captures the same exchange from a real user on plain HTTP.
- Scope: any HTTP endpoint that offers NTLM, over HTTP or HTTPS. TLS hides the exchange from passive capture but does not stop a client that initiates the handshake itself.
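The exchange described above, as an added example that is not code from the original page or from Tenable: a Python script that builds the Type 1 token a scanner sends, parses a Type 2 challenge and lists the names it discloses. It is also the decoding step the Detection section's quick check needs once the WWW-Authenticate value is in hand. The challenge, the server challenge bytes and the names CORP, WEB01 and corp.example.com are all constructed here for the demonstration; message layouts follow MS-NLMP 2.2.1.1, 2.2.1.2 and 2.2.2.1.

```python
"""NTLMSSP NEGOTIATE/CHALLENGE handling for the network-name disclosure check.

Added example, not code from the original page or from Tenable. Layouts follow
MS-NLMP 2.2.1.1 (NEGOTIATE), 2.2.1.2 (CHALLENGE) and 2.2.2.1 (AV_PAIR). Every
name, challenge value and header below is constructed for the demonstration.
"""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_ALWAYS_SIGN = 0x00008000
NEGOTIATE_TARGET_INFO = 0x00800000

# AV_PAIR ids (MS-NLMP 2.2.2.1) that carry the names a scanner reports
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName"}
AV_EOL, AV_TIMESTAMP = 0, 7


def build_negotiate() -> bytes:
    """Type 1 message a client or scanner sends to elicit the challenge.

    Domain and workstation fields are empty (offset 32 = end of the fixed part);
    no credentials are involved at this stage."""
    flags = NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM | NEGOTIATE_ALWAYS_SIGN
    return SIGNATURE + struct.pack("<II", 1, flags) + struct.pack("<HHI", 0, 0, 32) * 2


def build_challenge(target: str, names: dict) -> bytes:
    """Constructed Type 2 message in the shape a Windows server returns.

    `names` maps AV_PAIR id -> string. The fixed part is 48 bytes when the
    optional Version field is absent, so the payload starts at offset 48."""
    flags = NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM | NEGOTIATE_TARGET_INFO
    target_name = target.encode("utf-16-le")
    info = b""
    for av_id, text in names.items():
        value = text.encode("utf-16-le")
        info += struct.pack("<HH", av_id, len(value)) + value
    info += struct.pack("<HH", AV_EOL, 0)
    return (SIGNATURE + struct.pack("<I", 2)
            + struct.pack("<HHI", len(target_name), len(target_name), 48)
            + struct.pack("<I", flags)
            + bytes.fromhex("0123456789abcdef")      # server challenge (constructed)
            + b"\x00" * 8                            # Reserved
            + struct.pack("<HHI", len(info), len(info), 48 + len(target_name))
            + target_name + info)


def parse_challenge(data: bytes) -> dict:
    """Extract TargetName and the TargetInfo names from a Type 2 message."""
    if len(data) < 48 or data[:8] != SIGNATURE or struct.unpack_from("<I", data, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE message")
    tn_len, _, tn_off = struct.unpack_from("<HHI", data, 12)
    flags = struct.unpack_from("<I", data, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", data, 40)
    text = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    found = {"TargetName": data[tn_off:tn_off + tn_len].decode(text), "flags": flags}
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:                            # walk AV_PAIRs until MsvAvEOL
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == AV_EOL:
            break
        value = data[pos:pos + av_len]
        pos += av_len
        if av_id in AV_NAMES:
            found[AV_NAMES[av_id]] = value.decode("utf-16-le")
        elif av_id == AV_TIMESTAMP and av_len == 8:  # FILETIME, also leaks server clock
            found["Timestamp"] = struct.unpack("<Q", value)[0]
    return found


def parse_www_authenticate(header_value: str) -> dict:
    """Decode the 'NTLM <base64>' value of a 401's WWW-Authenticate header.

    A 'Negotiate <token>' value may wrap NTLMSSP inside SPNEGO; such a token
    lacks the NTLMSSP signature and is rejected here rather than mis-parsed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() not in ("NTLM", "NEGOTIATE") or not token:
        raise ValueError("header carries no NTLMSSP token")
    return parse_challenge(base64.b64decode(token))


# Constructed sample: what a server might return to build_negotiate()
SAMPLE_NAMES = {2: "CORP", 1: "WEB01", 4: "corp.example.com",
                3: "web01.corp.example.com", 5: "corp.example.com"}
SAMPLE_HEADER = "NTLM " + base64.b64encode(build_challenge("CORP", SAMPLE_NAMES)).decode()

if __name__ == "__main__":
    print("Authorization: NTLM", base64.b64encode(build_negotiate()).decode())
    for key, val in parse_www_authenticate(SAMPLE_HEADER).items():
        print(f"{key}: {val}")
```

Against a live server, send the printed Authorization header in a GET and pass the 401's WWW-Authenticate value to parse_www_authenticate; the parser deliberately refuses anything without the NTLMSSP signature so an SPNEGO-wrapped Negotiate token is reported rather than misread.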
3. Detection and Assessment
To confirm exposure, check whether the server offers NTLM and what its challenge reveals. The quickest check is an unauthenticated HTTP request: a 401 whose WWW-Authenticate header lists NTLM (or Negotiate, which accepts NTLM tokens) shows the provider is enabled; sending a Type 1 token and decoding the Type 2 reply shows exactly which names leak. A capture of a real user's authentication confirms the same thing on the wire.
- Quick checks: run curl -s -I http://host/ and look for WWW-Authenticate: NTLM or Negotiate in the response headers; then send a Type 1 token in an Authorization header and decode the challenge that comes back, which is what the scanner does.
- Scanning: a Nessus vulnerability scan identifies this issue; treat it as an information-disclosure finding rather than an exploitable flaw.
- Logs and evidence: in a Wireshark capture, the display filter ntlmssp.messagetype == 0x00000002 isolates CHALLENGE messages, and the dissector shows the TargetInfo names in the clear. The tshark equivalent below captures on a named interface (eth0 is a placeholder) and keeps only port 80 traffic.
tshark -i eth0 -f "tcp port 80" -Y "ntlmssp.messagetype == 0x00000002"
4. Solution / Remediation Steps
The primary solution is to stop offering NTLM on HTTP endpoints at all. Serving the same endpoint over HTTPS is still worth doing, because it prevents passive capture and relay of a user's exchange, but it is not a fix for this finding: the server still hands the challenge, names included, to any client that starts an NTLM handshake inside the TLS connection. The names stop leaking only when NTLM is no longer offered: remove the NTLM provider so that Windows authentication is Negotiate (Kerberos) only, limit reachability of Windows-authenticated endpoints to trusted networks, and enforce NTLM restrictions through Group Policy (Network security: Restrict NTLM: Incoming NTLM traffic) where the environment allows. Where NTLM must remain, document the exposure and accept the finding as informational.
4.1 Preparation
- Ensure a rollback plan is in place by keeping the original configuration files. A change window may be needed for service restarts.
4.2 Implementation
- Step 1: Remove NTLM from the Windows Authentication providers of each IIS site, leaving Negotiate, or disable Windows Authentication on endpoints that do not need it. With Negotiate alone, SPNEGO can still fall back to NTLM for clients that cannot obtain a Kerberos ticket; IIS accepts the provider value Negotiate:Kerberos to refuse that fallback (confirm support on your IIS version before relying on it).
- Step 2: Serve every endpoint that still uses Windows authentication over HTTPS only, so the exchange cannot be captured or relayed by a passive observer. This protects the user's exchange; it does not remove the disclosure by itself.
- Step 3: Move applications to Kerberos: register SPNs for the service accounts, make sure clients reach the service by a name that matches the SPN (not an IP address) and can contact a domain controller, and only then drop NTLM.
4.3 Config or Code Example
Before
# Allow NTLM over HTTP (example IIS configuration, windowsAuthentication element in web.config or applicationHost.config)
<windowsAuthentication enabled="true" />  <!-- no providers listed: IIS offers the default Negotiate and NTLM -->
After
# Disable NTLM over HTTP (example IIS configuration)
<windowsAuthentication enabled="false" />  <!-- turns off Windows authentication for the site; to keep Kerberos, leave it enabled and list only the Negotiate provider -->
4.4 Security Practices Relevant to This Vulnerability
Several security practices limit this issue and what can follow from it. Least privilege reduces the damage an attacker can do with the names, and any credentials, obtained from NTLM traffic, while secure defaults ensure a new site never offers NTLM unless someone chooses to.
- Practice 1: Apply least privilege to the service accounts and users behind Windows-authenticated sites, so that knowing host and domain names, or capturing a weak NTLM exchange, yields as little as possible.
- Practice 2: Enforce secure defaults: new sites get Negotiate only, HTTPS only, and NTLM is an explicit, documented exception.
4.5 Automation (Optional)
# PowerShell example to remove the NTLM provider from IIS Windows Authentication on a list
# of servers, leaving Negotiate (Kerberos) in place. Requires elevated privileges, PowerShell
# remoting, and the WebAdministration module on each target.
foreach ($server in @("Server1", "Server2")) {
    Invoke-Command -ComputerName $server -ScriptBlock {
        Import-Module WebAdministration
        $filter = "system.webServer/security/authentication/windowsAuthentication/providers"
        # Server-wide applicationHost.config; use -PSPath "IIS:\Sites\<site name>" to scope to one site
        Remove-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Filter $filter -Name "." -AtElement @{value = "NTLM"}
        Restart-Service W3SVC  # IIS picks the change up on its own; the restart drops already-negotiated sessions
    }
}
5. Verification / Validation
Confirm the fix by verifying that the server no longer offers NTLM and no longer answers a Type 1 token with a challenge. Re-run the unauthenticated request, the network capture and the scanner.
- Post-fix check: curl -s -I https://host/ must show WWW-Authenticate: Negotiate only, with no NTLM line, and a request carrying Authorization: NTLM <Type 1 token> must not receive an NTLMSSP Type 2 token back.
- Re-test: run the Nessus scan again and verify the finding is no longer reported.
- Smoke test: domain-joined users must still sign in over HTTPS via Kerberos, and clients without a Kerberos ticket must fail cleanly rather than fall back to NTLM.
- Monitoring: keep capturing on port 80 for NTLMSSP messages, and enable NTLM auditing (Network security: Restrict NTLM: Audit Incoming NTLM Traffic); the Microsoft-Windows-NTLM/Operational event log then records any remaining NTLM authentication on the server.
tshark -i eth0 -f "tcp port 80" -Y "ntlmssp"  # should print nothing once NTLM over HTTP is gone (eth0 is a placeholder)
6. Preventive Measures and Monitoring
Update security baselines to include disabling NTLM over HTTP, and integrate checks into CI/CD pipelines to prevent insecure configurations.
- Baselines: Update your security baseline or policy (e.g., CIS control) to explicitly prohibit NTLM authentication over HTTP.
- Pipelines: Add a check in your CI/CD pipeline that rejects web.config and applicationHost.config files whose windowsAuthentication providers collection contains <add value="NTLM" />, or that enable Windows authentication on a site with no HTTPS binding.
- Asset and patch process: Review system configurations regularly to ensure compliance with security policies.
7. Risks, Side Effects, and Roll Back
- Risks: Removing NTLM breaks clients that cannot use Kerberos: non-domain-joined machines, browsers reaching the site by IP address or by a name with no matching SPN, and users on networks with no path to a domain controller. Stage the change per site and watch for 401 loops.
- Roll back: Re-add the NTLM provider (or reverse the configuration changes made in section 4.2) on the affected site, then restart the World Wide Web Publishing Service (W3SVC).
8. References and Resources
- Vendor advisory or bulletin: Microsoft NTLM Authentication Security Considerations
- NVD or CVE entry: Not applicable – configuration issue.
- Product or platform documentation relevant to the fix: IIS NTLM Authentication Configuration