You can take the following steps to mitigate the threat in a vulnerable environment. These steps can have side effects, so test them thoroughly and make sure administrators know what behavior to expect in their environment after implementation. We always recommend applying vendor patches and security updates to address threats.
Microsoft has provided the following mitigation strategies, which can reduce the risk of WebDAV-based attacks until the updated versions can be applied.
Customers can disable the WebClient service running on their organization's machines, similar to the recommendation below of blocking TCP/445 traffic.
NOTE: This recommendation blocks all WebDAV connections, including intranet, which might impact your users or applications.
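The WebClient step above can be audited, applied and rolled back from an elevated PowerShell session. The script below is an added example, not Microsoft's own tooling; the function names are this example's own, and it assumes the WebClient service is present (on Windows Server it is only installed with the Desktop Experience feature). The practical caveat it captures: WebClient is a trigger-started service, so stopping it alone is not enough, because Explorer relaunches it the next time a UNC or WebDAV path is touched; the start type must be set to Disabled.

```powershell
# Added example (not from the original advisory): inspect, disable and
# restore the WebClient (WebDAV redirector) service. Run elevated.

function Get-WebClientState {
    # Returns the current status and start type so the change can be audited.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Status = 'NotInstalled'; StartType = $null }
    }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Status    = $svc.Status
        StartType = $svc.StartType
    }
}

function Disable-WebClientService {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Record the state first so it can be reported and rolled back later.
    $before = Get-WebClientState
    Write-Verbose ("Before: {0} / {1}" -f $before.Status, $before.StartType)
    if ($before.Status -eq 'NotInstalled') { return $before }

    if ($PSCmdlet.ShouldProcess('WebClient', 'Stop and set StartupType=Disabled')) {
        # Stopping alone is not enough: WebClient is trigger-started and Explorer
        # will relaunch it the next time a UNC/WebDAV path is touched, so the
        # start type itself has to be Disabled.
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
    }
    Get-WebClientState
}

function Enable-WebClientService {
    # Rollback: restore the default start type on client SKUs (Manual, trigger start).
    Set-Service -Name WebClient -StartupType Manual
    Get-WebClientState
}

# Example run: dry run first, then apply and show the resulting state.
Disable-WebClientService -WhatIf
Disable-WebClientService -Verbose | Format-Table -AutoSize
```

For fleet-wide deployment the same start-type change is normally pushed through Group Policy (System Services) or a configuration management tool rather than run per machine; the functions above are still useful for verifying that the policy actually took effect on a given host.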
The following mitigating factors might be helpful in your situation:
- Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM. Consider using it for high-value accounts, such as Domain Admins, when possible.
NOTE: This action might impact applications that require NTLM, but the effect reverts once the user is removed from the Protected Users group. See Protected Users Security Group for more information.
- Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This action prevents the transmission of NTLM authentication messages to remote file shares.
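The two list items above (Protected Users membership and an outbound TCP 445 block) can both be applied and verified from PowerShell. The following is an added example rather than Microsoft's own code: it assumes an elevated session, the ActiveDirectory RSAT module and sufficient domain rights for the group change, and the function names, the firewall rule display name and the account name `jdoe` are this example's own. The firewall function defaults to the Windows Firewall `Internet` address keyword so that intranet file shares keep working; pass `Any` to block all outbound SMB, which matches the stricter reading of the recommendation.

```powershell
# Added example (not from the original advisory): apply and verify the
# Protected Users and outbound-SMB mitigations. Run elevated.

function Add-ToProtectedUsers {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $group   = Get-ADGroup -Identity 'Protected Users'
    $already = (Get-ADGroupMember -Identity $group).SamAccountName
    foreach ($sam in $SamAccountName) {
        if ($already -contains $sam) {
            Write-Host "$sam is already a member of Protected Users"
            continue
        }
        # Membership stops the account from authenticating with NTLM; removing
        # the user from the group reverses the effect.
        Add-ADGroupMember -Identity $group -Members $sam
        Write-Host "Added $sam to Protected Users"
    }
    # Return the final membership for the change record.
    Get-ADGroupMember -Identity $group | Select-Object SamAccountName, objectClass
}

function Block-OutboundSmb {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 'Internet' is a Windows Firewall address keyword resolved via Network
        # Location Awareness; use 'Any' to block intranet SMB as well.
        [string]$RemoteAddress = 'Internet'
    )
    $name = 'Block outbound SMB (TCP 445) - NTLM leak mitigation'   # rule name chosen for this example
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$name' already exists"
    }
    elseif ($PSCmdlet.ShouldProcess($name, 'Create outbound block rule')) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress $RemoteAddress -Action Block -Profile Any |
            Out-Null
    }
    # Verify the port filter; block rules take precedence over allow rules,
    # so no further ordering is needed.
    Get-NetFirewallRule -DisplayName $name |
        Get-NetFirewallPortFilter | Select-Object Protocol, RemotePort
}

# Example run (jdoe is a constructed account name):
Add-ToProtectedUsers -SamAccountName 'jdoe'
Block-OutboundSmb -WhatIf
Block-OutboundSmb
```

The local rule complements, rather than replaces, the perimeter and VPN blocks the list item calls for: a laptop off the corporate network is only covered by its own host firewall, which is why the rule is created for all profiles.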