Microsoft Security Advisory 2871997

Update to Improve Credentials Protection and Management

Published: May 13, 2014 | Updated: February 9, 2016

Version: 5.0

General Information

Executive Summary

Microsoft is announcing the availability of updates for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 that improve credential protection and domain authentication controls to reduce credential theft.

Recommendation. Microsoft recommends that customers apply these updates immediately using update management software, or by checking for updates using the Microsoft Update service. These updates can be installed in any order.

  • On May 13, 2014, Microsoft released the 2871997 update for supported editions of Windows 8, Windows RT, Windows Server 2012, Windows 7, and Windows Server 2008 R2 that improves credential protection and domain authentication controls to reduce credential theft. This update provides additional protection for the Local Security Authority (LSA), adds a restricted admin mode for Credential Security Support Provider (CredSSP), introduces support for the protected account-restricted domain user category, and enforces stricter authentication policies for Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 machines as clients. For more information about this update, including download links, see Microsoft Knowledge Base Article 2871997.

Note: Supported editions of Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 already include these features and do not need the 2871997 update.

  • On July 8, 2014, Microsoft released the 2973351 update for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT, and for supported editions of Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 that have the 2919355 (Windows 8.1 Update) update installed. Microsoft released the 2975625 update for supported editions of Windows 8.1 and Windows Server 2012 R2 that do not have the 2919355 (Windows 8.1 Update) update installed. The update provides configurable registry settings for managing the Restricted Admin mode for Credential Security Support Provider (CredSSP). For more information about this update, including download links, see Microsoft Knowledge Base Article 2973351 and Microsoft Knowledge Base Article 2975625.

Note: This update changes the default Restricted Admin mode behavior on Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. See the Advisory FAQ section for details.

  • On September 9, 2014, Microsoft released the 2982378 update for supported editions of Windows 7 and Windows Server 2008 R2. The update adds additional protection for users’ credentials when logging on to a Windows 7 or Windows Server 2008 R2 system by ensuring that credentials are cleaned up immediately instead of waiting until a Kerberos TGT (Ticket Granting Ticket) has been obtained. For more information about this update, including download links, see Microsoft Knowledge Base Article 2982378.


  • On October 14, 2014, Microsoft released the following updates. The applicable updates add a restricted admin mode for Remote Desktop Connection and Remote Desktop Protocol:

    • 2984972 for supported editions of Windows 7 and Windows Server 2008 R2
    • 2984976 for supported editions of Windows 7 and Windows Server 2008 R2 that have update 2592687 (Remote Desktop Protocol (RDP) 8.0 update) installed. Customers who install update 2984976 must also install update 2984972.
    • 2984981 for supported editions of Windows 7 and Windows Server 2008 R2 that have update 2830477 (Remote Desktop Connection (RDC) 8.1 client update) installed. Customers who install update 2984981 must also install update 2984972.
    • 2973501 for supported editions of Windows 8, Windows Server 2012, and Windows RT.

Note: Supported editions of Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 already include this feature and do not need these updates.

  • On February 9, 2016, Microsoft released update 3126593 for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows RT, and Windows Server 2012. The update turns on the Restricted Admin mode for Credential Security Support Provider (CredSSP) by default and forces a user's logon session to be cleared at logoff. For more information about this update, see Microsoft Knowledge Base Article 3126593.

Applicable Software

This advisory discusses the following software.

Operating System
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2012
Windows Server 2012 R2
Windows RT
Windows RT 8.1
Server Core installation option
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2 (Server Core installation)


Advisory FAQ

What is the scope of the advisory? 
The purpose of this advisory is to notify customers that updates are available for Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 that provide additional protection and management for credentials.

What systems are primarily at risk from credential theft? 
Enterprise environments where Windows domains are deployed are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

For update 2973351 and update 2975625 are there any changes to functionality?
Yes. The default behavior for Restricted Admin mode has changed on Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. Restricted Admin mode is now turned off by default; if you want to use this functionality, then you will need to re-enable it after installing update 2973351 or 2975625. Previously, Restricted Admin mode was on by default. For information about how to enable Restricted Admin mode, see Microsoft Knowledge Base Article 2973351 or Microsoft Knowledge Base Article 2975625.

Update 2973351 does not change the default behavior on supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, or Windows RT. Restricted Admin mode is off by default on these operating systems.

Do updates 2973351 or 2975625 replace update 2871997? 
No. Update 2871997 is required to install either update 2973351 or 2975625. These updates provide configurable registry settings for the Restricted Admin mode that was added when you installed update 2871997.

There are multiple updates listed for Windows 8.1 and Windows Server 2012 R2. Do I need to install all the updates? 
No. Depending on how your system is configured to receive updates, only one of the updates for Windows 8.1 or Windows Server 2012 R2 will apply.

For systems running Windows 8.1 or Windows Server 2012 R2:

Update 2973351 is for systems that already have the 2919355 (Windows 8.1 Update) update installed.

Update 2975625 is for systems without the 2919355 update installed. Note that the 2975625 update is only available to customers who manage updates with Windows Server Update Services (WSUS), Windows Intune, or System Center Configuration Manager.

For Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1, are there any prerequisites for the 2973351 update?
Yes. Customers running Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1 must first install the 2919355 (Windows 8.1 Update) update released in April, 2014 before installing the 2973351 update. For more information about the prerequisite update, see Microsoft Knowledge Base Article 2919355.

Do I need to install all of the security updates that have been released for this advisory? 
Yes. Customers should apply all updates offered for the software installed on their system to get all of the credential protection features.

What are the expected deployment scenarios?
While these changes will improve credential protection on all systems they are most useful in an enterprise environment where Windows domains are deployed. Some of these changes are dependent on features available in a Windows Server 2012 R2-based domain, and other changes are useful in all enterprise environments.

What is Local Security Authority Subsystem Service (LSASS)?
Local Security Authority Subsystem Service (LSASS) provides an interface for managing local security, domain authentication, and Active Directory processes. It handles authentication for the client and for the server. It also contains features that are used to support Active Directory utilities.

What is the Local Security Authority (LSA)?
The Local Security Authority (LSA), which runs inside the Local Security Authority Subsystem Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies.

What does this update do? 
This update enhances credential protection and domain authentication controls to reduce credential theft by making improvements in four areas:

  • Restricted Admin mode for Credential Security Support Provider (CredSSP)

    Applications can be written to use this change in order to connect to a remote server without transmitting credentials to the host server. This prevents your credentials from being harvested during the initial connection process if the server has been compromised.

    When the host verifies that the user account connecting to it has administrator rights and supports Restricted Admin mode, the connection succeeds. Otherwise, the connection attempt fails. Restricted Admin mode does not at any point send plain text or other re-usable forms of credentials to remote computers.

    Two registry values manage Restricted Admin mode. DisableRestrictedAdmin turns the mode on or off. When the mode is on, DisableRestrictedAdminOutboundCreds controls whether a user who is connected to the system over Remote Desktop in Restricted Admin mode can automatically authenticate to remote resources using the local machine account.

  • Credential cleanup in LSA 

    This feature reduces the attack surface of domain credentials held in the LSA. The changes are:

    • Prevent network logon and remote interactive logon to a domain-joined machine using local accounts.
    • Restrict the logon credential cache to the lifetime of the logon session.
    • Restrict the cache of credentials supplied to Kerberos, NTLM, Digest, and CredSSP.
    • Restrict the Kerberos cache of plain text passwords.
    • Do not cache logon credentials in CredSSP unless Credentials Delegation policy allows it.
    • Restrict the use of logon credentials for Digest authentication.

  • Protected Users security group

    This feature adds support for the Protected Users security group that was introduced in Windows 8.1 and Windows Server 2012 R2. This support is applicable to domain member machines in a Windows Server 2012 R2-based domain.

    Members of the Protected Users group are limited further by the following methods of authentication:

    • A member of the Protected Users group can only sign in using the Kerberos protocol. The account cannot authenticate using NTLM, Digest Authentication, or CredSSP. On a device running Windows 8, the passwords of such accounts are not cached, so any attempt to authenticate to the domain through one of these Security Support Providers (SSPs) fails when the account is a member of the Protected Users group.
    • The Kerberos protocol will not use the weaker DES or RC4 encryption types in the pre-authentication process. This means that the domain must be configured to support at least the AES cipher suite.
    • The user's account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that connections to other systems that previously worked may fail once the user is a member of the Protected Users group.
  • Restricted Admin mode for Remote Desktop Connection

    This feature brings to Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 the Restricted Admin mode for Remote Desktop Connection and Remote Desktop Protocol that was introduced in Windows 8.1 and Windows Server 2012 R2.

    • Restricted Admin mode provides a method of interactively logging on to a remote host server without transmitting your credentials to the server. This prevents your credentials from being harvested during the initial connection process if the server has been compromised.
    • Using this mode with administrator credentials, the remote desktop client attempts to interactively logon to a host that also supports this mode without sending credentials. When the host verifies that the user account connecting to it has administrator rights and supports Restricted Admin mode, the connection succeeds. Otherwise, the connection attempt fails. Restricted Admin mode does not at any point send plain text or other re-usable forms of credentials to remote computers.
    • For more information, see What's New in Remote Desktop Services in Windows Server.
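The registry values described under "Restricted Admin mode for Credential Security Support Provider (CredSSP)" can be audited and set from PowerShell. The script below is an added example; it is not part of the advisory and not Microsoft tooling. It assumes the two values live under the LSA key named below (the location documented in KB 2973351), that 1 means "disable" and 0 means "enable", and that an absent value means the operating system default. The hostname in the client command is a placeholder.

```powershell
# Added example (not from the advisory or from Microsoft tooling): audit and set
# the two Restricted Admin registry values that update 2973351 introduced.
# Assumptions: the values live under the LSA key below (documented in KB 2973351),
# 1 means "disable" and 0 means "enable", and an absent value means the OS default
# (off before update 3126593 on Windows 7/8/2008 R2/2012, on after it). Run elevated.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function ConvertTo-FlagText {
    param($Value, [string]$WhenZero, [string]$WhenOne)
    if ($null -eq $Value)  { return 'OS default (value not set)' }
    if ([int]$Value -eq 0) { return $WhenZero }
    return $WhenOne
}

function Get-RestrictedAdminState {
    $props = Get-ItemProperty -Path $LsaKey
    [pscustomobject]@{
        RestrictedAdminMode = ConvertTo-FlagText $props.DisableRestrictedAdmin 'enabled' 'disabled'
        OutboundCredentials = ConvertTo-FlagText $props.DisableRestrictedAdminOutboundCreds `
                                  'allowed (session authenticates onward as the machine account)' `
                                  'blocked'
    }
}

function Set-RestrictedAdminState {
    param(
        [Parameter(Mandatory)][bool]$Enabled,
        [bool]$BlockOutboundCreds = $true
    )
    # DisableRestrictedAdmin: 0 turns the mode on, 1 turns it off.
    Set-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin `
        -Value ([int](-not $Enabled)) -Type DWord
    # DisableRestrictedAdminOutboundCreds: 1 stops a Restricted Admin session from
    # authenticating to other hosts with this machine's account; 0 allows it.
    Set-ItemProperty -Path $LsaKey -Name DisableRestrictedAdminOutboundCreds `
        -Value ([int]$BlockOutboundCreds) -Type DWord
    Get-RestrictedAdminState
}

# Usage: enable the mode on this RDP host, keep its machine account from
# authenticating onward, and show the resulting state.
Set-RestrictedAdminState -Enabled $true -BlockOutboundCreds $true

# Client side, from the administrator's workstation (hostname is a placeholder):
#   mstsc.exe /RestrictedAdmin /v:server01.example.internal
```

Blocking outbound credentials is the conservative choice: in a Restricted Admin session the host reaches other systems as its own machine account, so leaving that open lets a compromised host use its identity against the rest of the network. One trade-off to weigh before enabling the mode on a server: because the host never receives reusable credentials, the client never has to present a password either, so a Restricted Admin connection can be completed by a client that holds only the account's NTLM hash.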
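The restrictions listed under "Protected Users security group" are the things that break when an account is added to the group, so it is worth checking an account against them first. The script below is an added example, not part of the advisory. It assumes the standard Active Directory attribute names, that the msDS-SupportedEncryptionTypes bit values follow [MS-KILE] (DES-CRC=1, DES-MD5=2, RC4=4, AES128=8, AES256=16) with an unset value meaning RC4 only, and that an account carrying SPNs is a service account (Microsoft's guidance is not to put service or computer accounts in Protected Users). The pure check runs on constructed sample objects; the live wrapper needs the ActiveDirectory module and a Windows Server 2012 R2-based domain, as the advisory states.

```powershell
# Added example (not from the advisory): pre-check an account before adding it to
# Protected Users, flagging what the advisory says stops working for members:
# NTLM/Digest/CredSSP authentication, DES/RC4 Kerberos keys, and delegation.
# Assumptions: standard AD attribute names; msDS-SupportedEncryptionTypes bits per
# [MS-KILE] (DES-CRC=1, DES-MD5=2, RC4=4, AES128=8, AES256=16), unset = RC4 only;
# accounts carrying SPNs are treated as service accounts.

$AesBits = 0x18   # AES128 | AES256

function Test-ProtectedUsersCandidate {
    param([Parameter(Mandatory)]$User)   # any object exposing the properties read below
    $issues = @()

    $enc = if ($null -eq $User.SupportedEncryptionTypes) { 4 } else { [int]$User.SupportedEncryptionTypes }
    if (($enc -band $AesBits) -eq 0) {
        $issues += 'no AES Kerberos keys: pre-authentication fails once DES/RC4 are refused'
    }
    if ($User.TrustedForDelegation) {
        $issues += 'trusted for unconstrained delegation, which Protected Users blocks'
    }
    if (@($User.AllowedToDelegateTo).Count -gt 0) {
        $issues += 'has constrained delegation targets, which Protected Users blocks'
    }
    if (@($User.ServicePrincipalNames).Count -gt 0) {
        $issues += 'carries SPNs (service account): NTLM and delegation consumers of it will break'
    }

    [pscustomobject]@{
        Name   = $User.Name
        Ready  = ($issues.Count -eq 0)
        Issues = $issues
    }
}

function Get-ProtectedUsersReadiness {
    # Live wrapper (assumption: ActiveDirectory module present, 2012 R2 or later domain).
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    $mode = "$((Get-ADDomain).DomainMode)"
    if ($mode -match '^Windows(2000|2003|2008|2008R2|2012)Domain$') {
        throw "Domain functional level $mode is below Windows Server 2012 R2; Protected Users support requires a 2012 R2-based domain"
    }
    foreach ($name in $SamAccountName) {
        $u = Get-ADUser -Identity $name -Properties 'msDS-SupportedEncryptionTypes',
                'msDS-AllowedToDelegateTo', servicePrincipalName, TrustedForDelegation
        Test-ProtectedUsersCandidate ([pscustomobject]@{
            Name                     = $u.SamAccountName
            SupportedEncryptionTypes = $u.'msDS-SupportedEncryptionTypes'
            AllowedToDelegateTo      = $u.'msDS-AllowedToDelegateTo'
            ServicePrincipalNames    = $u.servicePrincipalName
            TrustedForDelegation     = $u.TrustedForDelegation
        })
    }
}

# Constructed sample input so the check runs without a domain (names are placeholders):
$sample = @(
    [pscustomobject]@{ Name = 'alice.admin'; SupportedEncryptionTypes = 0x18; AllowedToDelegateTo = @();
                       ServicePrincipalNames = @(); TrustedForDelegation = $false }
    [pscustomobject]@{ Name = 'svc-sql'; SupportedEncryptionTypes = $null; AllowedToDelegateTo = @('cifs/fs01');
                       ServicePrincipalNames = @('MSSQLSvc/db01.example.internal:1433'); TrustedForDelegation = $false }
)
$sample | ForEach-Object { Test-ProtectedUsersCandidate $_ } | Format-List
```

The first sample account passes; the second is flagged on all three counts, which is the typical profile of a service account that should stay out of the group. Run the live wrapper against the intended members before the change rather than after, since a member that fails Kerberos pre-authentication has no NTLM fallback to hide the problem.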

Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (May 13, 2014): Advisory published.
  • V2.0 (July 8, 2014): Rereleased advisory to announce the release of updates 2973351 and 2975625 to provide further control over the Restricted Admin settings. Depending on the software installed on their system, customers should apply either 2973351 or 2975625 immediately. See Updates Related to this Advisory and Advisory FAQ for details.
  • V3.0 (September 9, 2014): Rereleased advisory to announce the release of update 2982378 to provide additional protection for users’ credentials when logging on to a Windows 7 or Windows Server 2008 R2 system. See Updates Related to this Advisory for details.
  • V4.0 (October 14, 2014): Rereleased advisory to announce the release of updates that provide additional protection for users’ credentials when logging on to a remote host server. See Updates Related to this Advisory and Advisory FAQ for details.
  • V5.0 (February 9, 2016): Rereleased advisory to announce the release of update 3126593 to enable the Restricted Admin mode for Credential Security Support Provider (CredSSP) by default. See Updates Related to this Advisory for details.

Page generated 2016-02-04 14:22Z-08:00.