Security Advisory
Microsoft Security Advisory 973811
Extended Protection for Authentication
Published: August 11, 2009 | Updated: January 08, 2013
Version: 1.14
Microsoft is announcing the availability of a new feature, Extended Protection for Authentication, on the Windows platform. This feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA).
The update itself does not directly provide protection against specific attacks such as credential forwarding, but allows applications to opt-in to Extended Protection for Authentication. This advisory briefs developers and system administrators on this new functionality and how it can be deployed to help protect authentication credentials.
Mitigating Factors:
- Applications that use session signing and encryption (such as remote procedure call (RPC) with privacy and integrity, or server message block (SMB) with signing enabled) are not affected by credential forwarding.
General Information
Overview
Purpose of Advisory: This advisory was released to announce to customers the release of a non-security update to make available a new feature, Extended Protection for Authentication, on the Windows platform.
Advisory Status: Advisory published.
Recommendation: Review the suggested actions and configure as appropriate.
References | Identification |
---|---|
Microsoft Knowledge Base Article | Microsoft Knowledge Base Article 973811 |
This advisory announces the release of this feature for the following platforms.
Frequently Asked Questions
What is the scope of the advisory?
Microsoft released this advisory to announce the release of a new feature, Extended Protection for Authentication, as an update to the Windows SSPI to help address credential forwarding.
Is this a security vulnerability that requires Microsoft to issue a security update?
No, this is not a security vulnerability that requires Microsoft to issue a security update. This feature requires optional configuration that some customers may choose to deploy. Enabling this feature is not appropriate for all customers. For more information about this feature and how to appropriately configure it, see Microsoft Knowledge Base Article 973811. This feature is already included in Windows 7 and Windows Server 2008 R2.
What is Extended Protection for Windows Authentication?
The update in Microsoft Knowledge Base Article 968389 modifies the SSPI in order to enhance the way Windows authentication works so that credentials are not easily forwarded when Integrated Windows Authentication (IWA) is enabled.
When Extended Protection for Authentication is enabled, authentication requests are bound to both the Service Principal Names (SPN) of the server the client attempts to connect to and to the outer Transport Layer Security (TLS) channel over which the IWA authentication takes place. This is a base update which enables applications to opt in to the new feature.
Future updates will modify individual system components that perform IWA authentication so the components use this protection mechanism. Customers must install both the Microsoft Knowledge Base Article 968389 update and the respective application-specific updates for the client applications and servers on which Extended Protection for Authentication needs to be activated. Upon installation, Extended Protection for Authentication is controlled on the client through the use of registry keys. On the server, configuration is specific to the application.
What other actions is Microsoft taking to implement this feature?
Changes must be made to the specific server and client applications which use Integrated Windows Authentication (IWA) to ensure they opt in to this new protection technology.
The updates released by Microsoft on August 11, 2009 are:
- Microsoft Knowledge Base Article 968389 implements Extended Protection for Authentication in the Windows Security Support Provider Interface (SSPI). This update allows applications to opt in to Extended Protection for Authentication.
- Microsoft Security Bulletin MS09-042 also contains a defense-in-depth, non-security update which enables the Telnet client and server to opt in to Extended Protection for Authentication.
The update released by Microsoft on October 13, 2009 is:
- Microsoft Security Bulletin MS09-054 contains a defense-in-depth, non-security update that enables WinINET to opt in to Extended Protection for Authentication.
The updates released by Microsoft on December 8, 2009 are:
- Microsoft Knowledge Base Article 971737 contains a non-security update that enables the Windows HTTP Services (WinHTTP) API to opt in to Extended Protection for Authentication.
- Microsoft Knowledge Base Article 970430 contains a non-security update that enables the HTTP Protocol Stack (http.sys) to opt in to Extended Protection for Authentication.
- Microsoft Knowledge Base Article 973917 contains a non-security update that enables Internet Information Services (IIS) to opt in to Extended Protection for Authentication. This update was rereleased on March 9, 2010. For more information, see Known issues in Microsoft Knowledge Base Article 973917.
The updates released by Microsoft on June 8, 2010 are:
- Microsoft Knowledge Base Article 982532 contains a non-security update that enables .NET Framework 2.0 Service Pack 2 on Windows Vista Service Pack 1 to opt in to Extended Protection for Authentication.
- Microsoft Knowledge Base Article 982533 contains a non-security update that enables .NET Framework 2.0 Service Pack 2 on Windows Vista Service Pack 2 to opt in to Extended Protection for Authentication.
- Microsoft Knowledge Base Article 982535 contains a non-security update that enables .NET Framework 2.0 Service Pack 2 + 3.0 Service Pack 2 on Windows Vista Service Pack 1 to opt in to Extended Protection for Authentication.
- Microsoft Knowledge Base Article 982536 contains a non-security update that enables .NET Framework 2.0 Service Pack 2 + 3.0 Service Pack 2 on Windows Vista Service Pack 2 to opt in to Extended Protection for Authentication.
- Microsoft Knowledge Base Article 982167 contains a non-security update that enables .NET Framework 2.0 Service Pack 2 on Windows XP and Windows Server 2003 to opt in to Extended Protection for Authentication.
- Microsoft Knowledge Base Article 982168 contains a non-security update that enables .NET Framework 2.0 Service Pack 2 + 3.0 Service Pack 2 on Windows XP and Windows Server 2003 to opt in to Extended Protection for Authentication.
The update released by Microsoft on September 14, 2010 is:
- Microsoft Knowledge Base Article 2141007 contains a non-security update that enables Outlook Express and Windows Mail to opt in to Extended Protection for Authentication.
The update released by Microsoft on October 12, 2010 is:
- Microsoft Knowledge Base Article 2345886 contains a non-security update that enables Windows Server Message Block (SMB) to opt in to Extended Protection for Authentication.
The update released by Microsoft on December 29, 2010 is:
- A new release of Microsoft Office Live Meeting Service Portal enables it to support Extended Protection for Authentication.
The update released by Microsoft on April 12, 2011 is:
- Microsoft Knowledge Base Article 2509470 contains a non-security update that enables Microsoft Outlook to opt in to Extended Protection for Authentication.
The Microsoft Fix it solutions released by Microsoft on January 8, 2013 are:
- Microsoft Knowledge Base Article 2793313 contains Microsoft Fix it solutions that set Windows XP and Windows Server 2003 systems to allow NTLMv2 only. Applying these Microsoft Fix it solutions enables NTLMv2 settings required for Windows XP and Windows Server 2003 users to take advantage of Extended Protection for Authentication.
Microsoft is planning to extend coverage by releasing future updates which will include additional Microsoft server and client applications into these protection mechanisms. This security advisory will be revised to contain updated information when such updates are released.
How can developers embed this protection technology in their applications?
Developers can find more information on how to use Extended Protection for Authentication technology in the following MSDN article, Integrated Windows Authentication with Extended Protection.
How do I enable this feature?
On the client, customers must implement the following registry key settings.
Detailed instructions on enabling this registry key can be found in Microsoft Knowledge Base Article 968389.
- Set the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\SuppressExtendedProtection to 0 to enable protection technology. By default, this key is set to 1 upon installation, disabling the protection.
- Set the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel to 3. This is not the default on Windows XP and Windows Server 2003. This is an existing key which enables NTLMv2 Authentication. Extended protection for Windows authentication only applies to the NTLMv2 and Kerberos authentication protocols and does not apply to NTLMv1. More information on enforcing NTLMv2 authentication and this key can be found in Microsoft Knowledge Base Article 239869.
On the server, Extended Protection for Authentication must be enabled on a per-service basis. The following overview shows how to enable Extended Protection for Authentication on the common protocols for which it is currently available:
Telnet (KB960859)
For Telnet, Extended Protection for Authentication can be enabled on the server by creating the DWORD registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\ExtendedProtection. The default value of this key is Legacy. Set the key to one of the following values:
- Legacy: by setting the DWORD value to 0, Extended Protection for Authentication will be disabled on the server and no connections, even those of updated and correctly-configured clients, will be protected against credential forwarding attacks.
- Allow Extended Protection: by setting the DWORD value to 1, the server will protect those client computers that have been configured to use the Extended Protection for Authentication mechanism against credential relaying attacks. Clients that have not been updated and correctly configured will not be protected.
- Require Extended Protection: by setting the DWORD value to 2, the server will require clients to support Extended Protection for Authentication or will otherwise refuse authentication. Clients that do not have extended protection enabled will fail to authenticate against the server.
Detailed instructions on creating this registry key can be found in Microsoft Knowledge Base Article 960859.
Internet Information Services (KB973917)
For Internet Information Services, Extended Protection for Authentication can be enabled on the server through use of the IIS Configuration Manager, or by directly editing the ApplicationHost.Config configuration file. Detailed information on how to configure IIS can be found in Microsoft Knowledge Base Article 973917.
What should I be aware of when deploying Extended Protection for Authentication?
Customers must install the update contained in Microsoft Knowledge Base Article 968389, install the respective application updates on client and server computers, and correctly configure both computers to use the protection mechanism in order to be protected against credential forwarding attacks.
When Extended Protection for Authentication is enabled on the client side, it is enabled for all applications using IWA. However, on the server it needs to be enabled on a per-application basis.
Why is this not a security update that is announced in a security bulletin?
This update implements a new feature which may not be appropriate for all customers to enable. It provides an additional security feature which customers may choose to deploy based on their specific scenario.
This is a security advisory about a non-security update. Isn’t that a contradiction?
Security advisories address security changes that may not require a security bulletin but may still affect customer’s overall security. Security advisories are a way for Microsoft to communicate security-related information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin, or about issues for which no security bulletin has been released. In this case, we are communicating the availability of an update that does not address a specific security vulnerability; rather, it addresses your overall security.
How is this update offered?
These updates are available on the Microsoft Download Center. Direct links to the updates for specific affected software are listed in the Affected Software table in the Overview section. For more information about the update and the changes to behavior, see Microsoft Knowledge Base Article 968389.
Is this update distributed on Automatic Update?
Yes. These updates are distributed over the Automatic Update mechanism.
What versions of Windows are associated with this advisory?
The feature addressed in this advisory is being made available for all platforms listed in the Affected Software summary. This feature is present in all releases of Windows 7 and Windows Server 2008 R2.
Is Microsoft aware of detailed information and tools for attacks against NTLMv1 (NT LAN Manager version 1) and LAN Manager (LM) network authentication?
Yes. Microsoft is aware of detailed information and tools for attacks against NTLMv1 (NT LAN Manager version 1) and LAN Manager (LM) network authentication. Improvements in computer hardware and software algorithms have made these protocols vulnerable to widely published attacks for obtaining user passwords. The information and available toolsets specifically target environments that do not enforce NTLMv2 authentication.
Detailed information about Threats and Countermeasures for Windows Network Security and the LAN Manager Authentication Level is available on Microsoft TechNet in the Threats and Countermeasures Guide.
Microsoft strongly encourages customers to evaluate their environments and keep their network authentication settings updated. Microsoft recommends that NTLMv2 be implemented and that settings be implemented to reduce or eliminate the use of NTLMv1 and LM network authentication.
Suggested Actions
Review the Microsoft Knowledge Base Article that is associated with this advisory
Customers who are interested in learning more about this feature should review Microsoft Knowledge Base Article 973811.Apply and enable the non-security updates listed in this security advisory
Customers should review the list of non-security and security updates that Microsoft has released as part of this security update, and where appropriate, implement and configure these mechanisms. The list of available updates can be found in the What other actions is Microsoft taking to implement this feature? entry in the Frequently Asked Questions section of this advisory.Apply the Microsoft Fix it solutions described in Microsoft Knowledge Base Article 2793313
Microsoft recommends that environments that have Windows XP and Windows Server 2003 allow NTLMv2 only. This can be done by setting the LAN Manager Authentication Level to 3 or higher. See Microsoft Knowledge Base Article 2793313 for more information and to use the automated Microsoft Fix it solutions that set these systems to allow NTLMv2 only. Applying these Microsoft Fix it solutions also enables NTLMv2 settings required for users to take advantage of Extended Protection for Authentication.Protect Your PC
We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer. For more information about staying safe on the Internet, customers should visit Microsoft Security Central.Keep Windows Updated
All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.
Workarounds
A number of workarounds exist which help protect systems against credential reflection or credential forwarding. Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Enable SMB signing
Enabling SMB signing on the server prevents the attacker from accessing the server in the context of the logged-on user. This helps protect against credentials being forwarded to the SMB service. Microsoft recommends using Group Policies to configure SMB signing.
For detailed instructions on using Group Policies to enable and disable SMB signing for Microsoft Windows 2000, Windows XP, and Windows Server 2003, see Microsoft Knowledge Base Article 887429. The instructions in Microsoft Knowledge Base Article 887429 for Windows XP and Windows Server 2003 also apply to Windows Vista and Windows Server 2008.
Impact of Workaround: Using SMB packet signing can degrade performance with SMBv1 on file service transactions. Computers that have this policy set will not communicate with computers that do not have client-side packet signing enabled. For more information on SMB signing and potential impacts, see the MSDN article, "Microsoft network server: Digitally sign communications (always)".
Other Information
Acknowledgments
Microsoft thanks the following for working with us to help protect customers:
- Mark Gamache of T-Mobile USA for working with us to help protect customers from attacks against NTLMv1 (NT LAN Manager version 1) and LAN Manager (LM) network authentication
Resources
- You can provide feedback by completing the form by visiting Microsoft Help and Support: Contact Us.
- Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.
- International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
- Microsoft TechNet Security provides additional information about security in Microsoft products.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
- V1.0 (August 11, 2009): Advisory published.
- V1.1 (October 14, 2009): Updated the FAQ with information about a non-security update included in MS09-054 relating to WinINET.
- V1.2 (December 8, 2009): Updated the FAQ with information about three non-security updates relating to Windows HTTP Services, HTTP Protocol Stack, and Internet Information Services.
- V1.3 (March 9, 2010): Updated the FAQ to announce the rerelease of the update that enables Internet Information Services to opt in to Extended Protection for Authentication. For more information, see Known issues in Microsoft Knowledge Base Article 973917.
- V1.4 (April 14, 2010): Updated the Suggested Actions section to direct customers to the "What other actions is Microsoft taking to implement this feature?" entry in the section, Frequently Asked Questions.
- V1.5 (June 8, 2010): Updated the FAQ with information about six non-security updates enabling .NET Framework to opt in to Extended Protection for Authentication.
- V1.6 (September 14, 2010): Updated the FAQ with information about a non-security update enabling Outlook Express and Windows Mail to opt in to Extended Protection for Authentication.
- V1.7 (October 12, 2010): Updated the FAQ with information about a non-security update enabling Windows Server Message Block (SMB) to opt in to Extended Protection for Authentication.
- V1.8 (December 14, 2010): Updated the FAQ with information about a non-security update enabling Microsoft Outlook to opt in to Extended Protection for Authentication.
- V1.9 (December 17, 2010): Removed the FAQ entry, originally added December 14, 2010, about a non-security update enabling Microsoft Outlook to opt in to Extended Protection for Authentication.
- V1.10 (January 11, 2011): Updated the FAQ with information about a new release enabling Microsoft Office Live Meeting Service Portal to opt in to Extended Protection for Authentication.
- V1.11 (January 12, 2011): Corrected the link to the release notes for Microsoft Office Live Meeting Service Portal in the FAQ.
- V1.12 (April 12, 2011): Updated the FAQ with information about a non-security update enabling Microsoft Outlook to opt in to Extended Protection for Authentication.
- V1.13 (October 31, 2012): Corrected the Mitigating Factors.
- V1.14 (January 8, 2013): Updated the FAQ and Suggested Actions with information about attacks against NTLMv1 (NT LAN Manager version 1) and LAN Manager (LM) network authentication. Microsoft Fix it solutions for Windows XP and Windows Server 2003 are available to help protect against these attacks. Applying these Microsoft Fix it solutions enables NTLMv2 settings required for users to take advantage of Extended Protection for Authentication.
Built at 2014-04-18T13:49:36Z-07:00