Executive Summary
Summary | |
---|---|
Title | Extended Protection for Authentication |
Information | |||
---|---|---|---|
Name | KB973811 | First vendor Publication | 2009-08-11 |
Vendor | Microsoft | Last vendor Modification | 2011-04-12 |
Severity (Vendor) | N/A | Revision | 1.1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : | |||
---|---|---|---|
Cvss Base Score | Not Defined | Attack Range | Not Defined |
Cvss Impact Score | Not Defined | Attack Complexity | Not Defined |
Cvss Exploit Score | Not Defined | Authentication | Not Defined |
Detail
Microsoft is announcing the availability of a new feature, Extended Protection for Authentication, on the Windows platform. This feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA). The update itself does not directly provide protection against specific attacks such as credential forwarding, but allows applications to opt in to Extended Protection for Authentication. This advisory briefs developers and system administrators on this new functionality and how it can be deployed to help protect authentication credentials.

Mitigating Factors:
General Information

Overview

Purpose of Advisory: This advisory was released to announce to customers the release of a non-security update to make available a new feature, Extended Protection for Authentication, on the Windows platform.

Advisory Status: Advisory published.

Recommendation: Review the suggested actions and configure as appropriate.
This advisory announces the release of this feature for the following platforms.
Frequently Asked Questions

What is the scope of the advisory?

Is this a security vulnerability that requires Microsoft to issue a security update?

What is Extended Protection for Windows Authentication?

When Extended Protection for Authentication is enabled, authentication requests are bound both to the Service Principal Name (SPN) of the server the client attempts to connect to and to the outer Transport Layer Security (TLS) channel over which the IWA authentication takes place. This is a base update which enables applications to opt in to the new feature. Future updates will modify the individual system components that perform IWA authentication so that those components use this protection mechanism. Customers must install both the Microsoft Knowledge Base Article 968389 update and the respective application-specific updates for the client applications and servers on which Extended Protection for Authentication needs to be activated. Once installed, Extended Protection for Authentication is controlled on the client through registry keys. On the server, configuration is specific to the application.

What other actions is Microsoft taking to implement this feature?

Changes must be made to the specific server and client applications which use Integrated Windows Authentication (IWA) to ensure they opt in to this new protection technology. The updates released by Microsoft on August 11, 2009 are:
The update released by Microsoft on October 13, 2009 is:
The updates released by Microsoft on December 8, 2009 are:
The updates released by Microsoft on June 8, 2010 are:
The update released by Microsoft on September 14, 2010 is:
The update released by Microsoft on October 12, 2010 is:
The update released by Microsoft on December 29, 2010 is:
The update released by Microsoft on April 12, 2011 is:
Microsoft is planning to extend coverage by releasing future updates which will bring additional Microsoft server and client applications into these protection mechanisms. This security advisory will be revised to contain updated information when such updates are released.

How can developers embed this protection technology in their applications?

Developers can find more information on how to use Extended Protection for Authentication technology in the MSDN article "Integrated Windows Authentication with Extended Protection".

How do I enable this feature?

On the client, customers must implement the following registry key settings. Detailed instructions on enabling this registry key can be found in Microsoft Knowledge Base Article 968389.
On the server, Extended Protection for Authentication must be enabled on a per-service basis. The following overview shows how to enable Extended Protection for Authentication on the common protocols for which it is currently available.

Telnet (KB960859)

For Telnet, Extended Protection for Authentication can be enabled on the server by creating the DWORD registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\ExtendedProtection. The default value of this key is Legacy. Set the key to one of the following values:
Detailed instructions on creating this registry key can be found in Microsoft Knowledge Base Article 960859.

Internet Information Services (KB973917)

For Internet Information Services, Extended Protection for Authentication can be enabled on the server through the IIS Configuration Manager, or by directly editing the ApplicationHost.Config configuration file. Detailed information on how to configure IIS can be found in Microsoft Knowledge Base Article 973917.

What should I be aware of when deploying Extended Protection for Authentication?

To be protected against credential forwarding attacks, customers must install the update contained in Microsoft Knowledge Base Article 968389, install the respective application updates on client and server computers, and correctly configure both computers to use the protection mechanism. When Extended Protection for Authentication is enabled on the client side, it is enabled for all applications using IWA. On the server, however, it must be enabled on a per-application basis.

Why is this not a security update that is announced in a security bulletin?

This is a security advisory about a non-security update. Isn't that a contradiction?

How is this update offered?

Is this update distributed on Automatic Update?

What versions of Windows are associated with this advisory?

Suggested Actions
Workarounds

A number of workarounds exist which help protect systems against credential reflection or credential forwarding. Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Enable SMB signing

Enabling SMB signing on the server prevents the attacker from accessing the server in the context of the logged-on user. This helps protect against credentials being forwarded to the SMB service. Microsoft recommends using Group Policy to configure SMB signing. For detailed instructions on using Group Policy to enable and disable SMB signing for Microsoft Windows 2000, Windows XP, and Windows Server 2003, see Microsoft Knowledge Base Article 887429. The instructions in Microsoft Knowledge Base Article 887429 for Windows XP and Windows Server 2003 also apply to Windows Vista and Windows Server 2008.

Impact of Workaround: Using SMB packet signing can degrade performance with SMBv1 on file service transactions. Computers that have this policy set will not communicate with computers that do not have client-side packet signing enabled. For more information on SMB signing and its potential impacts, see the MSDN article "Microsoft network server: Digitally sign communications (always)".
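As an added example (not code from the advisory or from Microsoft), the following read-only PowerShell audit reports on one host the three server-side settings discussed in the per-service configuration section and the SMB signing workaround: the Telnet ExtendedProtection key from KB960859, the IIS extendedProtection setting in applicationHost.config, and the SMB server signing policy behind the Group Policy setting named above. Only the Telnet key path comes from the advisory; the IIS element name and file location, the LanmanServer registry values, and the value meanings are assumptions from general Windows administration, not from this page.

```powershell
# Added audit example; paths and values marked ASSUMED are not on the advisory page.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-TelnetEpaStatus {
    # Key path from the advisory (KB960859). An absent value means the default, Legacy.
    $v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\TelnetServer\1.0' 'ExtendedProtection'
    if ($null -eq $v) { return 'Legacy (default: value not set)' }
    return "Configured (raw DWORD $v; compare with the value table in KB960859)"
}

function Get-IisEpaStatus {
    # ASSUMED: applicationHost.config lives under inetsrv\config and carries a
    # windowsAuthentication/extendedProtection element with a tokenChecking attribute.
    $cfg = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
    if (-not (Test-Path $cfg)) { return 'IIS not installed (applicationHost.config missing)' }
    [xml]$doc = Get-Content -Raw -Path $cfg
    $node = $doc.SelectSingleNode('//windowsAuthentication/extendedProtection')
    if ($null -eq $node) { return 'Not configured (IIS defaults apply)' }
    return "tokenChecking=$($node.GetAttribute('tokenChecking'))"
}

function Get-SmbServerSigningStatus {
    # ASSUMED: well-known registry values behind the policy
    # "Microsoft network server: Digitally sign communications (always)".
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $require = Get-RegValue $p 'RequireSecuritySignature'
    $enable  = Get-RegValue $p 'EnableSecuritySignature'
    if ($require -eq 1) { return 'Required (workaround in effect)' }
    if ($enable -eq 1)  { return 'Negotiated only: unsigned clients still accepted' }
    return 'Disabled'
}

# One summary object per host; pipe to Export-Csv when collecting fleet-wide.
[pscustomobject]@{
    ComputerName             = $env:COMPUTERNAME
    TelnetExtendedProtection = Get-TelnetEpaStatus
    IisExtendedProtection    = Get-IisEpaStatus
    SmbServerSigning         = Get-SmbServerSigningStatus
} | Format-List
```

Run it in an elevated session on each server you expect to have opted in; a host reporting Legacy, "Not configured" or "Disabled" has not applied the respective setting the advisory describes.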
Original Source
Url : http://www.microsoft.com/technet/security/advisory/973811.mspx
Alert History
Date | Information |
---|---|
2013-02-06 19:08:08 | |