Executive Summary

Summary
Title: Extended Protection for Authentication

Information
Name: KB973811
Vendor: Microsoft
Severity (Vendor): N/A
First vendor Publication: 2009-08-11
Last vendor Modification: 2011-04-12
Revision: 1.1

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA (Base, Environmental, Impact Sub Score, Temporal and Exploitability Sub Score: NA)

Security-Database Scoring CVSS v2

CVSS vector: not defined
Base Score, Impact Score, Exploit Score, Attack Range, Attack Complexity and Authentication: Not Defined

Detail

Microsoft is announcing the availability of a new feature, Extended Protection for Authentication, on the Windows platform. This feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA).

The update itself does not directly provide protection against specific attacks such as credential forwarding, but allows applications to opt-in to Extended Protection for Authentication. This advisory briefs developers and system administrators on this new functionality and how it can be deployed to help protect authentication credentials.

Mitigating Factors:

  • Internet Explorer will never send credentials automatically to servers hosted in the Internet zone. This reduces the risk that credentials can be forwarded by an attacker within this zone.
  • Applications that use session signing and encryption (such as remote procedure call (RPC) with privacy and integrity, or server message block (SMB) with signing enabled) are not affected by credential forwarding.

General Information

Overview

Purpose of Advisory: This advisory was released to announce to customers the release of a non-security update to make available a new feature, Extended Protection for Authentication, on the Windows platform.

Advisory Status: Advisory published.

Recommendation: Review the suggested actions and configure as appropriate.

References / Identification
Microsoft Knowledge Base Article: Microsoft Knowledge Base Article 973811

This advisory announces the release of this feature for the following platforms.

Affected Software

  • Windows XP Service Pack 2 and Windows XP Service Pack 3
  • Windows XP for x64-based Systems Service Pack 2 and Windows XP for x64-based Systems Service Pack 3
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 for x64-based Systems Service Pack 2
  • Windows Server 2003 for Itanium-based Systems and Windows Server 2003 for Itanium-based Systems Service Pack 2
  • Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
  • Windows Vista for x64-based Systems, Windows Vista for x64-based Systems Service Pack 1, and Windows Vista for x64-based Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

Non-Affected Software

  • Windows 7 for 32-bit Systems
  • Windows 7 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for Itanium-based Systems

Frequently Asked Questions

What is the scope of the advisory?
Microsoft released this advisory to announce the release of a new feature, Extended Protection for Authentication, as an update to the Windows SSPI to help address credential forwarding.

Is this a security vulnerability that requires Microsoft to issue a security update?
No, this is not a security vulnerability that requires Microsoft to issue a security update. This feature requires optional configuration that some customers may choose to deploy. Enabling this feature is not appropriate for all customers. For more information about this feature and how to appropriately configure it, see Microsoft Knowledge Base Article 973811. This feature is already included in Windows 7 and Windows Server 2008 R2.

What is Extended Protection for Windows Authentication?
The update in Microsoft Knowledge Base Article 968389 modifies the SSPI in order to enhance the way Windows authentication works so that credentials are not easily forwarded when Integrated Windows Authentication (IWA) is enabled.

When Extended Protection for Authentication is enabled, authentication requests are bound both to the Service Principal Name (SPN) of the server the client attempts to connect to and to the outer Transport Layer Security (TLS) channel over which the IWA authentication takes place. This is a base update which enables applications to opt in to the new feature.

Future updates will modify individual system components that perform IWA authentication so the components use this protection mechanism. Customers must install both the Microsoft Knowledge Base Article 968389 update and the respective application-specific updates for the client applications and servers on which Extended Protection for Authentication needs to be activated. Upon installation, Extended Protection for Authentication is controlled on the client through the use of registry keys. On the server, configuration is specific to the application.

What other actions is Microsoft taking to implement this feature?

Changes must be made to the specific server and client applications which use Integrated Windows Authentication (IWA) to ensure they opt in to this new protection technology.

The updates released by Microsoft on August 11, 2009 are:

  • Microsoft Knowledge Base Article 968389 implements Extended Protection for Authentication in the Windows Security Support Provider Interface (SSPI). This update allows applications to opt in to Extended Protection for Authentication.
  • Microsoft Security Bulletin MS09-042 also contains a defense-in-depth, non-security update which enables the Telnet client and server to opt in to Extended Protection for Authentication.

The update released by Microsoft on October 13, 2009 is:

  • Microsoft Security Bulletin MS09-054 contains a defense-in-depth, non-security update that enables WinINET to opt in to Extended Protection for Authentication.

The updates released by Microsoft on December 8, 2009 are:

  • Microsoft Knowledge Base Article 971737 contains a non-security update that enables the Windows HTTP Services (WinHTTP) API to opt in to Extended Protection for Authentication.
  • Microsoft Knowledge Base Article 970430 contains a non-security update that enables the HTTP Protocol Stack (http.sys) to opt in to Extended Protection for Authentication.
  • Microsoft Knowledge Base Article 973917 contains a non-security update that enables Internet Information Services (IIS) to opt in to Extended Protection for Authentication. This update was rereleased on March 9, 2010. For more information, see Known issues in Microsoft Knowledge Base Article 973917.

The updates released by Microsoft on June 8, 2010 are:

  • Microsoft Knowledge Base Article 982532 contains a non-security update that enables .NET Framework 2.0 Service Pack 2 on Windows Vista Service Pack 1 to opt in to Extended Protection for Authentication.
  • Microsoft Knowledge Base Article 982533 contains a non-security update that enables .NET Framework 2.0 Service Pack 2 on Windows Vista Service Pack 2 to opt in to Extended Protection for Authentication.
  • Microsoft Knowledge Base Article 982535 contains a non-security update that enables .NET Framework 2.0 Service Pack 2 + 3.0 Service Pack 2 on Windows Vista Service Pack 1 to opt in to Extended Protection for Authentication.
  • Microsoft Knowledge Base Article 982536 contains a non-security update that enables .NET Framework 2.0 Service Pack 2 + 3.0 Service Pack 2 on Windows Vista Service Pack 2 to opt in to Extended Protection for Authentication.
  • Microsoft Knowledge Base Article 982167 contains a non-security update that enables .NET Framework 2.0 Service Pack 2 on Windows XP and Windows Server 2003 to opt in to Extended Protection for Authentication.
  • Microsoft Knowledge Base Article 982168 contains a non-security update that enables .NET Framework 2.0 Service Pack 2 + 3.0 Service Pack 2 on Windows XP and Windows Server 2003 to opt in to Extended Protection for Authentication.

The update released by Microsoft on September 14, 2010 is:

  • Microsoft Knowledge Base Article 2141007 contains a non-security update that enables Outlook Express and Windows Mail to opt in to Extended Protection for Authentication.

The update released by Microsoft on October 12, 2010 is:

  • Microsoft Knowledge Base Article 2345886 contains a non-security update that enables Windows Server Message Block (SMB) to opt in to Extended Protection for Authentication.

The update released by Microsoft on December 29, 2010 is:

  • A new release of Microsoft Office Live Meeting Service Portal enables it to support Extended Protection for Authentication.

The update released by Microsoft on April 12, 2011 is:

  • Microsoft Knowledge Base Article 2509470 contains a non-security update that enables Microsoft Outlook to opt in to Extended Protection for Authentication.

Microsoft plans to extend coverage by releasing future updates that bring additional Microsoft server and client applications into these protection mechanisms. This security advisory will be revised with updated information when such updates are released.

How can developers embed this protection technology in their applications?

Developers can find more information on how to use Extended Protection for Authentication technology in the following MSDN article, Integrated Windows Authentication with Extended Protection.

How do I enable this feature?

On the client, customers must implement the following registry key settings.

Detailed instructions on enabling this registry key can be found in Microsoft Knowledge Base Article 968389.

  • Set the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\SuppressExtendedProtection to 0 to enable protection technology. By default, this key is set to 1 upon installation, disabling the protection.
  • Set the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel to 3. This is not the default on Windows XP and Windows Server 2003. This is an existing key which enables NTLMv2 Authentication. Extended protection for Windows authentication only applies to the NTLMv2 and Kerberos authentication protocols and does not apply to NTLMv1.

    More information on enforcing NTLMv2 authentication and this key can be found in Microsoft Knowledge Base Article 239869.

On the server, Extended Protection for Authentication must be enabled on a per-service basis. The following overview shows how to enable Extended Protection for Authentication on the common protocols for which it is currently available:

Telnet (KB960859)

For Telnet, Extended Protection for Authentication can be enabled on the server by creating the DWORD registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\ExtendedProtection. The default value of this key is Legacy. Set the key to one of the following values:

  • Legacy: by setting the DWORD value to 0, Extended Protection for Authentication will be disabled on the server and no connections, even those of updated and correctly-configured clients, will be protected against credential forwarding attacks.
  • Allow Extended Protection: by setting the DWORD value to 1, the server will protect those client computers that have been configured to use the Extended Protection for Authentication mechanism against credential relaying attacks. Clients that have not been updated and correctly configured will not be protected.
  • Require Extended Protection: by setting the DWORD value to 2, the server will require clients to support Extended Protection for Authentication or will otherwise refuse authentication. Clients that do not have extended protection enabled will fail to authenticate against the server.

Detailed instructions on creating this registry key can be found in Microsoft Knowledge Base Article 960859.
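An added example, not part of the advisory or of any Microsoft tooling: a read-only PowerShell audit of the client registry values described above (SuppressExtendedProtection and LmCompatibilityLevel) and of the Telnet server's ExtendedProtection value, reporting whether each is at the setting the advisory calls for. It assumes it runs on a machine that has the KB968389 base update installed; key paths and values are the ones quoted in the advisory, and the note that LmCompatibilityLevel 4 and 5 also send only NTLMv2 is general Windows behaviour, not something the advisory states.

```powershell
# Added example (not from the advisory): audit the Extended Protection for
# Authentication settings named in this advisory on the client and, where the
# Telnet server key exists, on the server side as well.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (treated as "not set").
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-ExtendedProtectionClient {
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $suppress = Get-RegDword $lsa 'SuppressExtendedProtection'
    $lmLevel  = Get-RegDword $lsa 'LmCompatibilityLevel'

    # Advisory: SuppressExtendedProtection must be 0; the update installs it as 1 (off).
    $epaOn = ($suppress -eq 0)
    # Advisory: LmCompatibilityLevel must be 3 (NTLMv2 only). Levels 4 and 5 also
    # send only NTLMv2 (known Windows behaviour, not stated in the advisory).
    $ntlmv2 = ($null -ne $lmLevel -and [int]$lmLevel -ge 3)

    [pscustomobject]@{
        SuppressExtendedProtection = $suppress
        LmCompatibilityLevel       = $lmLevel
        ExtendedProtectionEnabled  = $epaOn
        NtlmV2Enforced             = $ntlmv2
        ClientProtected            = ($epaOn -and $ntlmv2)
    }
}

function Test-ExtendedProtectionTelnetServer {
    $value = Get-RegDword 'HKLM:\SOFTWARE\Microsoft\TelnetServer\1.0' 'ExtendedProtection'
    # A missing value behaves as Legacy (0), the default the advisory describes.
    $effective = if ($null -eq $value) { 0 } else { [int]$value }
    $mode = switch ($effective) {
        1       { 'Allow Extended Protection' }
        2       { 'Require Extended Protection' }
        default { 'Legacy' }
    }
    [pscustomobject]@{
        ExtendedProtection     = $effective
        Mode                   = $mode
        # Allow and Require protect opted-in clients; only Require rejects the rest.
        ProtectsOptedInClients = ($effective -eq 1 -or $effective -eq 2)
        RejectsLegacyClients   = ($effective -eq 2)
    }
}

Test-ExtendedProtectionClient       | Format-List
Test-ExtendedProtectionTelnetServer | Format-List
```

Run it on a client after the KB968389 update and on a Telnet server after KB960859; a ClientProtected or ProtectsOptedInClients value of False points at the specific key that still needs changing.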

Internet Information Services (KB973917)

For Internet Information Services, Extended Protection for Authentication can be enabled on the server through the IIS Configuration Manager, or by directly editing the ApplicationHost.config configuration file. Detailed information on how to configure IIS can be found in Microsoft Knowledge Base Article 973917.

What should I be aware of when deploying Extended Protection for Authentication?

Customers must install the update contained in Microsoft Knowledge Base Article 968389, install the respective application updates on client and server computers, and correctly configure both computers to use the protection mechanism in order to be protected against credential forwarding attacks.

When Extended Protection for Authentication is enabled on the client side, it is enabled for all applications using IWA. However, on the server it needs to be enabled on a per-application basis.

Why is this not a security update that is announced in a security bulletin?
This update implements a new feature which may not be appropriate for all customers to enable. It provides an additional security feature which customers may choose to deploy based on their specific scenario.

This is a security advisory about a non-security update. Isn't that a contradiction?
Security advisories address security changes that may not require a security bulletin but may still affect customers' overall security. Security advisories are a way for Microsoft to communicate security-related information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin, or about issues for which no security bulletin has been released. In this case, we are communicating the availability of an update that does not address a specific security vulnerability; rather, it addresses your overall security.

How is this update offered?
These updates are available on the Microsoft Download Center. Direct links to the updates for specific affected software are listed in the Affected Software table in the Overview section. For more information about the update and the changes to behavior, see Microsoft Knowledge Base Article 968389.

Is this update distributed on Automatic Update?
Yes. These updates are distributed over the Automatic Update mechanism.

What versions of Windows are associated with this advisory?
The feature addressed in this advisory is being made available for all platforms listed in the Affected Software summary. This feature is present in all releases of Windows 7 and Windows Server 2008 R2.

Suggested Actions

  • Review the Microsoft Knowledge Base Article that is associated with this advisory

    Customers who are interested in learning more about this feature should review Microsoft Knowledge Base Article 973811.

  • Apply and enable the non-security updates listed in this security advisory

    Customers should review the list of non-security and security updates that Microsoft has released as part of this security update, and where appropriate, implement and configure these mechanisms. The list of available updates can be found in the What other actions is Microsoft taking to implement this feature? entry in the Frequently Asked Questions section of this advisory.

  • Protect Your PC

    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer.

    For more information about staying safe on the Internet, customers should visit Microsoft Security Central.

  • Keep Windows Updated

    All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Workarounds

A number of workarounds exist which help protect systems against credential reflection or credential forwarding. Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Enable SMB signing

Enabling SMB signing on the server prevents the attacker from accessing the server in the context of the logged-on user. This helps protect against credentials being forwarded to the SMB service. Microsoft recommends using Group Policies to configure SMB signing.

For detailed instructions on using Group Policies to enable and disable SMB signing for Microsoft Windows 2000, Windows XP, and Windows Server 2003, see Microsoft Knowledge Base Article 887429. The instructions in Microsoft Knowledge Base Article 887429 for Windows XP and Windows Server 2003 also apply to Windows Vista and Windows Server 2008.

Impact of Workaround: Using SMB packet signing can degrade performance with SMBv1 on file service transactions. Computers that have this policy set will not communicate with computers that do not have client-side packet signing enabled. For more information on SMB signing and potential impacts, see the MSDN article, "Microsoft network server: Digitally sign communications (always)".
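An added example, not part of the advisory: a PowerShell check of the SMB signing workaround and its interoperability impact. It reads the local server-side and client-side signing values (the registry locations behind the "Digitally sign communications" policies, which the advisory names but does not spell out; these paths are an assumption from general Windows knowledge, not from the advisory) and models the SMBv1 negotiation outcome so the "will not communicate" case the advisory warns about is visible before the policy is pushed.

```powershell
# Added example (not from the advisory): inspect SMB signing settings and
# predict the negotiation outcome between a server and a client.
# Assumed registry locations (standard Windows, not quoted in the advisory):
#   server side: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
#   client side: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
# Values: RequireSecuritySignature ("always") and EnableSecuritySignature ("if ... agrees").

function Get-SmbSigningSetting {
    param([ValidateSet('Server', 'Client')][string]$Side)
    $svc  = if ($Side -eq 'Server') { 'LanmanServer' } else { 'LanmanWorkstation' }
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    $p    = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    # A missing value is treated as 0 (not set).
    [pscustomobject]@{
        Side    = $Side
        Require = [bool]([int]($p.RequireSecuritySignature | ForEach-Object { $_ }) )
        Enable  = [bool]([int]($p.EnableSecuritySignature  | ForEach-Object { $_ }) )
    }
}

function Get-SmbSigningOutcome {
    # Simplified model of SMBv1 signing negotiation; "Require" implies "Enable".
    param([bool]$ServerRequire, [bool]$ServerEnable, [bool]$ClientRequire, [bool]$ClientEnable)
    $srvOn = $ServerEnable -or $ServerRequire
    $cliOn = $ClientEnable -or $ClientRequire
    if (($ServerRequire -and -not $cliOn) -or ($ClientRequire -and -not $srvOn)) {
        # This is the advisory's warning: a signing-required peer refuses an
        # unsigned peer, so the workaround costs connectivity, not just performance.
        return 'ConnectionRefused'
    }
    if ($srvOn -and $cliOn) { return 'Signed' }
    return 'Unsigned'
}

$srv = Get-SmbSigningSetting -Side Server
$cli = Get-SmbSigningSetting -Side Client
$srv, $cli | Format-Table -AutoSize

# Outcome for a remote client that has not enabled client-side signing at all,
# which is the population the advisory says will stop communicating.
$legacyClient = Get-SmbSigningOutcome -ServerRequire $srv.Require -ServerEnable $srv.Enable `
                                      -ClientRequire $false -ClientEnable $false
"Local server vs. client without signing enabled: $legacyClient"
```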

Original Source

Url : http://www.microsoft.com/technet/security/advisory/973811.mspx

Alert History

Date: 2013-02-06 19:08:08
  • Multiple Updates