Microsoft Security Advisory (973811)

Extended Protection for Authentication

Published: August 11, 2009 | Updated: October 14, 2009

Version: 1.1

Microsoft is announcing the availability of a new feature, Extended Protection for Authentication, on the Windows platform. This feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA).

The update itself does not directly provide protection against specific attacks such as credential forwarding, but allows applications to opt-in to Extended Protection for Authentication. This advisory briefs developers and system administrators on this new functionality and how it can be deployed to help protect authentication credentials.

Mitigating Factors:

Internet Explorer will never send credentials automatically to servers hosted in the Internet zone. This reduces the risk that credentials can be forwarded by an attacker within this zone.

Applications that use session signing and encryption (such as remote procedure call (RPC) with privacy and integrity, or server message block (SMB) with signing enabled) are not affected by credential forwarding.

General Information

Overview

Purpose of Advisory: This advisory was released to announce to customers the release of a non-security update to make available a new feature, Extended Protection for Authentication, on the Windows platform.

Advisory Status: Advisory published.

Recommendation: Review the suggested actions and configure as appropriate.

References                          Identification

Microsoft Knowledge Base Article    Microsoft Knowledge Base Article 973811

This advisory announces the release of this feature for the following platforms.

Affected Software

Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP for x64-based Systems Service Pack 2 and Windows XP for x64-based Systems Service Pack 3

Windows Server 2003 Service Pack 2
Windows Server 2003 for x64-based Systems Service Pack 2
Windows Server 2003 for Itanium-based Systems and Windows Server 2003 for Itanium-based Systems Service Pack 2

Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Vista for x64-based Systems, Windows Vista for x64-based Systems Service Pack 1, and Windows Vista for x64-based Systems Service Pack 2

Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

Non-Affected Software

Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems

Frequently Asked Questions

What is the scope of the advisory?
Microsoft released this advisory to announce the release of a new feature, Extended Protection for Authentication, as an update to the Windows SSPI to help address credential forwarding.

Is this a security vulnerability that requires Microsoft to issue a security update?
No, this is not a security vulnerability that requires Microsoft to issue a security update. This feature requires optional configuration that some customers may choose to deploy. Enabling this feature is not appropriate for all customers. For more information about this feature and how to appropriately configure it, see Microsoft Knowledge Base Article 973811. This feature is already included in Windows 7 and Windows Server 2008 R2.

What is Extended Protection for Windows Authentication?
The update in Microsoft Knowledge Base Article 968389 modifies the SSPI in order to enhance the way Windows authentication works so that credentials are not easily forwarded when Integrated Windows Authentication (IWA) is enabled.

When Extended Protection for Authentication is enabled, authentication requests are bound to both the Service Principal Names (SPN) of the server the client attempts to connect to and to the outer Transport Layer Security (TLS) channel over which the IWA authentication takes place. This is a base update which enables applications to opt in to the new feature.

Future updates will modify individual system components that perform IWA authentication so the components use this protection mechanism. Customers must install both the Microsoft Knowledge Base Article 968389 update and the respective application-specific updates for the client applications and servers on which Extended Protection for Authentication needs to be activated. Upon installation, Extended Protection for Authentication is controlled on the client through the use of registry keys. On the server, configuration is specific to the application.
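The "outer TLS channel" the answer above refers to is represented, on both the client and the server, by a channel binding value derived from the server's TLS certificate (the RFC 5929 "tls-server-end-point" binding); the SPN is the other half of the binding. The PowerShell below is an added example, not code from the advisory, the KB articles or Windows itself. It derives that binding value from a certificate and pairs it with the SPN so an administrator can see what a correctly configured client commits to during IWA. The certificate file path and the HTTP service class in the usage lines are assumptions.

```powershell
# Added example (not Microsoft's code): derive the tls-server-end-point channel binding
# (RFC 5929) that Extended Protection for Authentication binds the IWA exchange to.
function Get-TlsServerEndPointBinding {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # RFC 5929 section 4.1: hash the DER-encoded certificate with the hash function of
    # its signature algorithm, except that MD5 and SHA-1 signatures are hashed with SHA-256.
    $hasher = switch ($Certificate.SignatureAlgorithm.Value) {
        '1.2.840.113549.1.1.12' { [System.Security.Cryptography.SHA384]::Create() }  # sha384WithRSAEncryption
        '1.2.840.113549.1.1.13' { [System.Security.Cryptography.SHA512]::Create() }  # sha512WithRSAEncryption
        '1.2.840.10045.4.3.3'   { [System.Security.Cryptography.SHA384]::Create() }  # ecdsa-with-SHA384
        '1.2.840.10045.4.3.4'   { [System.Security.Cryptography.SHA512]::Create() }  # ecdsa-with-SHA512
        default                 { [System.Security.Cryptography.SHA256]::Create() }  # SHA-256, SHA-1, MD5 signatures
    }
    $der    = $Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $digest = $hasher.ComputeHash($der)
    $hasher.Dispose()

    # The value both ends compute independently: ASCII prefix followed by the certificate hash.
    [byte[]]$binding = [System.Text.Encoding]::ASCII.GetBytes('tls-server-end-point:') + $digest
    return $binding
}

function Get-ExpectedBindingSummary {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$ServiceClass   # e.g. HTTP for a web server; assumed by the caller
    )
    $dnsName = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $cbt = Get-TlsServerEndPointBinding -Certificate $Certificate

    [pscustomobject]@{
        TargetSpn      = "$ServiceClass/$dnsName"                                   # SPN half of the binding
        ChannelBinding = ($cbt | ForEach-Object { $_.ToString('x2') }) -join ''     # TLS half, as hex
    }
}

# Usage (path is an assumption): show what a client binds to for a given server certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\server.cer'
Get-ExpectedBindingSummary -Certificate $cert -ServiceClass HTTP
```

A relayed authentication fails under Extended Protection because the server compares the binding carried inside the IWA exchange with the one it computes from its own certificate and its own SPN; a different endpoint produces a different value. Note that the comparison itself happens inside the authentication protocol on the server; this script only shows the values, which is useful when checking that a server's certificate and the SPN clients use actually match.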

What other actions is Microsoft taking to implement this feature?

Changes must be made to the specific server and client applications which use Integrated Windows Authentication (IWA) to ensure they opt in to this new protection technology.

The updates released by Microsoft on August 11, 2009 are:

Microsoft Knowledge Base Article 968389 implements Extended Protection for Authentication in the Windows Security Support Provider Interface (SSPI). This update allows applications to opt in to Extended Protection for Authentication.

Microsoft Security Bulletin MS09-042 also contains a defense-in-depth non-security update which enables the Telnet client and server to opt in to Extended Protection for Authentication.

The update released by Microsoft on October 13, 2009 is:

Microsoft Security Bulletin MS09-054 contains a defense-in-depth, non-security update that enables WinINET to opt in to Extended Protection for Authentication.

Microsoft is planning to extend coverage by releasing future updates which will include additional Microsoft server and client applications into these protection mechanisms. This security advisory will be revised to contain updated information when such updates are released.

How can developers embed this protection technology in their applications?

Developers can find more information on how to use Extended Protection for Authentication technology in the following MSDN article, "Integrated Windows Authentication with Extended Protection".

How do I enable this feature?

On the client, customers must implement the following registry key settings.

Detailed instructions on enabling this registry key can be found in Microsoft Knowledge Base Article 968389.

Set the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\SuppressExtendedProtection to 0 to enable protection technology. By default, this key is set to 1 upon installation, disabling the protection.

Set the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel to 3. This is not the default on Windows XP and Windows Server 2003. This is an existing key which enables NTLMv2 Authentication. Extended protection for Windows authentication only applies to the NTLMv2 and Kerberos authentication protocols and does not apply to NTLMv1.

More information on enforcing NTLMv2 authentication and this key can be found in Microsoft Knowledge Base Article 239869.

On the server, Extended Protection for Authentication must be enabled on a per-service basis. The following overview shows how to enable Extended Protection for Authentication on the common protocols for which it is currently available:

Telnet (KB 960859)

For Telnet, Extended Protection for Authentication can be enabled on the server by creating the DWORD registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\ExtendedProtection. The default value of this key is Legacy. Set the key to one of the following values:

Legacy: by setting the DWORD value to 0, Extended Protection for Authentication will be disabled on the server and no connections, even those of updated and correctly-configured clients, will be protected against credential forwarding attacks.

Allow Extended Protection: by setting the DWORD value to 1, the server will protect those client computers that have been configured to use the Extended Protection for Authentication mechanism against credential relaying attacks. Clients that have not been updated and correctly configured will not be protected.

Require Extended Protection: by setting the DWORD value to 2, the server will require clients to support Extended Protection for Authentication or will otherwise refuse authentication. Clients that do not have extended protection enabled will fail to authenticate against the server.

Detailed instructions on creating this registry key can be found in Microsoft Knowledge Base Article 960859.
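The client settings (SuppressExtendedProtection and LmCompatibilityLevel) and the Telnet server setting (ExtendedProtection) described in this answer can be audited and set from PowerShell. The script below is an added example, not code from the advisory or the KB articles; it assumes only the registry paths and values quoted in the answer above, and must run elevated. The KB 968389 update still has to be installed for the client values to have any effect.

```powershell
# Added example (not Microsoft's code): audit and configure the Extended Protection
# registry values named in this advisory. Run from an elevated PowerShell session.

$LsaPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$TelnetPath = 'HKLM:\SOFTWARE\Microsoft\TelnetServer\1.0'

# Telnet server modes exactly as the advisory lists them.
$TelnetModes = @{ 0 = 'Legacy'; 1 = 'Allow Extended Protection'; 2 = 'Require Extended Protection' }

function Get-RegDword([string]$Path, [string]$Name) {
    # $null when the key or value is absent (for example, the update is not installed).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-ExtendedProtectionState {
    $suppress = Get-RegDword $LsaPath 'SuppressExtendedProtection'
    $lmLevel  = Get-RegDword $LsaPath 'LmCompatibilityLevel'
    $telnet   = Get-RegDword $TelnetPath 'ExtendedProtection'

    # Advisory: the value is absent or Legacy by default.
    if ($null -eq $telnet) { $telnetMode = 'Legacy (value absent, default)' }
    else                   { $telnetMode = $TelnetModes[[int]$telnet] }

    [pscustomobject]@{
        SuppressExtendedProtection = $suppress
        # Advisory: 0 enables the protection; 1 (the post-install default) disables it.
        ClientProtectionEnabled    = ($suppress -eq 0)
        LmCompatibilityLevel       = $lmLevel
        # Advisory: set to 3. Levels above 3 also send only NTLMv2, so they satisfy the same requirement.
        Ntlmv2Enforced             = ($null -ne $lmLevel -and $lmLevel -ge 3)
        TelnetExtendedProtection   = $telnet
        TelnetMode                 = $telnetMode
    }
}

function Enable-ClientExtendedProtection {
    # Writes the two client values the advisory specifies (enables for all IWA applications).
    Set-ItemProperty -Path $LsaPath -Name 'SuppressExtendedProtection' -Value 0 -Type DWord
    Set-ItemProperty -Path $LsaPath -Name 'LmCompatibilityLevel'       -Value 3 -Type DWord
}

function Set-TelnetExtendedProtection {
    param([Parameter(Mandatory)][ValidateSet('Legacy', 'Allow', 'Require')][string]$Mode)
    $value = @{ Legacy = 0; Allow = 1; Require = 2 }[$Mode]
    if (-not (Test-Path $TelnetPath)) { New-Item -Path $TelnetPath -Force | Out-Null }
    Set-ItemProperty -Path $TelnetPath -Name 'ExtendedProtection' -Value $value -Type DWord
}

# Usage: audit first, then apply deliberately.
Get-ExtendedProtectionState | Format-List
# Enable-ClientExtendedProtection
# Set-TelnetExtendedProtection -Mode Allow
```

On the server, Allow (1) is the safe first step: it protects updated clients without breaking the rest. Move to Require (2) only after every Telnet client has the update and SuppressExtendedProtection set to 0, because Require refuses authentication from clients without extended protection, exactly as the answer above states.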

What should I be aware of when deploying Extended Protection for Authentication?

Customers must install the update contained in Microsoft Knowledge Base Article 968389, install the respective application updates on client and server computers, and correctly configure both computers to use the protection mechanism in order to be protected against credential forwarding attacks.

When Extended Protection for Authentication is enabled on the client side, it is enabled for all applications using IWA. However, on the server it needs to be enabled on a per-application basis.

Why is this not a security update that is announced in a security bulletin? 
This update implements a new feature which may not be appropriate for all customers to enable. It provides an additional security feature which customers may choose to deploy based on their specific scenario.

This is a security advisory about a non-security update. Isn’t that a contradiction?
Security advisories address security changes that may not require a security bulletin but may still affect customers’ overall security. Security advisories are a way for Microsoft to communicate security-related information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin, or about issues for which no security bulletin has been released. In this case, we are communicating the availability of an update that does not address a specific security vulnerability; rather, it addresses your overall security.

How is this update offered? 
These updates are available on the Microsoft Download Center. Direct links to the updates for specific affected software are listed in the Affected Software table in the Overview section. For more information about the update and the changes to behavior, see Microsoft Knowledge Base Article 968389.

Is this update distributed on Automatic Update? 
Yes. These updates are distributed over the Automatic Update mechanism.

What versions of Windows are associated with this advisory? 
The feature addressed in this advisory is being made available for all platforms listed in the Affected Software summary. This feature is present in all releases of Windows 7 and Windows Server 2008 R2.

Suggested Actions

Review the Microsoft Knowledge Base Article that is associated with this advisory

Customers who are interested in learning more about this feature should review Microsoft Knowledge Base Article 973811.

Apply the updates associated with security bulletin MS09-042

Customers with affected systems can download the update from Microsoft Knowledge Base Article 968389. This update modifies the way that the Telnet service validates authentication replies in order to prevent the relay of credentials.

Protect Your PC

We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer.

For more information about staying safe on the Internet, customers should visit Microsoft Security Central.

Keep Windows Updated

All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Workarounds

A number of workarounds exist which help protect systems against credential reflection or credential forwarding. Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Enable SMB signing

Enabling SMB signing on the server prevents the attacker from accessing the server in the context of the logged-on user. This helps protect against credentials being forwarded to the SMB service. Microsoft recommends using Group Policies to configure SMB signing.

For detailed instructions on using Group Policies to enable and disable SMB signing for Microsoft Windows 2000, Windows XP, and Windows Server 2003, see Microsoft Knowledge Base Article 887429. The instructions in Microsoft Knowledge Base Article 887429 for Windows XP and Windows Server 2003 also apply to Windows Vista and Windows Server 2008.

Impact of Workaround: Using SMB packet signing can degrade performance with SMBv1 on file service transactions. Computers that have this policy set will not communicate with computers that do not have client-side packet signing enabled. For more information on SMB signing and potential impacts, see the MSDN article, "Microsoft network server: Digitally sign communications (always)".
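The two Group Policy settings behind this workaround (server-side "Digitally sign communications (always)" and its client-side counterpart) are stored by Windows as the RequireSecuritySignature and EnableSecuritySignature DWORD values under the LanmanServer and LanmanWorkstation service parameters. The script below is an added example, not code from the advisory or KB 887429; it reads those values and reports both whether the workaround is in force and whether the interoperability impact described above applies.

```powershell
# Added example (not Microsoft's code): report the SMB signing posture of this host.
# Assumption: the Group Policy settings map to the registry values below, which is
# where Windows stores "Digitally sign communications (always / if ... agrees)".
function Get-SmbSigningPosture {
    $roles = @{
        Server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Client = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    }
    foreach ($role in $roles.Keys) {
        $p = Get-ItemProperty -Path $roles[$role] -ErrorAction SilentlyContinue
        $enable  = $p.EnableSecuritySignature    # "(if client/server agrees)"
        $require = $p.RequireSecuritySignature   # "(always)"

        [pscustomobject]@{
            Role                      = $role
            SigningEnabled            = ($enable -eq 1 -or $require -eq 1)
            SigningRequired           = ($require -eq 1)
            # The workaround blocks forwarded credentials to this host only when the
            # server role requires signing; "if client agrees" can be negotiated away.
            ProtectsAgainstForwarding = ($role -eq 'Server' -and $require -eq 1)
            # Impact noted in the advisory: a role that requires signing will not
            # communicate with peers that have signing disabled.
            RefusesUnsignedPeers      = ($require -eq 1)
        }
    }
}

Get-SmbSigningPosture | Format-Table -AutoSize
```

Run this on the file servers where the workaround is intended before and after the Group Policy change; a Server row with SigningRequired set to True is the state the workaround calls for, and RefusesUnsignedPeers flags the clients that will need client-side signing enabled to keep connecting.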

Resources:

You can provide feedback by completing the form by visiting Microsoft Help and Support: Contact Us.

Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.

International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.

Microsoft TechNet Security provides additional information about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions: 

V1.0 (August 11, 2009): Advisory published.

V1.1 (October 14, 2009): Updated the FAQ with information about a non-security update included in MS09-054 relating to WinINET.

