Microsoft Security Advisory 2871997
Update to Improve Credentials Protection and Management
Published: May 13, 2014 | Updated: July 8, 2014
Microsoft is announcing the availability of updates for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 that improve credential protection and domain authentication controls to reduce credential theft.
Recommendation. Microsoft recommends that customers apply these updates immediately using update management software, or by checking for updates using the Microsoft Update service. These updates can be installed in any order.
- On May 13, 2014, Microsoft released the 2871997 update for supported editions of Windows 8, Windows RT, Windows Server 2012, Windows 7, and Windows Server 2008 R2 that improves credential protection and domain authentication controls to reduce credential theft. This update provides additional protection for the Local Security Authority (LSA), adds a restricted admin mode for Credential Security Support Provider (CredSSP), introduces support for the protected account-restricted domain user category, and enforces stricter authentication policies for Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 machines as clients. For more information about this update, including download links, see Microsoft Knowledge Base Article 2871997.
Note Supported editions of Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 already include these features and do not need the 2871997 update.
- On July 8, 2014, Microsoft released the 2973351 update for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT, and for supported editions of Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 that have the 2919355 (Windows 8.1 Update) update installed. Microsoft released the 2975625 update for supported editions of Windows 8.1 and Windows Server 2012 R2 that do not have the 2919355 (Windows 8.1 Update) update installed. The update provides configurable registry settings for managing the Restricted Admin mode for Credential Security Support Provider (CredSSP). For more information about this update, including download links, see Microsoft Knowledge Base Article 2973351 and Microsoft Knowledge Base Article 2975625.
Note. The update changes default Restricted Admin mode functionality for Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. See the Advisory FAQ section for details.
This advisory discusses the following software.
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2012
Windows Server 2012 R2
Windows RT 8.1
Server Core installation option
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2 (Server Core installation)
What is the scope of the advisory?
The purpose of this advisory is to notify customers that updates are available for Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 that provide additional protection and management for credentials.
What systems are primarily at risk from credential theft?
Enterprise environments where Windows domains are deployed are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.
For update 2973351 and update 2975625, are there any changes to functionality?
Yes. The default behavior for Restricted Admin mode has changed on Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. Restricted Admin mode is now turned off by default, so if you need it you will have to enable it again after you install update 2973351 or 2975625. Previously, Restricted Admin mode was on by default. For information about how to enable Restricted Admin mode, see Microsoft Knowledge Base Article 2973351 or Microsoft Knowledge Base Article 2975625.
Update 2973351 does not change the default behavior on supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, or Windows RT. Restricted Admin mode is off by default for these operating systems.
Do updates 2973351 or 2975625 replace update 2871997?
No. Update 2871997 is required to install either update 2973351 or 2975625. These updates provide configurable registry settings for the Restricted Admin mode that was added when you installed update 2871997.
There are multiple updates listed for Windows 8.1 and Windows Server 2012 R2. Do I need to install all the updates?
No. Depending on how your system is configured to receive updates, only one of the updates for Windows 8.1 or Windows Server 2012 R2 will apply.
For systems running Windows 8.1 or Windows Server 2012 R2:
Update 2973351 is for systems that already have the 2919355 (Windows 8.1 Update) update installed.
Update 2975625 is for systems without the 2919355 update installed. Note that the 2975625 update is only available to customers managing updates using Windows Server Update Services (WSUS), Windows Intune, or System Center Configuration Manager.
For Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1, are there any prerequisites for the 2973351 update?
Yes. Customers running Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1 must first install the 2919355 (Windows 8.1 Update) update released in April 2014 before installing the 2973351 update. For more information about the prerequisite update, see Microsoft Knowledge Base Article 2919355.
Do I need to install all of the security updates that have been released for this advisory?
Yes. Customers should apply all updates offered for the software installed on their system to get all of the credential protection features.
What are the expected deployment scenarios?
While these changes will improve credential protection on all systems, they are most useful in an enterprise environment where Windows domains are deployed. Some of these changes depend on features available only in a Windows Server 2012 R2-based domain; the other changes are useful in all enterprise environments.
What is Local Security Authority Subsystem Service (LSASS)?
Local Security Authority Subsystem Service (LSASS) provides an interface for managing local security, domain authentication, and Active Directory processes. It handles authentication for the client and for the server. It also contains features that are used to support Active Directory utilities.
What is the Local Security Authority (LSA)?
The Local Security Authority (LSA), which resides within the Local Security Authority Subsystem Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies.
What does this update do?
This update enhances credential protection and domain authentication controls to reduce credential theft by making improvements in four areas:
Restricted Admin mode for Credential Security Support Provider (CredSSP)
Applications can be written to use this change in order to connect to a remote server without transmitting credentials to the host server. This prevents your credentials from being harvested during the initial connection process if the server has been compromised.
- When the host verifies that the user account connecting to it has administrator rights and supports Restricted Admin mode, the connection succeeds. Otherwise, the connection attempt fails. Restricted Admin mode does not at any point send plain text or other re-usable forms of credentials to remote computers.
- Two registry settings can be configured to manage Restricted Admin mode. The DisableRestrictedAdmin value enables or disables Restricted Admin mode. When Restricted Admin mode is enabled, the DisableRestrictedAdminOutboundCreds value controls whether a user connected to a system through Remote Desktop in Restricted Admin mode can automatically authenticate to remote resources using the local machine account.
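As an added illustration (not code from the advisory or from Microsoft), the following PowerShell audits and sets the two values named above. It assumes, based on KB 2973351, that both are REG_DWORD values under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa, that DisableRestrictedAdmin = 0 means Restricted Admin mode is on and 1 means off, that DisableRestrictedAdminOutboundCreds = 1 stops the Restricted Admin session from using the machine account for outbound authentication, and that a missing value leaves the OS default described in the Advisory FAQ in effect. The function names are the example's own.

```powershell
# Added example; not code from the advisory or from Microsoft.
# Assumed registry location and value semantics (taken from KB 2973351):
#   HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
#     DisableRestrictedAdmin              (REG_DWORD) 0 = Restricted Admin mode on, 1 = off
#     DisableRestrictedAdminOutboundCreds (REG_DWORD) 0 = RDP session may use the machine
#                                                     account outbound, 1 = it may not
# A missing value means the OS default described in the advisory FAQ applies.

$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RestrictedAdminState {
    # Read both values; a missing value comes back as $null ("not configured").
    $props    = Get-ItemProperty -Path $LsaPath -ErrorAction Stop
    $mode     = $props.DisableRestrictedAdmin
    $outbound = $props.DisableRestrictedAdminOutboundCreds

    [pscustomobject]@{
        ComputerName                        = $env:COMPUTERNAME
        DisableRestrictedAdmin              = $mode
        DisableRestrictedAdminOutboundCreds = $outbound
        # After update 2973351/2975625 only an explicit 0 turns the feature on.
        RestrictedAdminEnabled              = ($mode -eq 0)
        OutboundMachineCredsBlocked         = ($outbound -eq 1)
    }
}

function Set-RestrictedAdminState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][bool]$Enable,
        # Stricter default: the RDP session may not reuse the machine account outbound.
        [bool]$BlockOutboundMachineCreds = $true
    )
    $modeValue     = [int](-not $Enable)             # $true -> 0 (enabled), $false -> 1
    $outboundValue = [int]$BlockOutboundMachineCreds # $true -> 1 (blocked)
    if ($PSCmdlet.ShouldProcess($LsaPath, "DisableRestrictedAdmin=$modeValue, DisableRestrictedAdminOutboundCreds=$outboundValue")) {
        Set-ItemProperty -Path $LsaPath -Name DisableRestrictedAdmin -Value $modeValue -Type DWord
        Set-ItemProperty -Path $LsaPath -Name DisableRestrictedAdminOutboundCreds -Value $outboundValue -Type DWord
    }
}

function Test-RestrictedAdminPolicy {
    # Compare the live configuration with the desired policy and return the deviations,
    # so the check can run unattended across a fleet and feed a compliance report.
    param([bool]$ExpectEnabled = $true, [bool]$ExpectOutboundBlocked = $true)
    $state    = Get-RestrictedAdminState
    $findings = @()
    if ($state.RestrictedAdminEnabled -ne $ExpectEnabled) {
        $findings += "DisableRestrictedAdmin is '$($state.DisableRestrictedAdmin)'; expected $([int](-not $ExpectEnabled))"
    }
    if ($state.OutboundMachineCredsBlocked -ne $ExpectOutboundBlocked) {
        $findings += "DisableRestrictedAdminOutboundCreds is '$($state.DisableRestrictedAdminOutboundCreds)'; expected $([int]$ExpectOutboundBlocked)"
    }
    [pscustomobject]@{
        ComputerName = $state.ComputerName
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Usage (run elevated):
Get-RestrictedAdminState | Format-List
Test-RestrictedAdminPolicy -ExpectEnabled $true -ExpectOutboundBlocked $true | Format-List
# Set-RestrictedAdminState -Enable $true -WhatIf   # drop -WhatIf to apply
```

Test-RestrictedAdminPolicy treats an absent value as non-compliant on purpose: after update 2973351 or 2975625 the default is "off" on every listed platform, so a machine that is expected to offer Restricted Admin mode must carry an explicit 0.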
Credential cleanup in LSA
This feature reduces the attack surface of domain credentials in the LSA. Changes to this feature include:
- prevent network logon and remote interactive logon to a domain-joined machine using local accounts
- restrict the logon credential cache to the logon lifetime
- restrict the Kerberos/NTLM/Digest/CredSSP supplied-credential cache
- restrict the Kerberos cache of plain text passwords
- do not cache logon credentials in CredSSP unless the Credentials Delegation policy allows it
- restrict use of logon credentials for Digest
Protected Users security group
This feature adds support for the Protected Users security group that was introduced in Windows 8.1 and Windows Server 2012 R2. This support is applicable to domain member machines in a Windows Server 2012 R2-based domain.
Members of the Protected Users group are limited further by the following methods of authentication:
- A member of the Protected Users group can only sign on using the Kerberos protocol. The account cannot authenticate using NTLM, Digest Authentication, or CredSSP. On a device running Windows 8, passwords are not cached, so a device that uses any one of these Security Support Providers (SSPs) will fail to authenticate to a domain when the account is a member of the Protected Users group.
- The Kerberos protocol will not use the weaker DES or RC4 encryption types in the pre-authentication process. This means that the domain must be configured to support at least the AES cipher suite.
- The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that connections to other systems that previously worked may fail once the user is a member of the Protected Users group.
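Because these three restrictions can break existing sign-ins, it helps to check an account against them before adding it to the group. The PowerShell below is an added example, not code from the advisory or from Microsoft; it assumes the ActiveDirectory RSAT module, a Windows Server 2012 R2-based domain, the msDS-SupportedEncryptionTypes bit values as documented in the AD schema (DES-CRC 1, DES-MD5 2, RC4 4, AES128 8, AES256 16), and Microsoft's guidance that service and computer accounts are not placed in Protected Users. The function name is the example's own.

```powershell
# Added example; not code from the advisory or from Microsoft.
# Assumes the ActiveDirectory module (RSAT) and a Windows Server 2012 R2-based domain.
# msDS-SupportedEncryptionTypes bit values (assumed from the AD schema):
#   DES-CRC 1, DES-MD5 2, RC4 4, AES128 8, AES256 16. Unset or 0 lets the DC decide,
#   which in practice still permits RC4.
Import-Module ActiveDirectory

$AES_BITS = 8 -bor 16

function Test-ProtectedUsersReadiness {
    # Report, per account, which of the three Protected Users restrictions would bite.
    param([Parameter(Mandatory)][string[]]$SamAccountName)

    $wanted = 'MemberOf', 'ServicePrincipalName', 'TrustedForDelegation',
              'msDS-AllowedToDelegateTo', 'msDS-SupportedEncryptionTypes'

    foreach ($name in $SamAccountName) {
        $u      = Get-ADUser -Identity $name -Properties $wanted
        $issues = @()
        $etypes = $u.'msDS-SupportedEncryptionTypes'

        # Restriction 2: pre-authentication will use only AES, so the account must offer it.
        if (-not $etypes) {
            $issues += 'msDS-SupportedEncryptionTypes is not set; AES keys may be missing and RC4 is the likely fallback'
        } elseif (($etypes -band $AES_BITS) -eq 0) {
            $issues += 'no AES encryption type enabled for this account'
        }

        # Restrictions 1 and 3: service accounts are typically reached over NTLM and delegated,
        # so by Microsoft's guidance they should not be members of Protected Users.
        if ($u.ServicePrincipalName) {
            $issues += 'account has SPNs (service account); NTLM and delegation to it will break'
        }
        if ($u.TrustedForDelegation -or $u.'msDS-AllowedToDelegateTo') {
            $issues += 'account is configured for Kerberos delegation'
        }

        [pscustomobject]@{
            SamAccountName   = $u.SamAccountName
            AlreadyProtected = [bool]($u.MemberOf -match '^CN=Protected Users,')
            Ready            = ($issues.Count -eq 0)
            Issues           = $issues
        }
    }
}

# Usage: evaluate the privileged accounts you intend to add, e.g. every user in Domain Admins.
Get-ADGroupMember 'Domain Admins' |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { Test-ProtectedUsersReadiness -SamAccountName $_.SamAccountName } |
    Format-Table SamAccountName, AlreadyProtected, Ready, Issues -AutoSize
```

An account that reports Ready = $true is not guaranteed to keep working: the delegation restriction concerns services that delegate on the user's behalf (front-end web or file servers, for example), which the user object itself does not reveal, so the result is a pre-check to pair with a pilot group rather than a substitute for one.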
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
- You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.
- Customers in the United States and Canada can receive technical support from Security Support. For more information, see Microsoft Help and Support.
- International customers can receive support from their local Microsoft subsidiaries. For more information, see International Support.
- Microsoft TechNet Security provides additional information about security in Microsoft products.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (May 13, 2014): Advisory published.
- V2.0 (July 8, 2014): Rereleased advisory to announce the release of updates 2973351 and 2919355 to provide further control over the Restricted Admin settings. Depending on the software installed on their system, customers should apply either 2973351 or 2919355 immediately. See Updates Related to this Advisory and Advisory FAQ for details.