Microsoft Security Advisory (973811)

Extended Protection for Authentication

Published: | Updated:

Version: 1.14

Microsoft is announcing the availability of a new feature, Extended Protection for Authentication, on the Windows platform. This feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA).

The update itself does not directly provide protection against specific attacks such as credential forwarding, but allows applications to opt in to Extended Protection for Authentication. This advisory briefs developers and system administrators on this new functionality and how it can be deployed to help protect authentication credentials.

Mitigating Factors:

General Information

Overview

Frequently Asked Questions

Suggested Actions

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

  • Mark Gamache of T-Mobile USA for working with us to help protect customers from attacks against NTLMv1 (NT LAN Manager version 1) and LAN Manager (LM) network authentication

Resources

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (August 11, 2009): Advisory published.
  • V1.1 (October 14, 2009): Updated the FAQ with information about a non-security update included in MS09-054 relating to WinINET.
  • V1.2 (December 8, 2009): Updated the FAQ with information about three non-security updates relating to Windows HTTP Services, HTTP Protocol Stack, and Internet Information Services.
  • V1.3 (March 9, 2010): Updated the FAQ to announce the rerelease of the update that enables Internet Information Services to opt in to Extended Protection for Authentication. For more information, see Known issues in Microsoft Knowledge Base Article 973917.
  • V1.4 (April 14, 2010): Updated the Suggested Actions section to direct customers to the "What other actions is Microsoft taking to implement this feature?" entry in the section, Frequently Asked Questions.
  • V1.5 (June 8, 2010): Updated the FAQ with information about six non-security updates enabling .NET Framework to opt in to Extended Protection for Authentication.
  • V1.6 (September 14, 2010): Updated the FAQ with information about a non-security update enabling Outlook Express and Windows Mail to opt in to Extended Protection for Authentication.
  • V1.7 (October 12, 2010): Updated the FAQ with information about a non-security update enabling Windows Server Message Block (SMB) to opt in to Extended Protection for Authentication.
  • V1.8 (December 14, 2010): Updated the FAQ with information about a non-security update enabling Microsoft Outlook to opt in to Extended Protection for Authentication.
  • V1.9 (December 17, 2010): Removed the FAQ entry, originally added December 14, 2010, about a non-security update enabling Microsoft Outlook to opt in to Extended Protection for Authentication.
  • V1.10 (January 11, 2011): Updated the FAQ with information about a new release enabling Microsoft Office Live Meeting Service Portal to opt in to Extended Protection for Authentication.
  • V1.11 (January 12, 2011): Corrected the link to the release notes for Microsoft Office Live Meeting Service Portal in the FAQ.
  • V1.12 (April 12, 2011): Updated the FAQ with information about a non-security update enabling Microsoft Outlook to opt in to Extended Protection for Authentication.
  • V1.13 (October 31, 2012): Corrected the Mitigating Factors.
  • V1.14 (January 8, 2013): Updated the FAQ and Suggested Actions with information about attacks against NTLMv1 (NT LAN Manager version 1) and LAN Manager (LM) network authentication. Microsoft Fix it solutions for Windows XP and Windows Server 2003 are available to help protect against these attacks. Applying these Microsoft Fix it solutions enables NTLMv2 settings required for users to take advantage of Extended Protection for Authentication.