Differences in Windows Authentication Between Windows Operating Systems

Updated: April 11, 2013

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

This reference topic describes the significant differences in the Windows authentication architecture and processes.

The following sections list the significant differences in Windows Authentication for each of the Windows versions and point to the relevant documentation. The Windows Server 2003 and Windows XP operating systems are used as baselines. For more information, see Windows Server 2003 Authentication Architecture in this collection.

Windows Server 2008 R2 and Windows 7 authentication architecture

For a summary of authentication architecture and processes for Windows Server 2008 R2 and Windows 7, see Windows Server 2008 R2 and Windows 7 Authentication Architecture.

Changes from previous version

  • Introducing TLS v1.2

    TLS has been improved to support hash negotiation, certificate hash or signature control, and Suite B-compliant cipher suites.

  • Changes in Credential Management

    Credential management in Windows 7 has changed to give more responsibility to the end user and to allow the operating system to store and present credentials. Users can compose a list of credential associations that allow a single logon experience to access a variety of systems, programs, or other legitimate resources.

  • Changes in Kerberos Authentication

    Both Data Encryption Standard (DES) cipher suites (DES-CBC-MD5 and DES-CBC-CRC) are disabled by default in Windows 7. The following cipher suites are enabled by default in Windows 7 and Windows Server 2008 R2:

    • AES256-CTS-HMAC-SHA1-96

    • AES128-CTS-HMAC-SHA1-96

    • RC4-HMAC

  • Changes in NetLogon

    The Net Logon service maintains trust relationships and connections (called a secure channel) between client computers and domain controllers in domains or between domain controllers in trusted domains. It is implemented as a Security Support Provider (SSP) and, prior to Windows 7, used MD5 and RC4 as cryptography algorithms for remote procedure calls and MD5 and DES for the client.

    Windows 7 adds the capability of using AES128 and SHA256 to the Net Logon client and to the Net Logon SSP.

  • Changes in NTLM Authentication

    In Windows Server 2008 R2 and Windows 7, NTLM-based minimum session security policy is set to require a minimum of 128-bit encryption for both client computers and servers for new installations of Windows. This requires that all network devices and operating systems using NTLM support 128-bit encryption. Existing session security will be retained when upgrading Windows from an earlier Windows version.

  • Introducing the Restriction of NTLM Authentication

    New Group Policy settings in Windows Server 2008 R2 and Windows 7 permit the auditing and restriction of NTLM protocol usage on clients, servers, and domain controllers. These policies can be configured on computers running Windows Server 2008 R2 and Windows 7, which can affect NTLM usage on computers running earlier versions of Windows.

  • Introducing Extensions to the Negotiate Authentication Package

    NegoExts (NegoExts.dll) is an authentication package that negotiates the use of Security Support Providers (SSPs) for applications and scenarios implemented by Microsoft and other software companies. This extension to the Negotiate package permits the following scenarios:

    • Rich client availability within a federated system.

    • Rich client support for Microsoft Office Live.

    • Hosted Microsoft Exchange Server and Outlook.

    • Rich client availability between client computers and servers.

  • Introducing Online Identity Integration

    In Windows 7, users in a small network, such as a home network, can elect to share data, such as media files, between selected computers on a per-user basis. This feature complements the Homegroup feature in Windows 7 by using online IDs to identify individuals within the home networks. Users must explicitly link their Windows user account to an online ID to allow this authentication. The inclusion of the Public Key Cryptography Based User-to-User (PKU2U) protocol in Windows permits the authentication to occur by using certificates.

  • Introducing PKU2U in Windows

    Public Key Cryptography Based User-to-User (PKU2U) Security Support Provider (SSP) enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain.

  • Introducing the Windows Biometric Service

    In Windows Server 2008 R2 and Windows 7, administrators and users use fingerprint biometric devices to log on to computers, grant elevation privileges through User Account Control (UAC), and perform basic management of the fingerprint devices. Administrators can manage fingerprint biometric devices in Group Policy settings by enabling, limiting, or blocking their use.

  • Modern authentication protection

    Extended Protection for Authentication enhances the protection and handling of credentials when authenticating network connections by using Integrated Windows Authentication (IWA). Extended Protection is included by default in Windows Server 2008 R2 and Windows 7 but is also available for legacy systems. For information about how to update legacy systems, see Extended Protection for Authentication.
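Added example, not part of the original Microsoft article: a PowerShell check, assumed to run in an elevated session on the host being audited, of the policy value behind the Kerberos encryption-type defaults listed under Changes in Kerberos Authentication and of the NTLM minimum session security values described under Changes in NTLM Authentication. Registry locations and bit values are the documented ones for those policies.

```powershell
# Added example (not from the original article). Reports whether this host matches the
# Windows 7 / Windows Server 2008 R2 defaults for Kerberos encryption types and NTLM
# minimum session security. An absent registry value is reported as "not configured".
$kerbPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$ntlmPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Bits of SupportedEncryptionTypes ("Configure encryption types allowed for Kerberos").
$kerbTypes = @(
    @{ Name = 'DES-CBC-CRC';             Bit = 0x01 },
    @{ Name = 'DES-CBC-MD5';             Bit = 0x02 },
    @{ Name = 'RC4-HMAC';                Bit = 0x04 },
    @{ Name = 'AES128-CTS-HMAC-SHA1-96'; Bit = 0x08 },
    @{ Name = 'AES256-CTS-HMAC-SHA1-96'; Bit = 0x10 }
)

function Get-RegDword([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int64]$item.$Name
}

function Test-KerberosEncryptionTypes {
    $mask = Get-RegDword $kerbPath 'SupportedEncryptionTypes'
    if ($null -eq $mask) {
        Write-Output 'Kerberos: policy not configured; OS default applies (AES256, AES128, RC4 on; DES off)'
        return
    }
    foreach ($t in $kerbTypes) {
        $state = if (($mask -band $t.Bit) -ne 0) { 'enabled' } else { 'disabled' }
        Write-Output ('Kerberos: {0,-24} {1}' -f $t.Name, $state)
    }
    # Either DES bit set means the host deviates from the Windows 7 default.
    if (($mask -band 0x03) -ne 0) { Write-Warning 'Kerberos: a DES cipher suite is enabled' }
}

# NtlmMinClientSec / NtlmMinServerSec bits: 0x20000000 = require 128-bit encryption,
# 0x00080000 = require NTLMv2 session security.
function Test-NtlmMinimumSessionSecurity {
    foreach ($name in 'NtlmMinClientSec', 'NtlmMinServerSec') {
        $value = Get-RegDword $ntlmPath $name
        if ($null -eq $value) { Write-Output "NTLM: $name not configured"; continue }
        $req128 = ($value -band 0x20000000) -ne 0
        $reqV2  = ($value -band 0x00080000) -ne 0
        Write-Output ('NTLM: {0} = 0x{1:X8} (128-bit: {2}, NTLMv2 session security: {3})' -f $name, $value, $req128, $reqV2)
        if (-not $req128) { Write-Warning "NTLM: $name does not require 128-bit encryption" }
    }
}

Test-KerberosEncryptionTypes
Test-NtlmMinimumSessionSecurity
```

A DES bit set, or an NTLM value without the 0x20000000 bit, means the host was upgraded with an older policy or reconfigured and will accept weaker protection than a fresh Windows 7 installation.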
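Added example, not part of the original Microsoft article: a PowerShell script, assumed to run in an elevated session, that reports how the NTLM audit and restriction policies described under Introducing the Restriction of NTLM Authentication are set on this host and summarises the audit events they write to the NTLM operational log. Registry locations, value meanings and event IDs are the documented ones for the "Network security: Restrict NTLM" policies.

```powershell
# Added example (not from the original article). Absent values mean "not configured",
# which for these policies is the same as Disable / Allow all.
$msv      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Client/server policies live under MSV1_0; domain-controller policies under Netlogon.
$policies = @(
    @{ Path = $msv; Name = 'AuditReceivingNTLMTraffic'
       Meaning = @{ 0 = 'Disable'; 1 = 'Enable auditing for domain accounts'; 2 = 'Enable auditing for all accounts' } },
    @{ Path = $msv; Name = 'RestrictSendingNTLMTraffic'
       Meaning = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' } },
    @{ Path = $msv; Name = 'RestrictReceivingNTLMTraffic'
       Meaning = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' } },
    @{ Path = $netlogon; Name = 'AuditNTLMInDomain'
       Meaning = @{ 0 = 'Disable'; 1 = 'Enable for domain accounts to domain servers'; 3 = 'Enable for domain accounts'; 5 = 'Enable for domain servers'; 7 = 'Enable all' } },
    @{ Path = $netlogon; Name = 'RestrictNTLMInDomain'
       Meaning = @{ 0 = 'Disable'; 1 = 'Deny for domain accounts to domain servers'; 3 = 'Deny for domain accounts'; 5 = 'Deny for domain servers'; 7 = 'Deny all' } }
)

function Get-NtlmRestrictionSettings {
    foreach ($p in $policies) {
        $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { Write-Output ('{0,-30} not configured' -f $p.Name); continue }
        $value = [int]$item.($p.Name)
        $text  = $p.Meaning[$value]
        if (-not $text) { $text = 'unrecognised value' }
        Write-Output ('{0,-30} {1} ({2})' -f $p.Name, $value, $text)
    }
}

function Get-NtlmAuditSummary([int]$MaxEvents = 1000) {
    # Events 8001 (client, outgoing), 8002 (server, incoming), 8003/8004 (domain
    # controller) are written once the corresponding audit policy is enabled.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) { Write-Output 'No NTLM operational events (auditing off or log empty)'; return }
    $events | Where-Object { 8001..8004 -contains $_.Id } |
        Group-Object Id | Sort-Object Name |
        ForEach-Object { '{0,5} event(s) with Id {1}' -f $_.Count, $_.Name }
}

Get-NtlmRestrictionSettings
Get-NtlmAuditSummary
```

Run the audit settings in Audit mode first and review the 800x events for the clients and servers still sending NTLM before switching the corresponding Restrict policy to Deny.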

Windows Server 2008 and Windows Vista authentication architecture

For a summary of authentication architecture and processes for Windows Server 2008 and Windows Vista, see Windows Server 2008 and Windows Vista Authentication Architecture.

Changes from previous version

  • Backup and Restore of Stored User Names and Passwords

    Windows Vista includes a Backup and Restore Wizard that allows users to back up user names and passwords that they have requested Windows to remember for them. This new functionality allows users to restore the user names and passwords on any computer running Windows Vista. Restoring a backup file on a different computer allows users to effectively roam or move their saved user names and passwords.

  • Credential Security Service Provider and SSO for Terminal Services Logon

    Credential Security Service Provider (CredSSP) enables applications to delegate user credentials from the client computer (by using the client-side security service provider) to the target server (through the server-side security service provider) based on client policies. CredSSP policies are configured through Group Policy, and delegation of credentials is turned off by default.

  • TLS/SSL Cryptographic Enhancements

    Advanced Encryption Standard (AES) has been adopted as a standard by the National Institute of Standards and Technology (NIST). To ease the process of bulk encryption, cipher suites that support AES have been added.

  • Kerberos Enhancements

    Advanced Encryption Standard: The improvement enables the use of AES 128 and AES 256 encryption with the Kerberos authentication protocol. In Windows Server 2008 and Windows Vista, the base Kerberos protocol supports AES for encryption of ticket-granting tickets (TGTs), service tickets, and session keys. In addition, Generic Security Service (GSS) messages (which conduct client/server communications) support AES.

  • Smart Card Authentication Changes

    To better support smart card deployments, the range of allowable certificates has been increased.

  • Previous Logon Information

    This security policy setting enables users to determine whether their accounts were used (or were attempted to be used) without their knowledge.

  • Extended Protection for Authentication

    Extended Protection for Authentication enhances the protection and handling of credentials when authenticating network connections by using Integrated Windows Authentication (IWA).

See Also

Concepts

Windows Logon and Authentication Technical Overview