Active Directory Security

Nov 21 2014

Microsoft KB2871997: Back-Porting Windows 8.1/Win2012R2 Enhanced Security & Pass The Hash Mitigation to Windows 7, Windows 8, & Windows 2008R2

  • By Sean Metcalf in Microsoft Security, Technical Reference

In June 2014, Microsoft released KB2871997 which takes many of the enhanced security protection mechanisms built into Windows 8.1 & Windows Server 2012 R2 and “back-ports” them to Windows 7, Windows 8, Windows Server 2008R2, and Windows Server 2012.

The enhanced security features reduce the credential data stored in memory and support modern authentication (Kerberos with AES). There are two primary logon types, interactive and network.

An interactive logon occurs when a user enters their logon credentials at the logon prompt, typically when sitting in front of a computer (or when connecting to Terminal Services or Remote Desktop Protocol, RDP, services). This logon type results in the user’s credentials being stored in memory in several forms: Kerberos tickets, the NTLM hash, the LM hash (if the password is less than 15 characters long), and even the clear-text password. Mimikatz is a tool that can extract credentials from LSASS protected memory as well as from the local Windows Security Accounts Manager (SAM). Read the ADSecurity.org Unofficial Guide to Mimikatz & Command Reference for more information on Mimikatz capability, usage, detection, and mitigation.

The second type is a network logon, where the user’s credentials are transparently passed to the service on the destination system in order to gain access; the user does not have to explicitly enter credentials, since they are “passed” to the target service and verified (typically using Kerberos or NTLM). With this logon type, the user’s credentials are not sent to the system hosting the service; therefore, the credentials are not stored on the destination system. This means any service receiving network logons leverages “pass the hash” for single sign-on (SSO).

Note: This post uses WDigest and Digest authentication interchangeably. Also, this patch doesn’t stop Pass-the-Hash; it does help harden Windows against standard attack methods such as clear-text password dumping, RDP credential theft, and lateral movement using local Administrator accounts.

Update: KB2871997 includes the client components of Restricted Admin Mode Remote Desktop Client (mstsc /RestrictedAdmin). There was a patch released at the end of 2014 that includes the server components of Restricted Admin Mode for earlier versions of Windows.

These protections include:

  • “Protected Users” Group Support (forces Kerberos authentication enforcing AES encryption)
    • The Protected Users group is created when the Domain Functional Level is set to Windows Server 2012 R2.
    • Accounts in the Protected Users group may only authenticate using the Kerberos protocol, denying NTLM, Digest, and CredSSP.
    • Kerberos refuses DES and RC4 encryption types for pre-authentication – the domain must be configured to support AES or higher.
    • A Protected User’s account cannot be delegated with Kerberos constrained or unconstrained delegation.
    • Protected Users work well with “Authentication Policies and Silos”.
  • Restricted Admin RDP Mode Remote Desktop Client support (mstsc /RestrictedAdmin)
    • Restricted Admin RDP mode is enhanced security to protect administrator credentials – this mode is not available for users (“Remote Desktop Users”).
    • As noted above, before this update an RDP logon was an interactive logon: the user gained access only after providing a user name and password. Logging on to an RDP host in this manner places the user’s credentials in memory on the RDP host, where they may be stolen if the host is compromised.
    • This update enables RDP to support network logon where the user’s existing logon token may be passed for authentication for RDP access. Using this logon type ensures that the user’s credentials do not exist on the RDP server.
    • This effectively provides the option to send credentials to the system you are connecting to via RDP (credentials are stored in memory on RDP host) or a “token” is sent to the RDP host keeping the credentials off the RDP host.
    • Note: Restricted Admin connections impersonate the computer account for remote connections, so the connected admin may only access shares to which the computer has access.
    • Microsoft recommends Restricted Admin be leveraged in scenarios where help desk users RDP to a workstation to resolve an issue, ensuring the elevated credentials of the help desk are not placed on the workstation (this requires the workstation to be Windows 8.1 or higher).
    • This update does not back-port Restricted Admin RDP server mode to operating systems prior to Windows 8.1 and Windows Server 2012 R2.
  • Pass The Hash Enhanced Protection
    • Removal of Credentials at Logoff
      • Windows caches user credentials (clear-text password, NTLM password hash, Kerberos TGT/Session key) in memory (the LSASS process) when the user logs on. At logoff, these credentials should be cleared from memory, but this didn’t always occur. This update ensures credentials are cleared after log-off.
    • New well-known SIDs
      • LOCAL_ACCOUNT (S-1-5-113) – any local account
      • LOCAL_ACCOUNT_AND_MEMBER_OF_ADMINISTRATORS_GROUP (S-1-5-114) – any local account that is a member of the administrators group.
      • Configuring the new well-known SIDs in a Group Policy with the settings “Deny access to this computer from the network” and “Deny log on through Remote Desktop Services” prevents local accounts from connecting over the network.
    • Clear-text credentials removed from LSASS
      • Disabled by default for compatibility reasons. Clear-text passwords are stored in memory (LSASS) to primarily support WDigest authentication.
      • Enable this feature to prevent clear-text credentials from being stored in memory (LSASS).
      • Enable this feature by setting the registry value “UseLogonCredential” (DWORD) to 0 under:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
        On Windows 8.1/Windows Server 2012 R2, this value is set to 0 (Digest disabled). The patch sets the value to 1 on earlier versions of Windows for backward compatibility (Digest enabled).
      • The NT Hash and Kerberos keys are still stored in memory (LSASS).
      • Check event logs on the Domain Controllers (Event ID 4776) and on all servers (Event ID 4624) to determine if WDigest is still in use. Look for “Authentication Package: WDigest”.
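As an added example (not code from the post), the following PowerShell script checks whether KB2871997 is present, reads and remediates the UseLogonCredential value from the list above, and then hunts the Security log for 4624 events whose authentication package is WDigest, the check the last bullet describes. It assumes an elevated prompt on a Windows 7/2008 R2/8/2012 host with the patch applied and logon success auditing enabled.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell prompt on a
# Windows 7 / 2008 R2 / 8 / 2012 host with KB2871997 applied and logon auditing enabled.
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$valueName  = 'UseLogonCredential'

# 1. Without the patch the registry value is ignored on these OS versions.
if (-not (Get-HotFix -Id 'KB2871997' -ErrorAction SilentlyContinue)) {
    Write-Warning 'KB2871997 is not installed; UseLogonCredential will have no effect.'
}

# 2. Read the current value (the patch sets it to 1 on earlier OS for compatibility).
$item = Get-ItemProperty -Path $wdigestKey -Name $valueName -ErrorAction SilentlyContinue
$current = if ($null -eq $item) { 'absent' } else { $item.$valueName }
Write-Output "$valueName is currently: $current"

# 3. Remediate: DWORD 0 stops LSASS keeping the clear-text password for WDigest.
#    Passwords already cached are not flushed; the setting applies to subsequent logons,
#    so reboot (or have affected users log off and on) after the change.
if ($current -ne 0) {
    New-ItemProperty -Path $wdigestKey -Name $valueName -Value 0 -PropertyType DWord -Force |
        Out-Null
    Write-Output "$valueName set to 0 (WDigest clear-text caching disabled)."
}

# 4. Detect remaining WDigest use: successful logons (4624) in the last 7 days whose
#    AuthenticationPackageName is WDigest. Any hits are applications to fix before
#    rolling the setting out more widely. 604800000 ms = 7 days.
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= 604800000]]" +
         " and EventData[Data[@Name='AuthenticationPackageName']='WDigest']]"

# EventData field order for 4624: 5 = TargetUserName, 6 = TargetDomainName,
# 8 = LogonType, 11 = WorkstationName, 18 = IpAddress.
$columns = @(
    'TimeCreated'
    @{ n = 'Account';     e = { "$($_.Properties[6].Value)\$($_.Properties[5].Value)" } }
    @{ n = 'LogonType';   e = { $_.Properties[8].Value } }
    @{ n = 'Workstation'; e = { $_.Properties[11].Value } }
    @{ n = 'SourceIP';    e = { $_.Properties[18].Value } }
)
Get-WinEvent -LogName 'Security' -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Select-Object -Property $columns | Format-Table -AutoSize
```

Run the detection step on its own across member servers first; an empty result set over a representative window is the evidence that the WDigest value can be set to 0 without breaking an application.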
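A second added example (again not the post’s own code) applies the two deny rights described under “New well-known SIDs” to S-1-5-113 and S-1-5-114 on a single host with a secedit security template, then exports the effective rights to verify. It assumes an elevated prompt on a host with KB2871997 applied; the file paths are constructed, and at scale the same settings belong in a Group Policy as the post describes.

```powershell
# Added example, not from the original post. Assumes an elevated prompt on a host with
# KB2871997 applied; the INF/SDB paths are constructed for this demonstration.
# secedit writes SIDs in the [Privilege Rights] section with a leading '*'.
# S-1-5-113 = LOCAL_ACCOUNT, S-1-5-114 = LOCAL_ACCOUNT_AND_MEMBER_OF_ADMINISTRATORS_GROUP
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-114
SeDenyRemoteInteractiveLogonRight = *S-1-5-113,*S-1-5-114
'@

$inf    = Join-Path $env:TEMP 'deny-local-accounts.inf'
$db     = Join-Path $env:TEMP 'deny-local-accounts.sdb'
$export = Join-Path $env:TEMP 'user-rights-export.inf'
Set-Content -Path $inf -Value $template -Encoding Unicode

# Apply only the USER_RIGHTS area so other local security policy areas are untouched.
# Note: the template replaces the existing entries for these two rights; if the host
# already has other principals in either deny list, merge them into the template first.
secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet

# Verify by exporting the effective user rights and showing the two deny entries.
secedit.exe /export /cfg $export /areas USER_RIGHTS /quiet
Get-Content $export | Where-Object { $_ -match '^SeDeny(Network|RemoteInteractive)LogonRight' }

# Caveats: these rights block network (SMB, WinRM, etc.) and RDP logon with local accounts
# but not console logon, so a local break-glass administrator still works at the keyboard.
# A host without KB2871997 does not recognise these SIDs, so the rights have no effect there.
```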


References:

  • An overview of KB2871997 (Joe Bialek’s post to the Microsoft Security Research and Defense Blog)
  • Microsoft Security Advisory: Update to improve credentials protection and management: May 13, 2014
  • Security Update for Windows 7 for x64-based Systems (KB2871997) – disables clear-text passwords in LSASS for WDigest support
  • 2.4.2.4 Well-Known SID Structures
