{"id":559,"date":"2014-11-21T23:26:00","date_gmt":"2014-11-22T04:26:00","guid":{"rendered":"http:\/\/adsecurity.org\/?p=559"},"modified":"2016-02-19T15:40:26","modified_gmt":"2016-02-19T20:40:26","slug":"microsoft-kb2871997-back-porting-windows-8-1win2012r2-enhanced-security-pass-the-hash-mitigation-to-windows-7-windows-8-windows-2008r2","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=559","title":{"rendered":"Microsoft KB2871997: Back-Porting Windows 8.1\/Win2012R2 Enhanced Security & Pass The Hash Mitigation to Windows 7, Windows 8, & Windows 2008R2"},"content":{"rendered":"

In June 2014, Microsoft released KB2871997 which takes many of the enhanced security protection mechanisms built into Windows 8.1 & Windows Server 2012 R2 and “back-ports” them to Windows 7, Windows 8, Windows Server 2008R2, and Windows Server 2012.<\/p>\n

The enhanced security features reduce the credential data stored in memory and supports modern authentication (Kerberos AES). There are two primary logon types, interactive and network.<\/p>\n

An Interactive<\/strong> logon<\/strong> occurs when a user enters their logon credentials at the logon prompt, typically when sitting in front of a computer (or when connecting to Terminal Services or Remote Desktop Protocol, RDP, services). This logon type results in the user’s credential being stored in memory, often in various forms: Kerberos tickets, NTLM hash, LM Hash (if the password is less than 15 characters long), and even the clear-text password is stored. Mimikatz is a tool that can extract credentials in LSASS protected memory as well as the local Windows Security Accounts Manager (SAM). Read the ADSecurity.org Unofficial Guide to Mimikatz & Command Reference<\/a> for more information on Mimikatz capability, usage, detection, and mitigation.<\/p>\n

The second type is a Network<\/strong> logon<\/strong> where the user’s credentials are transparently passed to the service on the destination system in order to gain access; note that the user does not have to explicitly enter credentials, they are “passed” to the target service and verified (typically using Kerberos or NTLM). With this logon type, the user’s credentials are not sent to the system hosting the service; therefore, the credentials are not stored on the destination system. This means any service receiving network logons leverages “pass the hash” for single sign on (SSO).<\/p>\n

Note: This post uses WDigest and Digest authentication interchangeably. Also, this patch doesn’t stop Pass-the-Hash, it does help harden Windows against standard attack methods such as clear-text password dumping, RDP credential theft, and lateral movement using local Administrator accounts.
\n<\/em><\/p>\n

Update: KB2871997 includes the client components of Restricted Admin Mode Remote Desktop Client (mstsc \/RestrictedAdmin). There was a patch released at the end of 2014 that includes the server components of Restricted Admin Mode for earlier versions of Windows.<\/p>\n

These protections include:
\n<\/p>\n