Introduction
Microsoft is announcing the availability of a new feature, Extended Protection for Authentication (EPA), on the Windows platform. This feature enhances the protection and handling of credentials when authenticating network connections by using Integrated Windows Authentication (IWA).Microsoft Security Advisory 973811.
The update itself does not directly provide protection against specific attacks such as credential forwarding but allows for applications to opt in to EPA. This advisory briefs developers and system administrators on this new functionality and how it can be deployed to help protect authentication credentials. For more information, seeMore Information
This security update modifies the Security Support Provider Interface (SSPI) to enhance the way Windows authentication works so that credentials are not easily forwarded when IWA is enabled.
When EPA is enabled, authentication requests are bound to both the Service Principal Names (SPN) of the server the client tries to connect to and to the outer Transport Layer Security (TLS) channel over which the IWA authentication occurs.The update adds a new registry entry to manage Extended Protection:
-
Set the registry SuppressExtendedProtection value.
Registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Value
SuppressExtendedProtection
Type
REG_DWORD
Data
0 Enables protection technology.
1 Extended Protection is disabled. 3 Extended Protection is disabled and channel bindings sent by Kerberos are also disabled, even if the application supplies them.Default value: 0x0
Note A problem that occurs when EPA is enabled by default is described in the Authentication failure from non-Windows NTLM or Kerberos servers topic on the Microsoft website.
-
Set the registry LmCompatibilityLevel value.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel to 3. This is an existing key which enables NTLMv2 Authentication. EPA only applies to NTLMv2, Kerberos, digest, and negotiation authentication protocols and does not apply to NTLMv1.
Note You must restart the computer after you set the SuppressExtendedProtection and the LmCompatibilityLevel registry values on a Windows computer.
Enable Extended Protection
Note By default, Extended Protection and NTLMv2 are both enabled in all supported versions of Windows. You can use this guide to verify this is the case.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
-
KB322756 How to back up and restore the registry in Windows
To enable Extended Protection yourself after you download and install the security update for your platform, follow these steps:
-
Start Registry Editor. To do this, click Start, click Run, type regedit in the Open box, and then click OK.
-
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
-
Verify that the registry values SuppressExtendedProtection and LmCompatibilityLevel are present.
If the registry values are not present, follow these steps to create them:-
With the registry subkey that is listed in step 2 selected, on the Edit menu, point to New, and then click DWORD Value.
-
Type SuppressExtendedProtection, and then press Enter.
-
With the registry subkey that is listed in step 2 selected, on the Edit menu, point to New, and then click DWORD Value.
-
Type LmCompatibilityLevel, and then press Enter.
-
-
Click to select the SuppressExtendedProtection registry value.
-
On the Edit menu, click Modify.
-
In the Value data box, type 0, and then click OK.
-
Click to select the LmCompatibilityLevel registry value.
-
On the Edit menu, click Modify.
Note This step changes NTLM authentication requirements. Please review the following article in the Microsoft Knowledge Base to make sure that you are familiar with this behavior.KB239869 How to enable NTLM 2 authentication
-
In the Value data box, type 3, and then click OK.
-
Exit Registry Editor.
-
If you make these changes on a Windows computer, you must restart the computer before the changes take effect.