Applies To: Windows Server 2008 Datacenter ESU; Windows Server 2008 Standard ESU; Windows Server 2008 Enterprise ESU; Windows 7 Enterprise ESU; Windows 7 Professional ESU; Windows 7 Ultimate ESU; Windows Server 2008 R2 Enterprise ESU; Windows Server 2008 R2 Standard ESU; Windows Server 2008 R2 Datacenter ESU; Windows Server 2012; Windows 8.1; Windows RT 8.1; Windows Server 2012 R2; Windows 10; Windows 10 Pro Education, version 1607; Windows 10 Professional Education, version 1607; Windows 10 Professional, version 1607; Windows Server 2016; Windows 10 Home and Pro, version 20H2; Windows 10 Enterprise and Education, version 20H2; Windows 10 IoT Enterprise, version 20H2; Windows 10 Home and Pro, version 21H1; Windows 10 Enterprise and Education, version 21H1; Windows 10 IoT Enterprise, version 21H1; Windows 10 Home and Pro, version 21H2; Windows 10 Enterprise and Education, version 21H2; Windows 10 IoT Enterprise, version 21H2; Windows 10 Home and Pro, version 22H2; Windows 10 Enterprise Multi-Session, version 22H2; Windows 10 Enterprise and Education, version 22H2; Windows 10 IoT Enterprise, version 22H2; Windows Server 2022; Azure Stack HCI, version 22H2; Windows 11 SE, version 21H2; Windows 11 Home and Pro, version 21H2; Windows 11 Enterprise and Education, version 21H2; Windows 11 IoT Enterprise, version 21H2; Windows 11 SE, version 22H2; Windows 11 Home and Pro, version 22H2; Windows 11 Enterprise Multi-Session, version 22H2; Windows 11 Enterprise and Education, version 22H2; Windows 11 IoT Enterprise, version 22H2

Introduction

Microsoft is announcing the availability of a new feature, Extended Protection for Authentication (EPA), on the Windows platform. This feature enhances the protection and handling of credentials when authenticating network connections by using Integrated Windows Authentication (IWA). The update itself does not directly provide protection against specific attacks such as credential forwarding but allows for applications to opt in to EPA. This advisory briefs developers and system administrators on this new functionality and how it can be deployed to help protect authentication credentials. For more information, see Microsoft Security Advisory 973811.

More Information

This security update modifies the Security Support Provider Interface (SSPI) to enhance the way Windows authentication works so that credentials are not easily forwarded when IWA is enabled. When EPA is enabled, each authentication request is bound both to the Service Principal Name (SPN) of the server that the client tries to connect to and to the outer Transport Layer Security (TLS) channel over which the IWA authentication occurs.

The update adds a new registry entry to manage Extended Protection:

  • Set the registry SuppressExtendedProtection value.

    Registry key

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

    Value

    SuppressExtendedProtection

    Type

    REG_DWORD

    Data

    0 Enables protection technology.
    1 Extended Protection is disabled.
    3 Extended Protection is disabled and channel bindings sent by Kerberos are also disabled, even if the application supplies them.

    Default value: 0x0

    Note A problem that occurs when EPA is enabled by default is described in the Authentication failure from non-Windows NTLM or Kerberos servers topic on the Microsoft website.

  • Set the registry LmCompatibilityLevel value. Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel to 3. This is an existing value that enables NTLMv2 authentication. EPA applies only to the NTLMv2, Kerberos, Digest, and Negotiate authentication protocols; it does not apply to NTLMv1.

Note You must restart the computer after you set the SuppressExtendedProtection and the LmCompatibilityLevel registry values on a Windows computer.

Enable Extended Protection

Note By default, Extended Protection and NTLMv2 are both enabled in all supported versions of Windows. You can use this guide to verify this is the case.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

  • KB322756 How to back up and restore the registry in Windows

To enable Extended Protection yourself after you download and install the security update for your platform, follow these steps:

  1. Start Registry Editor. To do this, click Start, click Run, type regedit in the Open box, and then click OK.

  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

  3. Verify that the registry values SuppressExtendedProtection and LmCompatibilityLevel are present. If the registry values are not present, follow these steps to create them:

    1. With the registry subkey that is listed in step 2 selected, on the Edit menu, point to New, and then click DWORD Value.

    2. Type SuppressExtendedProtection, and then press Enter.

    3. With the registry subkey that is listed in step 2 selected, on the Edit menu, point to New, and then click DWORD Value.

    4. Type LmCompatibilityLevel, and then press Enter.

  4. Click to select the SuppressExtendedProtection registry value.

  5. On the Edit menu, click Modify.

  6. In the Value data box, type 0, and then click OK.

  7. Click to select the LmCompatibilityLevel registry value.

  8. On the Edit menu, click Modify.

    Note This step changes NTLM authentication requirements. Please review the following article in the Microsoft Knowledge Base to make sure that you are familiar with this behavior.

    KB239869 How to enable NTLM 2 authentication

  9. In the Value data box, type 3, and then click OK.

  10. Exit Registry Editor.

  11. If you make these changes on a Windows computer, you must restart the computer before the changes take effect.
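The same verification and change that the registry table above and steps 1 to 11 describe, as an added PowerShell example that is not part of this KB article. The function names and the -Remediate switch are my own; it assumes an elevated prompt on one of the listed Windows versions.

```powershell
# Added example, not part of the KB article: audit (and with -Remediate, set) the two
# LSA values the article describes. Run elevated; restart afterwards, as the article notes.
param([switch]$Remediate)

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaDword {
    param([string]$Name)
    # $null means the value is absent; the KB treats absence as the default (0x0 = enabled).
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-EpaStatus {
    $suppress = Get-LsaDword 'SuppressExtendedProtection'
    $lmLevel  = Get-LsaDword 'LmCompatibilityLevel'

    # Map SuppressExtendedProtection to the states in the KB's data table.
    if ($null -eq $suppress -or $suppress -eq 0) { $epa = 'Enabled' }
    elseif ($suppress -eq 1) { $epa = 'Disabled' }
    elseif ($suppress -eq 3) { $epa = 'Disabled; Kerberos channel bindings also suppressed' }
    else { $epa = "Unrecognised value $suppress" }

    # EPA only covers NTLMv2, so NTLMv1 must be off: the KB asks for LmCompatibilityLevel 3.
    if ($null -eq $lmLevel) { $ntlm = 'Not set (OS default)' }
    elseif ($lmLevel -ge 3) { $ntlm = "NTLMv2 enforced (level $lmLevel)" }
    else { $ntlm = "Level $lmLevel permits NTLMv1, which EPA does not protect" }

    [pscustomobject]@{
        SuppressExtendedProtection = $suppress
        ExtendedProtection         = $epa
        LmCompatibilityLevel       = $lmLevel
        NtlmPolicy                 = $ntlm
        Compliant = ($epa -eq 'Enabled') -and ($null -ne $lmLevel) -and ($lmLevel -ge 3)
    }
}

function Set-EpaRecommended {
    # KB-recommended values; New-ItemProperty -Force creates the value or overwrites an existing one.
    foreach ($pair in @{ SuppressExtendedProtection = 0; LmCompatibilityLevel = 3 }.GetEnumerator()) {
        New-ItemProperty -Path $LsaKey -Name $pair.Key -Value $pair.Value -PropertyType DWord -Force | Out-Null
    }
    Write-Warning 'Registry updated; restart the computer for the change to take effect.'
}

$status = Get-EpaStatus
$status | Format-List
if ($Remediate -and -not $status.Compliant) { Set-EpaRecommended }
```

Without -Remediate the script only reports, which makes it safe to run across a fleet before deciding to change anything.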
