Thursday, January 14, 2016

KB2871997 - Overview and Resources


KB2871997 was released almost two years ago. I'm a bit ashamed it took me so long to realize all the awesomeness packed inside. Microsoft has really gone above and beyond to backport some of these security features into Windows 7. I talked about one of the features enabled by this update in my previous post.

Below is a quick overview of the features enabled by the update. Below that is a resources section with all the nitty gritty details.

Update - for an even better overview check out Sean Metcalf's post at adsecurity.org.


KB2871997 Quick Overview
  • Protected Users group
    • Works well with "Authentication Policies and Silos"
    • Members can only authenticate with Kerberos (NTLM, WDigest and CredSSP are refused) and the Kerberos side is hardened: AES is required (no DES/RC4 keys), the account cannot be delegated, and the TGT lifetime is cut to four hours
    • The update adds host-side support for the group to Windows 7/2008 R2/8/2012; the group itself only exists once the PDC emulator runs 2012 R2
  • Restricted Admin RDP mode
    • The admin's credentials are never sent to the target, so they cannot be harvested from its LSASS; the client connects with mstsc.exe /restrictedadmin
    • Restricted Admin connections can only be made to a target that supports the mode (Win8.1+/2012R2; see the "How to Enable Restricted Admin" link below for the server-side setting)
    • Whether this control is a net win is debated
      • Because the client never presents a password, an attacker holding only the account's NT hash (or a Kerberos ticket) can open a Restricted Admin session, so RDP becomes a pass-the-hash target
      • I'd love to hear people's thoughts on this in the comments
  • New well-known SIDs
    • LOCAL_ACCOUNT (S-1-5-113) and LOCAL_ACCOUNT_AND_MEMBER_OF_ADMINISTRATORS_GROUP (S-1-5-114)
    • Put S-1-5-113 (or S-1-5-114) in "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services" to stop local accounts being used for lateral movement, even where the same local admin password is reused across machines
    • If you haven't heard about this yet, drop everything and see previous post on implementing it
  • Features to help mitigate Mimikatz / WCE type tools
    • Cached credentials are cleared from LSASS when the user logs off: the clear-text password, the user's NT/LM password hash and the user's Kerberos TGT/session key no longer linger after logoff (Mimikatz mitigation)
    • Removal of clear-text credentials from LSASS
      • Every Microsoft SSP in LSASS besides WDigest stops storing the user's clear-text password
        • WDigest can be turned off with the registry value the update adds: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 0 (DWORD); on Windows 7/2008 R2 it must be set explicitly, because an absent value means WDigest keeps caching
      • The NT hash and Kerberos TGT/session key are still kept in memory
        • Without them single sign-on would not work, so pass-the-hash and pass-the-ticket against a live session remain possible
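As an added example (not code from the original post, and not Microsoft's own tooling), here is a PowerShell script that audits a Windows 7 / 2008 R2 host for the items above and can apply two of them: turning off WDigest clear-text caching and denying local accounts network and RDP logon via the S-1-5-113 SID. The registry paths, SIDs, user-right names and secedit syntax are the documented ones; the function names, temp-file names and output strings are this example's own choices.

```powershell
# Added example (not code from the original post): audit, and optionally apply,
# the KB2871997-related settings discussed above on a Windows 7 / 2008 R2 host.
# Run from an elevated PowerShell prompt. Registry paths and SIDs are the documented
# ones; function names, the $inf/$sdb temp files and the output strings are this
# example's own choices.

Set-StrictMode -Version 2
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Test-KB2871997Installed {
    # Get-HotFix reads the same data as 'wmic qfe'. On 8.1/2012 R2 and later the
    # features ship with the OS, so a missing entry there is expected.
    return [bool](Get-HotFix -Id 'KB2871997' -ErrorAction SilentlyContinue)
}

function Get-WDigestSetting {
    # UseLogonCredential is the value the update adds. 0 = WDigest no longer keeps the
    # clear-text password in LSASS. On Win7/2008 R2 an ABSENT value behaves like 1.
    $v = Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'absent (Win7/2008 R2: WDigest still caches clear-text)' }
    return $v.UseLogonCredential
}

function Disable-WDigestCaching {
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    Set-ItemProperty -Path $WDigestKey -Name UseLogonCredential -Value 0 -Type DWord
    # Sessions that are already logged on have their password cached already; reboot to be sure.
}

function Get-RestrictedAdminSetting {
    # Server side: DisableRestrictedAdmin = 0 accepts Restricted Admin connections;
    # Microsoft's guidance treats an absent value as "not enabled".
    # The client side needs no registry change: mstsc.exe /restrictedadmin
    $v = Get-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'absent (Restricted Admin not enabled on this target)' }
    return $v.DisableRestrictedAdmin
}

function Test-LocalAccountSids {
    # The two well-known SIDs the update adds. Translate() throws on a host without it.
    $sids = @{
        'S-1-5-113' = 'LOCAL_ACCOUNT'
        'S-1-5-114' = 'LOCAL_ACCOUNT_AND_MEMBER_OF_ADMINISTRATORS_GROUP'
    }
    foreach ($sid in $sids.Keys) {
        try {
            $acct = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                        [System.Security.Principal.NTAccount])
            "{0} {1} -> '{2}'" -f $sid, $sids[$sid], $acct.Value
        } catch {
            "{0} {1} -> does not resolve (update missing?)" -f $sid, $sids[$sid]
        }
    }
}

function Deny-LocalAccountRemoteLogon {
    # Puts S-1-5-113 in the two "Deny ..." user rights via secedit. WARNING: secedit
    # REPLACES each listed right's entire assignment, so export the current policy first
    # ('secedit /export /cfg current.inf') and merge any existing principals onto these
    # lines. On domain-joined hosts set the same rights through Group Policy instead.
    $inf = Join-Path $env:TEMP 'deny-local.inf'
    $sdb = Join-Path $env:TEMP 'deny-local.sdb'
    @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-113
SeDenyRemoteInteractiveLogonRight = *S-1-5-113
'@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db $sdb /cfg $inf /areas USER_RIGHTS
}

# Audit (read-only):
'KB2871997 installed        : {0}' -f (Test-KB2871997Installed)
'WDigest UseLogonCredential : {0}' -f (Get-WDigestSetting)
'Lsa\DisableRestrictedAdmin : {0}' -f (Get-RestrictedAdminSetting)
Test-LocalAccountSids
# Harden (elevated, after reading the warnings in each function):
#   Disable-WDigestCaching
#   Deny-LocalAccountRemoteLogon
```

The audit part is safe to run anywhere; the two hardening functions change system state, and Deny-LocalAccountRemoteLogon in particular overwrites the current assignees of the two deny rights, which is why it insists on an export-and-merge first.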

Resources

Restricted Admin - https://www.petri.com/should-i-use-rdp-restricted-admin-mode

How to Enable Restricted Admin - http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx

Good video from Microsoft with demos of Mimikatz, Windows Credential Editor (WCE), Authentication Policies and Silos -
https://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B359?format=html5#fbid=

Excellent Overview and Explanation of KB2871997 - https://adsecurity.org/?p=559