More information about this update

·       What is Extended Protection?

This update contains a defense-in-depth fix to allow for the SMB server to opt in to extended protection. By default, this functionality is disabled. To make sure that you know the effect of these changes, review this article and the following security advisory closely.
They describe Extended Protection in more detail:

973811 (http://support.microsoft.com/kb/973811/): Microsoft Security Advisory: Extended protection for authentication

·       How do I enable Extended Protection on my computer?

Before you enable Extended Protection, make sure that the following update is installed on both the client and server computers:

968389 (http://support.microsoft.com/kb/968389/): Extended Protection for Authentication

Additionally, to enable Extended Protection for Authentication in Server service, make sure that this update is installed on the server.

Notes

o   The client-side setting that enables Extended Protection is a system-wide setting. When this setting is enabled, Extended Protection is enabled for all components on the client computer.

o   On a server, Extended Protection has to be enabled for each component individually. Make sure that all client components for a particular server are updated for Extended Protection before you enable it on the server. Otherwise, authentication failures may occur. After both updates are installed, you will have to enable Extended Protection on both the client and the server computers.

To enable Extended Protection on your computer, the following changes are required.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 (http://support.microsoft.com/kb/322756/): How to back up and restore the registry in Windows

o   If the computer is an SMB client:

Verify that the registry values SuppressExtendedProtection and LmCompatibilityLevel are located in the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

If the registry values are not present, follow these steps:

1.      Start Registry Editor.

2.      Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

3.      On the Edit menu, point to New, and then click DWORD Value.

4.      Type SuppressExtendedProtection, and then press Enter.

5.      On the Edit menu, click Modify.

6.      Type 0, and then click OK.

7.      On the Edit menu, point to New, and then click DWORD Value.

8.      Type LmCompatibilityLevel, and then press ENTER.

9.      On the Edit menu, click Modify.

Note This step changes NTLM authentication requirements. Before you change an NTLM authentication requirement, make sure that you are familiar with this behavior. For more information, refer to article 239869 in the Microsoft Knowledge Base (http://support.microsoft.com/kb/239869/ ): "How to enable NTLM 2 authentication."

10.   Type 3, and then click OK.

11.   Exit Registry Editor.

o   On an SMB server:

Before you set any hardening modes, refer to the following MSDN article:

http://msdn.microsoft.com/en-us/library/dd767318.aspx

To set the hardening modes on an SMB server, follow these steps:

1.      Start Registry Editor.

2.      Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

3.      On the Edit menu, point to New, and then click DWORD Value.

4.      Type SmbServerNameHardeningLevel, and then press Enter.

5.      On the Edit menu, click Modify.

6.      Set the registry value by using one of the following values, based on your SMB server requirements, and then click OK:

§  Legacy: Allow all kinds of clients. Set SmbServerNameHardeningLevel to 0.

§  Partial (Legacy + EP): Allow clients that do not send a service principal name (SPN) and clients that send the correct SPN. Set SmbServerNameHardeningLevel to 1.

§  Fully Hardened (Only EP): Allow only clients that send the correct SPN. Set SmbServerNameHardeningLevel to 2.

7.      Exit Registry Editor.

On Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 platforms, this setting will not take effect until the computer is restarted.
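The client and server procedures above are both plain registry edits, so they can be scripted and verified instead of clicked through. The following PowerShell is an added example, not code from the Microsoft article: it creates the three DWORD values the article names, changes them only when they differ from the target, and prints the result. The client half is meant to run on SMB clients and the server half on SMB servers; the hardening level of 1 (Partial) is an assumed starting point that matches the article's advice to update clients before raising the level.

```powershell
# Added example; not part of the Microsoft article. Creates (or corrects) the registry
# values from the client and server procedures above and prints the result. Run from an
# elevated PowerShell prompt on a computer that already has the required updates installed,
# after backing up the registry as the article advises.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Set-DwordValue {
    # Create the DWORD if it is missing, change it if it differs, leave it alone if already correct.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { throw "Registry key $Path not found" }
    $existing = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value | Out-Null
        Write-Host "Created $Name = $Value"
    } elseif ($existing.$Name -ne $Value) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value
        Write-Host "Changed $Name from $($existing.$Name) to $Value"
    } else {
        Write-Host "$Name is already $Value"
    }
}

# SMB client (steps 1 to 11 above): opt in to Extended Protection and send NTLMv2 only.
Set-DwordValue -Path $lsaKey -Name 'SuppressExtendedProtection' -Value 0
Set-DwordValue -Path $lsaKey -Name 'LmCompatibilityLevel'       -Value 3

# SMB server (steps 1 to 7 above): 0 = Legacy, 1 = Partial (Legacy + EP), 2 = Fully Hardened (Only EP).
# Partial (assumed here) keeps legacy clients working while they are being updated; move to 2 afterwards.
$hardeningLevel = 1
Set-DwordValue -Path $srvKey -Name 'SmbServerNameHardeningLevel' -Value $hardeningLevel

# Show the resulting state so it can be recorded with the change.
Get-ItemProperty -Path $lsaKey -Name SuppressExtendedProtection, LmCompatibilityLevel |
    Format-List SuppressExtendedProtection, LmCompatibilityLevel
Get-ItemProperty -Path $srvKey -Name SmbServerNameHardeningLevel |
    Format-List SmbServerNameHardeningLevel
```

On Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 the server value only takes effect after a restart, so the verification output on those platforms shows the configured value, not the active one.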

·       When you install this package

The default value for SmbServerNameHardeningLevel is 0. You have to manually create this registry value and set it according to the hardening mode that you select. To add the registry value, follow the steps that are listed earlier in this article under "How do I enable Extended Protection on my computer?"

o   Default allowed SPNs on an SMB server:

§  By default, the SMB server will allow the following list of names and IPs:

§  "localhost" as a string in English

§  All IP addresses (IPv4 and IPv6) of the server or computer itself

§  127.0.0.1 & ::1

§  Host name in NetBIOS format

§  Host name in FQDN format

§  (Failover Cluster nodes only) Cluster host name in NetBIOS format

§  (Failover Cluster nodes only) Cluster host name in FQDN format

§  If the administrator decides to allow other SPNs, the administrator can add more names. The name will not be converted from NetBIOS to FQDN or from FQDN to NetBIOS.

To add more names, follow these steps:

1.     Start Registry Editor.

2.     Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

3.     On the Edit menu, point to New, and then click Multi-String Value.

4.     Type SrvAllowedServerNames, and then press ENTER.

5.     On the Edit menu, click Modify.

6.     Add the host names in FQDN format, host names in NetBIOS format, or IP addresses that you want to be allowed as SPNs, and then click OK.

7.     Exit Registry Editor.

§  On Windows Server 2003 only, the server polls and enumerates the IPv6 addresses.

If the server is hardened, there will be a delay between the time that the computer's IPv6 address changes and the time that the SMB server accepts connections on the new IPv6 address. The maximum length of this delay is the polling interval, which is controlled by the IPv6Polltime registry value and defaults to 5 minutes if the value is not present.

To set the IPv6 address polling interval, follow these steps:

1.     Start Registry Editor.

2.     Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

3.     On the Edit menu, point to New, and then click DWORD Value.

4.     Type IPv6Polltime, and then press ENTER.

5.     On the Edit menu, click Modify.

6.     Set the registry value to the desired polling interval in minutes, and then click OK.

7.     Exit Registry Editor.

This behavior does not apply when you access the SMB server through its IPv4 addresses, NetBIOS host names, or FQDN host names.
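SrvAllowedServerNames is a multi-string value, and the article's procedure for it, the IPv6 scope-id workaround in "Unsupported scenarios", and the HOST/alias form for Windows 2000 clients all come down to maintaining that list carefully. The following PowerShell is an added example (not code from the Microsoft article) that merges new names into the existing list without dropping entries or creating case-only duplicates, strips the "%xx" zone id from a link-local address, adds the HOST/ form alongside each name, and sets IPv6Polltime. The alias, FQDN and IPv6 address are constructed placeholders.

```powershell
# Added example; not part of the Microsoft article. Run elevated on the SMB server.
# All host names and addresses below are constructed placeholders.

$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Add-SrvAllowedServerName {
    # Merge $Names into SrvAllowedServerNames, preserving existing entries, and return the new list.
    param([Parameter(Mandatory=$true)][string[]]$Names)

    $existing = Get-ItemProperty -Path $srvKey -Name SrvAllowedServerNames -ErrorAction SilentlyContinue
    $current  = if ($null -ne $existing) { @($existing.SrvAllowedServerNames) } else { @() }

    # Case-insensitive de-duplication. The server does not convert NetBIOS <-> FQDN,
    # so both forms of a name have to be listed explicitly.
    $seen   = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
    $merged = @(foreach ($n in ($current + $Names)) { if ($n -and $seen.Add($n)) { $n } })

    if ($null -eq $existing) {
        New-ItemProperty -Path $srvKey -Name SrvAllowedServerNames -PropertyType MultiString -Value ([string[]]$merged) | Out-Null
    } else {
        Set-ItemProperty -Path $srvKey -Name SrvAllowedServerNames -Value ([string[]]$merged)
    }
    return $merged
}

# 1. An alias in both NetBIOS and FQDN form (constructed).
$alias     = 'FILESVR-ALIAS'
$aliasFqdn = 'filesvr-alias.corp.example'

# 2. A link-local IPv6 address (constructed). The article says the scope/zone id
#    ("%xx") is not supported, so it is removed before the address is listed.
$linkLocal       = 'fe80::1234:5678:9abc:def0%12'
$linkLocalNoZone = $linkLocal -replace '%.*$', ''

# 3. Windows 2000 clients send HOST/<name>, so each name is also listed in that form.
$plainNames   = @($alias, $aliasFqdn, $linkLocalNoZone)
$win2000Forms = $plainNames | ForEach-Object { "HOST/$_" }

$result = Add-SrvAllowedServerName -Names ($plainNames + $win2000Forms)
Write-Host 'SrvAllowedServerNames now contains:'
$result | ForEach-Object { Write-Host "  $_" }

# Windows Server 2003 only: re-enumerate IPv6 addresses every minute instead of the default 5.
$poll = Get-ItemProperty -Path $srvKey -Name IPv6Polltime -ErrorAction SilentlyContinue
if ($null -eq $poll) {
    New-ItemProperty -Path $srvKey -Name IPv6Polltime -PropertyType DWord -Value 1 | Out-Null
} else {
    Set-ItemProperty -Path $srvKey -Name IPv6Polltime -Value 1
}
```

Reading the current value before writing matters here: Set-ItemProperty on a multi-string value replaces the whole list, so a script that only writes the new names would silently remove aliases that other administrators added earlier.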

SPN auditing

·       On Windows 7 and Windows Server 2008 R2 platforms, SPN accept and SPN reject events are generated in the Security event log per the server's audit policy for Object Access (or Object Access\Audit File Share in the Advanced Audit Policy configuration). By default, auditing of these events is disabled for both successes and failures on these platforms.

SPN audit entries have Event ID 5168 and a format similar to the following:

Spn check for SMB/SMB2 fails.
        Subject:
            Security ID:        <Sid>
            Account Name:       <Account>
            Account Domain:     <Domain>
            Logon ID:           <LUID>
        SPN:
            SPN Name:           <SPN>
            Error Code:         <Status>
        Server Information:
            Server Names:       <list of detected names>
            Configured Names:   <list of configured names>
            IP Addresses:       <list of all computer IP addresses>

·       On Windows Vista, Windows Server 2008, Windows XP, and Windows Server 2003 platforms, only SPN failure events are logged, regardless of the server's configured auditing policy.

On these platforms, if authentication fails on a hardened server because of a rejected SPN, a warning that contains Event Id 2028 is logged in the System log in the following format:

Authentication failed for SMB v(<protocol#>). The server detected an invalid or NULL SPN (<SPN>) while authenticating SPN at hardening level (<hardening level>)
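Before raising SmbServerNameHardeningLevel to 2, an administrator wants to know which names clients actually present and which clients send no SPN at all. The following PowerShell is an added example, not code from the Microsoft article: it enables the File Share audit subcategory, pulls Event ID 5168 from the Security log, parses the fields using the labels from the sample format above, separates NULL-SPN rejections (the troubleshooting case) from rejections of real names (candidates for SrvAllowedServerNames), and finally reads the Event ID 2028 warning that the older platforms write to the System log. It assumes Windows 7 or Windows Server 2008 R2 for the Security-log part and a 24-hour window; the field-parsing regex relies on the event text keeping the "Label:   value" layout shown in the article.

```powershell
# Added example; not part of the Microsoft article. Run elevated on the SMB server.

# Event 5168 is only written when the File Share subcategory is audited, so enable it first.
auditpol /set /subcategory:"File Share" /success:enable /failure:enable | Out-Null

function Get-MessageField {
    # Pull "<Label>:   <value>" out of the event text, using the layout from the article's sample.
    param([string]$Message, [string]$Label)
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*(?<v>.*?)\s*$") { return $Matches.v }
    return ''
}

$since  = (Get-Date).AddHours(-24)   # assumed reporting window
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5168; StartTime = $since } -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Security audits carry "Audit Failure" / "Audit Success" keywords; use them to tell reject from accept.
    $outcome = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Reject' } else { 'Accept' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Outcome = $outcome
        Domain  = Get-MessageField $e.Message 'Account Domain'
        Account = Get-MessageField $e.Message 'Account Name'
        Spn     = Get-MessageField $e.Message 'SPN Name'
        Status  = Get-MessageField $e.Message 'Error Code'
        Servers = Get-MessageField $e.Message 'Server Names'
    }
}

Write-Host "SPN audit events in window: $(@($report).Count)"

# Rejections with a NULL SPN: per the Troubleshooting section, the client most likely lacks the
# client-side update or has SuppressExtendedProtection set incorrectly.
Write-Host "`nRejections with NULL SPN (client not sending Extended Protection data):"
$report | Where-Object { $_.Outcome -eq 'Reject' -and $_.Spn -match 'NULL' } |
    Format-Table Time, Domain, Account, Status -AutoSize

# Rejections of a real name: the client used a name the server does not recognise.
# Each distinct name is a candidate for SrvAllowedServerNames (or a sign of a stale alias).
Write-Host "`nRejected SPNs by name (review before adding to SrvAllowedServerNames):"
$report | Where-Object { $_.Outcome -eq 'Reject' -and $_.Spn -notmatch 'NULL' } |
    Group-Object Spn | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Windows Vista, Server 2008, XP and Server 2003 only log the System-log warning (Event ID 2028).
# Get-EventLog is used here because it exists on those older PowerShell versions as well.
Write-Host "`nSystem-log SPN warnings (older platforms):"
Get-EventLog -LogName System -After $since | Where-Object { $_.EventID -eq 2028 } |
    Select-Object TimeGenerated, Message | Format-List
```

Run this for a few days at hardening level 1 before moving to 2: level 1 still lets clients without an SPN in, so the NULL-SPN list shows exactly which clients would start failing at level 2, while the rejected-name list shows which aliases still need to be added.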

Troubleshooting

·       The presence of a "NULL" SPN in the event log may mean the client does not have the package described in Knowledge Base article 973811 installed. If 973811 is installed on the client, the SuppressExtendedProtection registry value may not have been set correctly.

·       If a hardened computer is inaccessible by using an "expected" name, such as an alias, confirm that the alias is present in the SrvAllowedServerNames registry value. See the "When you install this package" section for information about how to do this.

Unsupported scenarios

·       You cannot access an SMB server by using an alias name. You will have to add the alias name to the SrvAllowedServerNames registry value. See the "When you install this package" section for information about how to do this.

·       On computers that are running Windows XP with simple file sharing enabled, files are no longer available after you change SmbServerNameHardeningLevel to 2.

Note By default, simple file sharing is enabled on all Windows XP systems that are not joined to a domain.

To work around this issue, follow the appropriate steps:

1.      Set SmbServerNameHardeningLevel to 0 or to 1 to continue to allow anonymous connections to the SMB server.

2.      Windows XP Professional and Windows XP 64-Bit Edition only

Disable simple file sharing, and require authentication to access files. For more information about how to disable simple file sharing on Windows XP Professional, click the following article number to view the article in the Microsoft Knowledge Base:

307874 (http://support.microsoft.com/kb/307874/): How to disable simple file sharing and how to set permissions on a shared folder in Windows XP

·       Services that are running in the LocalService account or that otherwise try to establish an anonymous connection to a server that has SmbServerNameHardeningLevel set to 2 (fully hardened) fail.

To work around this issue, follow the appropriate steps:

o   For scenarios in which both computers are joined to the same domain or to trusted domains, run affected services from the NetworkService account and affected applications from domain user accounts.

o   For non-domain scenarios, set SmbServerNameHardeningLevel to 0 or to 1 on the server.

·       Accessing a hardened SMB server share by using an IPv6 address that has a scope/zone id (for example, a link-local address) is not supported.

Note Accessing the hardened SMB server by using its FQDN host name or NetBIOS host name over IPv6 as a transport is not affected.

To work around this issue, add the corresponding IPv6 address without the scope/zone id (that is, without the "%xx" part) to the SrvAllowedServerNames registry value. See the "When you install this package" section for information about how to do this.

·       Accessing hardened SMB Server from any SMB client implementation that does not support extended protection/SPN is not supported.

·       Windows 2000-based computers cannot access SMB servers that have SmbServerNameHardeningLevel set to 1 or to 2.

Windows 2000-based clients send an incorrect service principal name (SPN) when they authenticate to an SMB server by using the Kerberos protocol. To work around this issue, add entries to the server's SrvAllowedServerNames list in the format HOST/alias for all server host names in NetBIOS format, for all server host names in FQDN format, and for all server IP addresses that have to be reachable from Windows 2000-based computers. See the "When you install this package" section for information about how to do this.

·       Legacy clients, such as Windows NT 4.0 and earlier versions, cannot access SMB servers that have SmbServerNameHardeningLevel set to 1 or to 2.

In order to protect SMB servers from credential forwarding, SMB clients must support GSS authentication (RFC 2743, http://go.microsoft.com/fwlink/?LinkId=90378) in order to access SMB servers that have SmbServerNameHardeningLevel set to 1 or to 2. (Windows 2000 and later versions of Windows support GSS authentication over SMB.)

SMB servers that have to be accessed by clients not supporting GSS authentication must have SmbServerNameHardeningLevel set to 0 (the default).