
Subject: Meeting the InCommon Assurance profile criteria using Active Directory


[AD-Assurance] Security features in Win8.1/WS2012R2

  • From: Brian Arkills
  • Subject: [AD-Assurance] Security features in Win8.1/WS2012R2
  • Date: Mon, 23 Sep 2013 15:47:58 +0000

Here's a rundown of security features of interest coming with the WS2012R2 & Win8.1 release.


There's a Protected Users group, which in concert with the new Authentication Policies & Authentication Policy Silos features, enables some protections for users placed in this group:


-Non-configurable protections:
    - Only Kerberos authentication, no ability to use NTLM (any version)
    - Can't use DES or RC4 cipher suites (with Kerberos)
    - 4 hour TGT lifetime, no TGT renewal beyond
    - Delegation forbidden

-Requires Windows 8.1 or WS2012R2 hosts & WS2012R2 domain/DCs


I mentioned the AuthN Policy/Silos. Those are fascinating, very similar to the old "Log On To"/Logon Workstations functionality in ADUC, but much more refined. In a nutshell, you can control what conditions are required in order to issue a Kerberos TGS. For example, if someone needs to access the "Finance" file share, in addition to the usual stuff, you can require that the user logon request come from specific computers.


There are some LSASS hardening changes:

-Greatly reduced credential storage, such that across a bunch of the authN providers, credentials are no longer stored in memory. NTLM NT is the one holdout for the 3 types of user accounts listed (Microsoft Account, local user, domain user), unless the user is in the Protected Users group.

-Is a protected process such that non-protected processes can't read or inject.


There's a RDP RestrictedAdmin mode, which when configured, makes it such that you do not send your credentials over the wire to the RDP host & your logon token is not sent from that RDP host beyond.


You can explore material at & have a good rundown of these features.


All of these features currently require Windows 8.1 and WS2012R2, but there was some hope for back ports to prior OSes at the end of a Black Hat presentation, with a TBD noted.


One other thing that I got reading between the lines of the Black Hat presentation (which focused on Pass the Ticket) is that Microsoft now considers NTLM a dead-end and is investing in features that don't leverage it.
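As an added illustration (not part of the original message) of the Finance example above, the following PowerShell uses the WS2012R2 ActiveDirectory module cmdlets to build an authentication policy silo so that the covered users only get a TGT when the logon comes from the silo's own computers, and then puts them in Protected Users for the non-configurable protections. The silo, policy, user and computer names are hypothetical placeholders.

```powershell
Import-Module ActiveDirectory

# Hypothetical names; substitute your own silo, policy and account names.
$SiloName   = 'Finance-Silo'
$UserPolicy = 'Finance-UserPolicy'
$HostPolicy = 'Finance-HostPolicy'
$Users      = @('fin.analyst')             # user accounts being protected
$Hosts      = @('FIN-WS01$', 'FIN-FS01$')  # workstation + file server (8.1/2012R2)

# User policy: 4-hour TGT (same ceiling Protected Users imposes) plus a
# condition that the TGT is only issued when the requesting device is
# itself a member of the silo (claims-based SDDL on the policy).
$FromSilo = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$SiloName`"))"
New-ADAuthenticationPolicy -Name $UserPolicy -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $FromSilo

# Computer policy so the machine accounts can be silo members too.
New-ADAuthenticationPolicy -Name $HostPolicy -ComputerTGTLifetimeMins 240

# Create the silo WITHOUT -Enforce first: audit mode logs what would be
# denied without breaking logons. Add -Enforce once the audit is clean.
New-ADAuthenticationPolicySilo -Name $SiloName `
    -UserAuthenticationPolicy $UserPolicy -ComputerAuthenticationPolicy $HostPolicy

# Every account must be both granted access to the silo and assigned to it.
foreach ($acct in ($Users + $Hosts)) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $acct
    Set-ADAccountAuthenticationPolicySilo -Identity $acct -AuthenticationPolicySilo $SiloName
}

# Protected Users supplies the non-configurable part: Kerberos only,
# no DES/RC4, no delegation, no NTLM.
Add-ADGroupMember -Identity 'Protected Users' -Members $Users

# Verify: silo membership/enforcement state and the user's group membership.
Get-ADAuthenticationPolicySilo -Identity $SiloName -Properties * |
    Select-Object Name, Enforce, Members
Get-ADUser $Users[0] -Properties AuthenticationPolicySilo, MemberOf |
    Select-Object Name, AuthenticationPolicySilo,
        @{ n = 'ProtectedUser'; e = { [bool]($_.MemberOf -match 'Protected Users') } }
```

Run it as a Domain Admin against a WS2012R2 DC; users in the silo will be unable to log on from any computer that is not also in the silo once -Enforce is set.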

