INTRODUCTION

Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, go to the following Microsoft website:

https://technet.microsoft.com/security/advisory/2871997

More Information

On July 8, 2014, Microsoft released the following:

2973351 Microsoft Security Advisory: Registry update to improve credentials protection and management for Windows-based systems that have the 2919355 update installed: July 8, 2014

2975625 Microsoft Security Advisory: Registry update to improve credentials protection and management for Windows systems that do not have the 2919355 update installed: July 8, 2014This update provides configurable registry settings for managing the Restricted Admin mode for Credential Security Support Provider (CredSSP). Note The update changes default Restricted Admin mode functionality in Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. For more information, see the FAQ section of the advisory.

How to configure the Restricted Admin registry setting

ImportantThis section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756How to back up and restore the registry in Windows The default behavior for Restricted Admin mode changed in Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. By default, Restricted Admin mode is now turned off, and you have to enable it again after you install update 2973351 or 2975625 if it is required. Previously, Restricted Admin mode was turned on by default. To configure the Restricted Admin registry setting, add a DWORD value that is named DisableRestrictedAdmin to the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa To do this, follow these steps:

  1. Click Start, click Run, type regedit in the Open box, and then click OK.

  2. Locate and then click the following subkey in the registry:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

  3. On the Edit menu, point to New, and then click DWORD Value.

  4. Type DisableRestrictedAdmin for the name of the DWORD value, and then press Enter.

  5. Right-click DisableRestrictedAdmin, and then click Modify.

    • To disable Restricted Admin mode, type 1 in the Value data box, and then click OK.

    • To enable Restricted Admin mode, type 0 in the Value data box, and then click OK.

  6. Exit Registry Editor, and then restart the computer.

FILE INFORMATION

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

For all supported x86-based versions of Windows 8.1

File name

File version

File size

Date

Time

Platform

Service branch

Credssp.adml

Not applicable

18,207

22-Aug-2013

05:14

Not applicable

X86_MICROSOFT-WINDOWS-CREDSSP-ADM.RESOURCES_31BF3856AD364E35_6.3.9600.16670_EN-US_CC90990BBCE23A4A

Credssp.admx

Not applicable

11,354

18-Jun-2013

12:36

Not applicable

X86_MICROSOFT-WINDOWS-CREDSSP-ADM_31BF3856AD364E35_6.3.9600.16670_NONE_6D8AC11F770DE49F

Cng.sys

6.3.9600.16670

475,184

09-Jun-2014

00:15

x86

Not applicable

Ksecpkg.sys

6.3.9600.16670

147,800

09-Jun-2014

00:22

x86

Not applicable

Lsasrv.dll

6.3.9600.16670

1,088,512

08-Jun-2014

19:58

x86

Not applicable

For all supported x64-based versions of Windows 8.1 and Windows Server 2012 R2

File name

File version

File size

Date

Time

Platform

Service branch

Credssp.adml

Not applicable

18,207

22-Aug-2013

12:30

Not applicable

AMD64_MICROSOFT-WINDOWS-CREDSSP-ADM.RESOURCES_31BF3856AD364E35_6.3.9600.16670_EN-US_28AF348F753FAB80

Credssp.admx

Not applicable

11,354

18-Jun-2013

15:03

Not applicable

AMD64_MICROSOFT-WINDOWS-CREDSSP-ADM_31BF3856AD364E35_6.3.9600.16670_NONE_C9A95CA32F6B55D5

Cng.sys

6.3.9600.16670

565,536

09-Jun-2014

04:23

x64

Not applicable

Ksecpkg.sys

6.3.9600.16670

192,856

09-Jun-2014

04:29

x64

Not applicable

Lsasrv.dll

6.3.9600.16670

1,416,192

08-Jun-2014

20:26

x64

Not applicable

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.