Microsoft Security Advisory: Extended protection for authentication

Support for Windows XP has ended

Microsoft ended support for Windows XP on April 8, 2014. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

Support for Windows Server 2003 ended on July 14, 2015

Microsoft ended support for Windows Server 2003 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: Support is ending for some versions of Windows.
INTRODUCTION
Microsoft has released security advisory 973811. To view the complete security advisory, visit the following Microsoft website:

How to obtain help and support for this security update

Help installing updates: Support for Microsoft Update

Security solutions for IT professionals: TechNet Security Troubleshooting and Support

Help protect your computer that is running Windows from viruses and malware:Virus Solution and Security Center

Local support according to your country: International Support

MORE INFORMATION

How do I configure .NET to utilize Extended Protection for Authentication?

Here are the steps for enabling Extended Protection for the Microsoft .NET Framework 2.0 Service Pack 2, .NET Framework 3.0 Service Pack 2, and .NET Framework 3.5 SP1.

For .NET Framework 2.0 Service Pack 2 (Network Class Library)

Extended protection can be turned on by setting properties on HttpListener. For more information, visit the following Microsoft MSDN websites: If NegotiateStream is used, then the appropriate overloads of [Begin]AuthenticateAsServer and [Begin]AuthenticateAsClient need to be used: For more information, visit the following Microsoft MSDN websites:

In addition to the recommendations in these Microsoft websites, follow these steps:
  1. On the client side, install the Extended Protection for Authentication update for Security Support Provider Interface (SSPI). This update changes SSPI to improve Windows authentication. Additionally, this update prevents credentials from being forwarded. After you install this update, you must implement the registry settings that are described in Microsoft Knowledge Base (KB) article 968389 to enable extended protection.For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    968389Extended Protection for Authentication
  2. On the server side, install the Extended Protection for Authentication update for the HTTP Protocol Stack.

For .NET Framework 2.0 Service Pack 2 (ASP.NET)

No special action is required in order to use Extended Protection.

For .NET Framework 3.0 Service Pack 2 (WCF)

To enable the Extended Protection for Authentication feature in WCF, follow these steps: To do this, follow these steps:
  1. On the client side, install the Extended Protection for Authentication update for Security Support Provider Interface (SSPI). This update changes SSPI to improve Windows authentication. Additionally, this update prevents credentials from being forwarded. After you install this update, you must implement the registry settings that are described in Microsoft Knowledge Base (KB) article 968389 to enable extended protection.For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    968389Extended Protection for Authentication
  2. On the server side, install the Extended Protection for Authentication update for the HTTP Protocol Stack.
  3. Install the Extended Protection for Authentication update for Internet Information Services (IIS) when IIS is installed.

    After you install the update, follow the instructions in KB article 973917 to configure extended protection in IIS.For more information, click the following article numbers to view the article in the Microsoft Knowledge Base:
    973917Description of the update that implements Extended Protection for Authentication in Internet Information Services (IIS)
    970430 Description of the update that implements Extended Protection for Authentication in the HTTP Protocol Stack (http.sys)
  4. Use the ExtendedProtectionPolicy class in WCF to represent the extended protection policy that the server uses to validate incoming client connections. The class can be applied only when the security mode is set to Transport mode or to TransportWithMessageCredential mode.The following is a sample code that shows the configuration in a binding element of a service config file:
    <binding>……………   <security mode="Transport">           <transport ……………>                                  <extendedProtectionPolicy policyEnforcement ="WhenSupported"/>           </transport >          </security></binding>
    For more information about the Extended Protection for Authentication feature, visit the following Microsoft TechNet website:
For more configuration information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
Article numberArticle title
982532Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 1 and on Windows Server 2008 Service Pack 1 (976767 and 980843): June 8, 2010
982533Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 2 and on Windows Server 2008 Service Pack 2 (976768 and 980842): June 8, 2010
982535Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 1 and on Windows Server 2008 Service Pack 1 (976767, 980843, and 976771): June 8, 2010
982536Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 2 and on Windows Server 2008 Service Pack 2 (976768, 980842, and 976772): June 8, 2010
982167Description of the rollup update for the .NET Framework 3.5 Service Pack 1 and the .NET Framework 2.0 Service Pack 2 on Windows XP and on Windows Server 2003 (976765 and 980773): June 8, 2010
982168Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows XP and on Windows Server 2003 (976765, 980773 and 976769): June 8,
2262911"Could not load type 'System.Security.Authentication.ExtendedProtection.ExtendedProtectionPolicy'" exception error after you install update 982167 or update 982168
Known Issues
For more information about known issues with this software, click the following article number to view the article in the Microsoft Knowledge Base:
Article numberArticle title
2197146Updates for the .NET Framework 3.5 Service Pack 1 and the .NET Framework 2.0 Service Pack 2 may cause the Microsoft Knowledge Base article number to appear instead of the full title of the update in the Add or Remove Programs item in Control Panel
update security_patch security_update security bug flaw vulnerability malicious attacker exploit registry unauthenticated buffer overrun overflow specially-formed scope specially-crafted denial of service DoS TSE WinNT Win2000
Properties

Article ID: 973811 - Last Review: 05/08/2012 21:54:00 - Revision: 6.0

Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.0 Service Pack 2, Microsoft .NET Framework 2.0 Service Pack 2, Windows Server 2008 Datacenter without Hyper-V, Windows Server 2008 Enterprise without Hyper-V, Windows Server 2008 for Itanium-Based Systems, Windows Server 2008 Standard without Hyper-V, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Standard, Windows Web Server 2008, Windows Vista Service Pack 2, Windows Vista Service Pack 1, Microsoft Windows Server 2003 Service Pack 1, Microsoft Windows Server 2003 Service Pack 2, Microsoft Windows XP Service Pack 2, Microsoft Windows XP Service Pack 3

  • kbsecadvisory atdownload kbbug kbexpertiseinter kbfix kbsecbulletin kbsecurity kbsecvulnerability KB973811
Feedback