KB2871997 and Wdigest - Part 1

 

In May of this past year we released a “Security” update labeled KB2871997, which basically backports a number of security features that were introduced in Windows 8.1/2012 R2 to Win 7/2008/8/2012. If you want to read the details you can start here: https://support.microsoft.com/kb/2871997. The point of this post, however, is to focus specifically on ensuring that clear text credentials are no longer stored in memory on your client systems, which means using the new features to disable Wdigest Auth more easily on your clients.

Prior to this hotfix there were a number of locations where tools such as mimikatz/wce would dump clear text credentials from LSA memory on a system. With this hotfix applied “most” of those locations were fixed; however, due to possible issues with backwards compatibility and the desire to not break our customers' environments, the Wdigest SSP was left enabled. Unfortunately, due to the way this authentication provider works, it requires that the clear text credentials be stored in order for it to perform SSO authentication to Wdigest resources. In general Wdigest is typically used for IIS servers with it enabled.

There may well be other use scenarios for Wdigest, however I’m not sure I’ve ever seen them, so feel free to add something in the comments if you have. Prior to this hotfix it was possible to disable Wdigest, but it was not as easily done. It required modifying the Multi-String value “Security Packages” at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and removing “wdigest” from this value.

This is problematic from a GPO/GPP perspective: you could replace/overwrite the registry value, but you don’t really know what the prior settings for this value are across your enterprise, so if you just overwrite it with arbitrary values you run the risk of adding or removing entries relative to what each system had previously. You could do it programmatically, but that’s more involved and would require some scripting or the like. KB2871997 backported a new registry value that was introduced in 8.1, found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest and named “UseLogonCredential”.

By default, when you install the hotfix on Windows 7 the value does not exist. The default setting is 1 on OS versions earlier than 8.1/2012 R2, which means they will by default store cleartext credentials in LSA memory for this SSP. (On 8.1+ the default is 0, i.e. credentials are not stored and Wdigest is not enabled.)
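A local check of the two registry locations discussed above, as an added example that is not from the original post. The function name `Get-WDigestState` and the `-Enforce` switch are hypothetical, the absent-value defaults are taken from the paragraph above, and writing the value requires an elevated prompt.

```powershell
# Added example: report the effective WDigest UseLogonCredential setting and,
# with -Enforce (hypothetical switch), create the value and set it to 0.
param([switch]$Enforce)

$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-WDigestState {
    # Per the post: an absent value behaves as 1 below 8.1/2012 R2 (6.3), as 0 on 8.1+.
    $osVersion = [Version](Get-WmiObject Win32_OperatingSystem).Version
    $default   = if ($osVersion -ge [Version]'6.3') { 0 } else { 1 }

    $prop = Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue
    $configured = if ($prop) { [int]$prop.UseLogonCredential } else { $null }
    $effective  = if ($null -ne $configured) { $configured } else { $default }

    # Read-only look at the multi-string value; this script never rewrites it,
    # which avoids the overwrite problem described for "Security Packages".
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'

    New-Object PSObject -Property @{
        Computer              = $env:COMPUTERNAME
        OSVersion             = $osVersion
        ConfiguredValue       = $configured   # $null means the value does not exist
        EffectiveValue        = $effective
        WDigestInSecurityPkgs = ($packages -contains 'wdigest')
    }
}

$state = Get-WDigestState
if ($Enforce -and $state.EffectiveValue -ne 0) {
    if (-not (Test-Path $wdigestKey)) { New-Item -Path $wdigestKey -Force | Out-Null }
    # DWORD 0 = do not keep cleartext logon credentials for the WDigest SSP.
    New-ItemProperty -Path $wdigestKey -Name UseLogonCredential `
        -PropertyType DWord -Value 0 -Force | Out-Null
    $state = Get-WDigestState
}
$state
```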

For a practical demo of the effectiveness of this, I’ve included a couple of screenshots below of wce -w with and without the registry value applied on two Win7 systems.

Without the registry value in place and KB2871997 just “installed”:

image

With the registry value created and set to 0 with KB2871997 installed:

image

I plan to follow this post up with two more entries:

2 – How to easily set up some Windows Event Forwarding for DCs to see if/where you may have Wdigest in use in your environment.

3 – How to set up a GPP to set this registry value across your environment.