Using Protected Groups to Secure Privileged User Accounts

Benefits

Members of the Protected Users group who are signed on to Windows 8.1 devices and Windows Server 2012 R2 hosts can no longer use:

  • Default credential delegation (CredSSP) - plaintext credentials are not cached even when the Allow delegating default credentials policy is enabled
  • Windows Digest - plaintext credentials are not cached even when Windows Digest is enabled
  • NTLM - the NT one-way function (NTOWF) of the password is not cached
  • Kerberos long-term keys - the Kerberos ticket-granting ticket (TGT) is acquired at logon and cannot be re-acquired automatically
  • Sign-on offline - the cached logon verifier is not created

If the domain functional level is Windows Server 2012 R2, members of the group can no longer:

  • Authenticate by using NTLM authentication
  • Use Data Encryption Standard (DES) or RC4 cipher suites in Kerberos pre-authentication
  • Be delegated by using unconstrained or constrained delegation
  • Renew user tickets (TGTs) beyond the initial 4-hour lifetime

Requirements

The PDC emulator (PDCe) role should be hosted on a domain controller that runs Windows Server 2012 R2 so that the Protected Users security group is created.

Hosts must run Windows 8.1, Windows Server 2012 R2 or later to provide client-side restrictions for Protected Users. Members of this group have no additional protection if they are logged on to a device that runs a version of Windows earlier than Windows 8.1.

Domain controller-side restrictions for Protected Users require the domain functional level to be Windows Server 2012 R2 or later.

Action

Simply add users to the group, using UI tools such as Active Directory Administrative Center (ADAC) or Active Directory Users and Computers, a command-line tool such as Dsmod group, or the Windows PowerShell Add-ADGroupMember cmdlet.

To track events, enable the following logs on domain controllers:

  • Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
  • Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController

Impact

Members of the Protected Users group must be able to authenticate by using Kerberos with the Advanced Encryption Standard (AES). The built-in Administrator account, as well as any account whose password was last changed at a domain controller that runs an earlier version of Windows Server, is locked out. Therefore, follow these best practices:

Do not test in domains unless all domain controllers run Windows Server 2008 or later.

Change the password for each user before adding the account to the Protected Users group, or ensure that the password was changed recently on a domain controller that runs Windows Server 2008 or later.
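The onboarding steps from the Action section together with the password precondition above, as an added PowerShell example (not from the original article). It assumes the RSAT ActiveDirectory module on a domain controller; the account name and the 30-day password-age threshold are placeholders.

```powershell
# Added example (not from the original article): onboard one account into
# Protected Users and enable the DC-side tracking logs from the Action section.
# Assumes the RSAT ActiveDirectory module and a session on a domain controller;
# the account name and the 30-day age threshold are placeholders.
Import-Module ActiveDirectory

$SamAccountName     = 'BBanner'   # placeholder account
$MaxPasswordAgeDays = 30          # constructed threshold

# 1. Precondition from the Impact section: the password must have been set
#    recently on a DC running Windows Server 2008 or later, otherwise the
#    account locks out once it is in the group (no AES keys available).
$user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet
if (-not $user.PasswordLastSet -or
    $user.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
    Write-Warning "$SamAccountName password last set $($user.PasswordLastSet); resetting it first."
    # Reset here so the new AES keys are generated on this DC.
    $new = Read-Host -AsSecureString -Prompt "New password for $SamAccountName"
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $new
}

# 2. Add the account to the group (the Add-ADGroupMember path named in the Action section).
Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName

# 3. Confirm membership before relying on the restrictions.
$members = Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty SamAccountName
if ($members -contains $SamAccountName) { "OK: $SamAccountName is in Protected Users" }

# 4. Enable the two DC-side logs so the 303/304 successes and 100 failures are recorded.
foreach ($log in 'Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController',
                 'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController') {
    wevtutil.exe sl $log /e:true
    Get-WinEvent -ListLog $log | Select-Object LogName, IsEnabled
}
```

Run it once per account; the membership change takes effect at the next logon, so the user should sign out and back in to pick up the new TGT lifetime.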

Membership in the Protected Users group also affects the Kerberos TGT lifetime and renewal times:

Kerberos Policy                              Default                  Protected Users
Maximum lifetime for user ticket             10 hours (600 minutes)   240 minutes
Maximum lifetime for user ticket renewal     7 days (10,080 minutes)  240 minutes


Validation – Success

Connecting to the server over RDP using its DNS name results in Kerberos being used for authentication, which succeeds for a Protected Users member.

Log Name: Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Date: 2/5/2018 10:38:39 PM
Event ID: 303
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: RootDC01.Litware.com

Description:
A Kerberos ticket-granting-ticket (TGT) was issued for a member of the Protected User group.

Account Information:
    Account Name:        BBanner
    Supplied Realm Name:
    User ID:            LITWARE\BBanner
Authentication Policy Information:
    Silo Name:
    Policy Name:        AuthPol - Tier_0_Accounts_Devices
    TGT Lifetime:        240
Device Information:
    Device Name:
Service Information:
    Service Name:        krbtgt/LITWARE
    Service ID:        LITWARE\krbtgt
Network Information:
    Client Address:        ::ffff:10.10.20.24
    Client Port:        49204
Additional Information:
    Ticket Options:        0x78
    Result Code:        0x0
    Ticket Encryption Type:    0x7
    Pre-Authentication Type:    2
Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.


Log Name: Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Date: 2/5/2018 10:38:39 PM
Event ID: 304
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: RootDC01.Litware.com

Description:
A Kerberos service ticket was issued for a member of the Protected User group.
Account Information:
    Account Name:        BBanner@LITWARE.COM
    Account Domain:        LITWARE.COM
    Logon GUID:        {9fdc2786-483a-81c3-17ce-43276cb9e55e}
Authentication Policy Information:
    Silo Name:
    Policy Name:
Device Information:
    Device Name:
Service Information:
    Service Name:        ROOTMS04$
    Service ID:        LITWARE\ROOTMS04$
Network Information:
    Client Address:        ::ffff:10.10.20.24
    Client Port:        49205
Additional Information:
    Ticket Options:        0x7B
    Ticket Encryption Type:    0x1F
    Failure Code:        0x0
    Transited Services:    -
This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.


Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/5/2018 10:40:40 PM
Event ID: 4768
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Success
User: N/A
Computer: RootDC01.Litware.com

Description:
A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name:        BBanner
    Supplied Realm Name:    LITWARE.COM
    User ID:            LITWARE\BBanner
Service Information:
    Service Name:        krbtgt
    Service ID:        LITWARE\krbtgt
Network Information:
    Client Address:        ::ffff:10.10.20.24
    Client Port:        49239
Additional Information:
    Ticket Options:        0x40810010
    Result Code:        0x0
    Ticket Encryption Type:    0x12
    Pre-Authentication Type:    2
Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.


Validation – Failure

When connecting over RDP using the IP address of the server, NTLM is used for authentication, which results in a failed authentication for a Protected Users member.

Log Name: Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
Source: Microsoft-Windows-NTLM
Date: 2/5/2018 10:50:23 PM
Event ID: 100
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: RootDC01.Litware.com

Description:
NTLM authentication failed because the account was a member of the Protected User group.
Account Name:    BBanner
Device Name:    ROOTMS01
Error Code:    0xC000006E


Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/5/2018 10:50:23 PM
Event ID: 4822
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: RootDC01.Litware.com

Description:
NTLM authentication failed because the account was a member of the Protected User group.
Account Name:    BBanner
Device Name:    ROOTMS01
Error Code:    0xC000006E


Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/5/2018 10:50:23 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: RootDC01.Litware.com

Description:
The computer attempted to validate the credentials for an account.
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    BBanner
Source Workstation:    ROOTMS01
Error Code:    0xC000006E
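Reading the failure events above back out of the logs and summarising them per account and device, as an added PowerShell example (not from the original article). It assumes a domain controller with the ProtectedUserFailures log enabled; the 24-hour window and the offline sample message are constructed.

```powershell
# Added example (not from the original article): summarise NTLM failures for
# Protected Users members from the two DC-side logs shown in the validation section.
# Assumes it runs on a DC with the ProtectedUserFailures log enabled; the
# 24-hour window and the fallback sample message are constructed.

function ConvertFrom-ProtectedUserFailure {
    # Pull the fields the failure events carry out of the message text.
    # Event 100/4822 use "Account Name"/"Device Name"; 4776 uses
    # "Logon Account"/"Source Workstation", so both spellings are accepted.
    param([Parameter(ValueFromPipeline)][string]$Message)
    process {
        $fields = @{}
        foreach ($name in 'Account Name', 'Device Name', 'Logon Account', 'Source Workstation', 'Error Code') {
            if ($Message -match "(?m)^${name}:\s+(\S+)") { $fields[$name] = $Matches[1] }
        }
        [pscustomobject]@{
            Account = if ($fields['Account Name']) { $fields['Account Name'] } else { $fields['Logon Account'] }
            Device  = if ($fields['Device Name'])  { $fields['Device Name'] }  else { $fields['Source Workstation'] }
            Error   = $fields['Error Code']
        }
    }
}

$since   = (Get-Date).AddHours(-24)   # constructed window
$filters = @(
    @{ LogName = 'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController'; Id = 100;  StartTime = $since }
    @{ LogName = 'Security'; Id = 4822; StartTime = $since }   # the same failure, audited in Security
)
$messages = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object Message
}

if (-not $messages) {
    # Constructed sample (the message body from the article) so the parser can be tried offline.
    $messages = @("NTLM authentication failed because the account was a member of the Protected User group.`nAccount Name:`tBBanner`nDevice Name:`tROOTMS01`nError Code:`t0xC000006E")
}

# One row per account/device pair: a source that keeps failing after onboarding
# usually means a client still connecting by IP address or a service that cannot use Kerberos.
$messages | ConvertFrom-ProtectedUserFailure |
    Group-Object Account, Device |
    Select-Object @{n='Account'; e={ $_.Group[0].Account }},
                  @{n='Device';  e={ $_.Group[0].Device }},
                  @{n='Error';   e={ $_.Group[0].Error }},
                  Count |
    Sort-Object Count -Descending | Format-Table -AutoSize
```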