Earlier this week I’ve been talking to a customer about the “Protected Users” group. You might have seen it appearing when introducing the first 2012 R2 domain controller. Here’s a good explanation on its purpose:
Protected Users is a new global security group to which you can add new or existing users. Windows 8.1 devices and Windows Server 2012 R2 hosts have special behavior with members of this group to provide better protection against credential theft. For a member of the group, a Windows 8.1 device or a Windows Server 2012 R2 host does not cache credentials that are not supported for Protected Users. Members of this group have no additional protection if they are logged on to a device that runs a version of Windows earlier than Windows 8.1. Source: TechNet: How to Configure Protected Accounts
The above is actually a bit misleading. The functionality was actually backported to Windows 2008 R2/Windows 2012 in the hotfix KB2871997 See blogs.technet.com: An Overview of KB2871997 for an explanation on this.
This group might be part of your organization’s strategy to reduce the attack surface for pass the hash. A great white paper on this can be found here: Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2
One of the things the Protected Users group ensures is that no NTLM hashes are available to be used or stolen. Now I wanted to see this for myself. There are various tools out there that are capable of listing the various secrets. I tried Windows Credential Editor (WCE) but that one didn’t work on (my) Windows 2012 R2. So I used Mimikatz. My setup: A 2012 R2 domain controller and a 2012 R2 member server. I’ve got 3 domain admins: one that has the remote desktop session open to the member server and then two that have a powershell runnning through runas. Of the latter one is a member of the Protected Users group:
Run as different user: SETSPN\john
Run as different user: SETSPN\thomas
As you can see John is an oldschool Domain Admin whereas Thomas has read the Mitigating PtH whitepaper and is a proud member of the Protected Users group. This is the PowerShell oneliner I used to dump the groups I care about: WHOAMI /GROUPS /FO CSV | ConvertFrom-Csv | where {$_."group name" -like "Setspn\*"}
Here you can see the Protected Users admin has no NTLM available:
Where the regular admin has NTLM available:
Here’s the difference from an attacker point of view:
Start Mimikatz –> Privilege::debug –> sekurlsa::logonpasswords And here are the goodies:
John:
Authentication Id : 0 ; 3529276 (00000000:0035da3c)
Session : Interactive from 0
User Name : john
Domain : SETSPN
Logon Server : SRVDC01
Logon Time : 2/24/2016 6:59:54 PM
SID : S-1-5-21-4274776166-1111691548-620639307-5603
msv :
[00000003] Primary
* Username : john
* Domain : SETSPN
* NTLM : 59884edfb057d0fec8cb7e0d571dc200
* SHA1 : 7e655db2b3a7e88fb0c50ca56416ae655469f09e
[00010000] CredentialKeys
* NTLM : 59884edfb057d0fec8cb7e0d571dc200
* SHA1 : 7e655db2b3a7e88fb0c50ca56416ae655469f09e
tspkg :
wdigest :
* Username : john
* Domain : SETSPN
* Password : (null)
kerberos :
* Username : john
* Domain : SETSPN.LOCAL
* Password : (null)
ssp :
credman :
Thomas:
Authentication Id : 0 ; 3493146 (00000000:00354d1a)
Session : Interactive from 0
User Name : thomas
Domain : SETSPN
Logon Server : SRVDC01
Logon Time : 2/24/2016 6:59:36 PM
SID : S-1-5-21-4274776166-1111691548-620639307-5602
msv :
[00010000] CredentialKeys
* RootKey : db1c2347608db0c4e2d89bbd6c328bf6f42671b7d88653cd4cc9af2713
e958f0
* DPAPI : 63adfe49948fca81c885933b3aa23eba
tspkg :
wdigest :
* Username : thomas
* Domain : SETSPN
* Password : (null)
kerberos :
* Username : thomas
* Domain : SETSPN.LOCAL
* Password : (null)
ssp :
credman :
As you can see the admin that’s a member of the Protected Users group does NOT have the NTLM hashes dumped. Wooptiedoo! Now think and test before you start adding the Domain Admins group to the Protected Users group! By no means you should do that! Here’s some good information on how to start with the Protected Users group and some additional caveats: How to Configure Protected Accounts
Here’s one from my side: after adding my admin user to the Protected Users group he was no longer to RDP to a 2012 R2 member server:
In words: A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support.
Remote desktop to a Windows 2008 R2 worked fine with that account. It seems for my Protected User admin to be able to log on to a Windows 2012 R2 server it had to actualy use mstsc.exe /restrictedadmin and I had to enable Restricted Admin mode on the member server:
You can find that value below HKLM\SYSTEM\CurrentControlSet\Control\Lsa
If you want to know more about the Protected Users group and the Restricted Admin feature read up on both of them here: TechNet: Credentials Protection and Management or digital-forensics.sans.org:Protecting Privileged Domain Accounts: Restricted Admin and Protected Users
Some additional reading on Restricted Admin mode: Restricted Admin mode for RDP in Windows 8.1 / 2012 R2
2 Response to Protected Users Group
We had an issue at one of our customers, Members of the "Protected Users Group" are unable to create new DFS namespaces which are AD integrated. Error: \\domain.com\namespace: The Namespace cannot be queried. Access is denied. Advice from Microsoft Support is to temporarily remove the user from the protected users because it needs NTLM.
It's an old article, but one of the first when I was looking for why I was getting the "user account restriction" when connecting to a system with my account that was a member of the "protected users" group. I did not have to enable Restricted Admin mode, I had to RDP to the server using its domain name, instead of IP (kerberos only works on shortname and fqdn resources, by default).
Add Your Comment