
Tuesday, November 28, 2017

"Protected Users" group in Active Directory to protect privileged accounts

I usually follow the updates to Active Directory, but only recently I found out that since Windows Server 2012 R2 there is a security group called "Protected Users" in Active Directory, intended to protect the most privileged accounts in AD.

User accounts placed in this group are prevented from using the weaker authentication protocols and encryption types, cannot be delegated, and receive Kerberos tickets that expire after four hours, so they must re-authenticate:

  • A member of the Protected Users group cannot authenticate by using NTLM, Digest Authentication, or CredSSP. On a device running Windows 8.1 or Windows Server 2012 R2, the member's password is not cached, so any application or device that relies on one of these Security Support Providers (SSPs) will fail to authenticate to the domain when the account is a member of the Protected Users group.
  • The Kerberos protocol will not use the weaker DES or RC4 encryption types in the pre-authentication process. This means the domain must support at least AES, and the account must actually hold AES keys: those are only generated when the password is set while the domain functional level is Windows Server 2008 or higher, so an older password has to be reset before the account is added.
  • The account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that existing workflows in which a front-end server connects to other systems on the user's behalf may fail once the user is a member of the Protected Users group.
  • The default Kerberos Ticket Granting Ticket (TGT) lifetime of four hours is non-renewable; it can be changed by using Authentication Policies and Silos, which can be accessed through the Active Directory Administrative Center (ADAC). This means that when four hours have passed, the user must authenticate again.

A few practical caveats: the domain-controller-side protections (NTLM refusal, no RC4/DES pre-authentication, no delegation, four-hour TGT) require the domain functional level to be Windows Server 2012 R2 or higher, while the client-side protections (no cached credentials, no NTLM/Digest/CredSSP use) require the member to sign in from Windows 8.1 or Windows Server 2012 R2 or later. The group is created when the PDC emulator role is held by a Windows Server 2012 R2 domain controller and has the well-known RID 525. Service accounts and computer accounts must never be members, since anything that runs under them and needs NTLM, cached credentials, or delegation will break. Add one or two accounts first and test an interactive logon before adding the rest.
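As an added example (not code from the original post), the following PowerShell script performs a guarded rollout of the group for one privileged account: it checks the domain functional level, finds the group by its well-known RID instead of its display name, refuses accounts that look like service accounts, refuses accounts whose password predates AES support, adds the account, and optionally shortens the TGT lifetime below the four-hour default with an authentication policy and silo. The account name `tier0-admin`, the policy and silo names, the 120-minute lifetime, and the `$aesCutover` date are placeholders I assume for illustration; the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not part of the original post: guarded rollout of Protected Users for one
# privileged account, plus an optional authentication policy/silo to shorten the TGT lifetime.
# Assumptions (placeholders): RSAT ActiveDirectory module present; account 'tier0-admin';
# policy/silo names; 120-minute TGT; $aesCutover = when the domain first supported AES keys.
Import-Module ActiveDirectory

$accountName = 'tier0-admin'
$aesCutover  = Get-Date '2015-01-01'   # placeholder: date the DFL reached 2008 or higher

$domain = Get-ADDomain

# Domain-side enforcement (NTLM refused, no RC4/DES pre-auth, no delegation, 4-hour
# non-renewable TGT) only applies once the domain functional level is 2012 R2 or higher.
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain
if ([int]$domain.DomainMode -lt [int]$minMode) {
    throw "Domain functional level is $($domain.DomainMode); need $minMode for Protected Users."
}

# Locate the group by its well-known RID (525) rather than a localized display name.
$protectedUsers = Get-ADGroup -Identity "$($domain.DomainSID.Value)-525"

$user = Get-ADUser -Identity $accountName -Properties ServicePrincipalName, PasswordLastSet, MemberOf

# Service and computer accounts must never be members: they need NTLM, cached credentials,
# or delegation, and whatever runs under them breaks. A registered SPN is the usual tell.
if ($user.ServicePrincipalName.Count -gt 0) {
    throw "$accountName carries SPNs ($($user.ServicePrincipalName -join ', ')); do not add it."
}

# Members need AES Kerberos keys, which only exist if the password was set after the domain
# supported AES. Without them Kerberos has only RC4/DES keys and the logon fails outright.
if ($user.PasswordLastSet -lt $aesCutover) {
    throw "$accountName password last set $($user.PasswordLastSet); reset it first so AES keys exist."
}

if ($user.MemberOf -contains $protectedUsers.DistinguishedName) {
    Write-Host "$accountName is already a member of Protected Users."
} else {
    Add-ADGroupMember -Identity $protectedUsers -Members $user
    Write-Host "Added $accountName to Protected Users; test an interactive logon before adding more."
}

# Optional: override the default 4-hour TGT lifetime with an authentication policy applied
# through a silo (placeholder names). Needs DFL 2012 R2 and the KDC GPO setting
# "KDC support for claims, compound authentication and Kerberos armoring" enabled.
$policyName = 'Tier0-TGT-2h'
$siloName   = 'Tier0-Silo'

$policy = Get-ADAuthenticationPolicy -Filter "Name -eq '$policyName'"
if (-not $policy) {
    $policy = New-ADAuthenticationPolicy -Name $policyName -UserTGTLifetimeMins 120 -Enforce -PassThru
}
$silo = Get-ADAuthenticationPolicySilo -Filter "Name -eq '$siloName'"
if (-not $silo) {
    $silo = New-ADAuthenticationPolicySilo -Name $siloName -UserAuthenticationPolicy $policy -Enforce -PassThru
}
# The account must be granted access to the silo AND assigned to it; either step alone does nothing.
Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account $user
Set-ADAccountAuthenticationPolicySilo -Identity $user -AuthenticationPolicySilo $silo

# Verify what the KDC will enforce: group membership and the silo assignment attribute.
Get-ADGroupMember -Identity $protectedUsers | Select-Object Name, SamAccountName
Get-ADUser -Identity $accountName -Properties 'msDS-AssignedAuthNPolicySilo' |
    Select-Object SamAccountName, 'msDS-AssignedAuthNPolicySilo'

# Blocked NTLM/RC4 attempts by members are recorded on the DC in this operational log
# (assumed log name; it is disabled by default and must be enabled in Event Viewer first).
Get-WinEvent -LogName 'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController' `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run this on a domain-joined admin workstation with an account that can modify group membership and create authentication policies. The two `throw` checks are the ones that catch the common lockout mistakes: an account that something else authenticates as, and an account whose Kerberos keys are still RC4-only.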
