Extended Protection for Windows Authentication in IIS

We have just released a non-security update that allows administrators of IIS websites that use Integrated Windows Authentication (IWA) to protect against credential relaying. The feature is called “Extended Protection” and needs to be applied at multiple layers for it to be usable from IIS. An update to a previous Microsoft Advisory 973811 now adds the IIS fixes to the list of components that support Extended Protection. This non-security update is provided for IIS 6.0 on Windows Server 2003 and above.

To understand the actual issue that is being addressed with this feature please check out Microsoft Advisory 974926. An example of what a malicious user can do is use a phishing attack to cause a user to authenticate via NTLM and then forward the credentials to gain access to resources that require the user’s authentication credentials. The Microsoft Security Research and Defense blog has an in-depth analysis of the issue. IIS has also released a KB article 973917 on how to set this feature up.