"Protected Users": An essential security approach for privileged accounts

Published on January 04, 2024

Technologies

by Jonathan Clairembault

In the complex world of cybersecurity, protecting user accounts, particularly those with elevated privileges (privileged accounts), is a priority. Microsoft has introduced a powerful feature to strengthen the security of these accounts within Active Directory environments: the "Protected Users" security group. This targeted approach provides an additional layer of protection for key accounts, enhancing the security of the IT systems they can reach.

The security objective: Protecting sensitive accounts

The first question that arises is: who are the "Protected Users"?

It is a designation attributed to user accounts deemed sensitive due to their critical role in accessing information system (IS) resources.

This generally includes system administrators, CISOs, IT directors, service accounts, and other users (external ones such as auditors, consultants, remote maintenance providers and managed IT service providers) who hold extensive access to IS resources.

The fundamental objective of this functionality is to improve the security and control of these accounts by reducing potential vulnerability to attacks and preventing privilege escalation.


Advanced protection: How does it work?

This security group is part of a strategy aimed at limiting credential exposure within the enterprise. Members of this group automatically benefit from non-configurable protection measures applied to their accounts. Membership in the Protected Users group is designed to be restrictive and secure by default. The only way to remove these protections from an account is to remove it from the security group.

The conditions that guarantee device protection for members of the "Protected Users" group are as follows:

  • The global security group "Protected Users" is replicated to all domain controllers in the account domain.
  • Default support for Windows 8.1 and Windows Server 2012 R2 is ensured. Security Advisory 2871997 extends this support to Windows 7, Windows Server 2008 R2, and Windows Server 2012.
  • This implies that users must belong to domains configured at the Windows Server 2012 R2 domain functional level or higher.


When a user account is added to the "Protected Users" group, the following protections are activated (source: Microsoft):

  • Credential Delegation (CredSSP) does not cache user credentials in plaintext
  • As of Windows 8.1 and Windows Server 2012 R2, Windows Digest does not cache user credentials in plaintext, even when Windows Digest is enabled.
  • NTLM does not cache user credentials in plaintext or the one-way NT function (NTOWF).
  • Kerberos no longer creates DES or RC4 keys. Furthermore, it does not cache user credentials in plaintext or long-term keys after acquiring the initial TGT.
  • Since no verifier is cached during login or unlock, offline login is no longer supported.
  • Once the user account is added to the Protected Users group, protection begins when the user logs in to the device.


Member accounts of the Protected Users group that authenticate against a Windows Server 2012 R2 domain can no longer:

  • Authenticate using NTLM authentication
  • Use DES or RC4 encryption types in Kerberos pre-authentication
  • Renew Kerberos TGTs beyond the initial 4-hour lifetime

Non-modifiable TGT expiration settings are applied individually to each account belonging to the "Protected Users" group.

In general, TGT lifetime and renewal are set by the domain controller based on domain policies, namely the maximum user ticket lifetime and the maximum ticket renewal lifetime. However, for members of the "Protected Users" group, a value of 600 minutes is specified for these domain policies.

Protection against threats

One of the main motivations behind activating "Protected Users" is reducing the risk of targeted attacks. Threats such as token impersonation are seriously hindered thanks to these reinforced mechanisms. Indeed, by improving authentication mechanisms, this functionality complicates the task of attackers by restricting their ability to compromise these key accounts.


Selective by nature: "Protected Users"?

An important characteristic of "Protected Users" is that their activation is selective. This means administrators have full control to designate which accounts to protect.

From our perspective, Protected Users should be active for everyone (standard accounts and privileged accounts) unless there are compatibility issues and lowering the authentication security for these accesses is acceptable or mitigated by other mechanisms. The main use case where it poses problems is for offline device authentication. Authentication does not work in this case, which can be problematic for mobile users.


Compatibility: A necessary evaluation

Implementing "Protected Users" requires careful evaluation of existing applications and services within your organization's IS. The objective is to ensure that these systems are compatible with reinforced security mechanisms and to properly identify any potential issues.

It is important to note that certain older or specific applications may encounter compatibility issues with this functionality. Microsoft recommends avoiding obsolete technologies. Careful management is needed to avoid any service interruption.
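One way to find the applications and clients that break once an account is protected is to read the operational logs Microsoft ships for this purpose on the domain controllers. The script below is an added example, not code from the article or from Rubycat; it assumes it runs on a Windows Server 2012 R2 or later domain controller with administrative rights and the ActiveDirectory PowerShell module available.

```powershell
# Added example (not from the original article): surface compatibility failures caused
# by Protected Users restrictions before and during a rollout. Assumes it runs on a
# domain controller (Windows Server 2012 R2 or later) with administrative rights.
$failureLog = 'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController'
$successLog = 'Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController'

# Both operational logs are disabled by default; enable them on every DC you monitor.
foreach ($log in $failureLog, $successLog) {
    $cfg = Get-WinEvent -ListLog $log
    if (-not $cfg.IsEnabled) { wevtutil.exe set-log $log /enabled:true }
}

# Collect failures from the last 7 days: each event is one NTLM sign-in or one DES/RC4
# Kerberos pre-authentication attempt that the DC refused because the account is a
# Protected User. These are exactly the legacy dependencies the compatibility review needs.
$since    = (Get-Date).AddDays(-7)
$failures = Get-WinEvent -FilterHashtable @{ LogName = $failureLog; StartTime = $since } `
                         -ErrorAction SilentlyContinue

# Group by event ID and message so each (account, mechanism, client) combination shows
# once with a count and the time of the last occurrence.
$failures |
    Group-Object Id, Message |
    ForEach-Object {
        [pscustomobject]@{
            EventId = $_.Group[0].Id
            Count   = $_.Count
            Last    = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
            Summary = ($_.Group[0].Message -split "`r?`n")[0]
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize -Wrap
```

A recurring entry for the same account and client is a service, script or device that still relies on NTLM or RC4 and must be fixed or justified before (or shortly after) that account joins the group.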

Example of PowerShell command line used to retrieve information about a specific Active Directory group, in this case the group called "Protected Users"
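The following script is an added example, not the article's own command line: it retrieves the "Protected Users" group with the ActiveDirectory PowerShell module and then reports which members of the most privileged groups are still outside it. It assumes RSAT (the ActiveDirectory module) is installed and that the group is resolved by its well-known RID 525 rather than by its display name.

```powershell
# Added example (not from the original article): retrieve the "Protected Users" group and
# audit which highly privileged accounts are not yet members. Assumes the RSAT
# ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

# Protected Users has the well-known RID 525 in every domain, so resolve it by SID
# instead of by display name (group names can be localised).
$domainSid      = (Get-ADDomain).DomainSID.Value
$protectedUsers = Get-ADGroup -Identity "$domainSid-525" -Properties Members, WhenCreated
"Group: {0} ({1} direct members, created {2})" -f $protectedUsers.DistinguishedName,
                                                  $protectedUsers.Members.Count,
                                                  $protectedUsers.WhenCreated

# Effective membership (nested groups flattened), kept as a set of SIDs for fast lookup.
$protectedSids = @{}
Get-ADGroupMember -Identity $protectedUsers -Recursive |
    ForEach-Object { $protectedSids[$_.SID.Value] = $true }

# Groups whose members should be covered: Domain Admins (RID 512), Enterprise Admins
# (RID 519, exists only in the forest root) and the built-in Administrators (S-1-5-32-544).
$privilegedGroups = @("$domainSid-512", "$domainSid-519", 'S-1-5-32-544')

$report = foreach ($sid in $privilegedGroups) {
    $group = Get-ADGroup -Identity $sid -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # e.g. Enterprise Admins in a child domain
    # Only user objects are candidates: Microsoft documents that computer and
    # service accounts must not be placed in Protected Users.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            [pscustomobject]@{
                PrivilegedGroup  = $group.Name
                Account          = $_.SamAccountName
                InProtectedUsers = $protectedSids.ContainsKey($_.SID.Value)
            }
        }
}

# Privileged users outside the group are the gap to close, or to justify explicitly
# (for example an account that genuinely needs offline logon).
$report |
    Where-Object { -not $_.InProtectedUsers } |
    Sort-Object Account, PrivilegedGroup |
    Format-Table -AutoSize
```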

Updates and best practices: The key to security

To maintain strong security for "Protected Users" accounts, it is essential to keep systems and domain controllers up to date. This ensures that the latest security improvements are in place. Furthermore, following security best practices for the entire Active Directory environment is a must.


PROVE IT by Rubycat: Protect your "Protected Users" with a robust solution certified by the ANSSI


We are the publisher of a software solution, PROVE IT, specialized in traceability and control of sensitive access (third-party access and privileged users) to information system equipment. It is a privileged account management solution (PAM – Privileged Access Management) with the implementation of an IT bastion that includes dedicated functionality for protected users. PROVE IT is certified with the ANSSI security visa CSPN.

Discover PROVE IT

Our solution

PROVE IT controls, traces, and records all actions of privileged users. Discover all its features in our documentation.

Reinforced protection

PROVE IT offers role-based access control (RBAC) that allows you to define specific authorizations for each privileged user, including "Protected Users". This means each user receives only the privileges necessary to accomplish their tasks, in accordance with the principle of least privilege.

By limiting access to critical resources, the PROVE IT administration bastion significantly reduces the risks of abuse, hacking, or exploitation of data and systems. "Protected Users" have only the necessary access, which reduces the potential attack surface.


Traceability and security

All activities performed via PROVE IT are recorded (particularly in video format) systematically. This complete traceability is essential for auditing and quickly detecting suspicious activities. For "Protected Users", this means it is possible to quickly identify any behavior that could damage the IS.


Credentials management

The security of privileged accounts is a critical issue, particularly for "Protected Users". PROVE IT integrates centralized credential and secret management features through its secondary credentials vault. This strengthens the security of privileged accounts, as access to sensitive credentials is restricted, in accordance with the principle of least privilege.


An integrated approach to security

The PROVE IT solution by Rubycat offers an integrated approach to privileged account security, allowing comprehensive control, monitoring, and auditing of "Protected Users" activities.


In conclusion

"Protected Users" are an essential element of the privileged account security strategy in Active Directory environments. Integrating this user group strengthens the protection of privileged accounts. However, their activation must be carried out with caution to avoid any disruption to existing services and infrastructure.


Written by

Jonathan Clairembault

CTO