
This is a security update for Windows XP running Service Pack 2 or Service Pack 3. The patch strengthens the authentication credentials used in various situations with Integrated Windows Authentication (IWA). While it does not protect directly against specific threats, it allows applications to use Extended Protection for Authentication (EPA), which defends them against credential forwarding. Once EPA is enabled, authentication requests are bound both to the Service Principal Name (SPN) of the server that the client tries to connect to and to the Transport Layer Security (TLS) channel used by IWA.

To have Extended Protection enabled, two registry settings must be modified after the update is installed. The first is "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\SuppressExtendedProtection", which must be set to zero to enable protection. If this is deleted or set to zero, the EPA is disabled. The second is "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel", which should be set to 3 to enable NT LAN Manager version 2 (NTLMv2). Restarting the computer after these registry modifications is mandatory. Back up the registry before making any changes to it.
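A read-only check of the two registry values described above, written as an added example and not taken from Microsoft or from the update itself. It assumes PowerShell 2.0 is installed and the session runs as an administrator; the expected values 0 and 3 are the ones this page gives, and the backup file name is hypothetical.

```powershell
# Added example: compare the two LSA values against the settings on this page.
# Nothing is written to the registry; the key is only read and exported.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$expected = @{
    'SuppressExtendedProtection' = 0   # page: set to zero to enable protection
    'LmCompatibilityLevel'       = 3   # page: set to 3 to enable NTLMv2
}

function Test-LsaValue {
    param([string]$Path, [string]$Name, [int]$Want)

    # Get-ItemProperty returns nothing when the value (or key) is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return New-Object PSObject -Property @{
            Name = $Name; Current = '(not set)'; Expected = $Want; Match = $false }
    }
    $current = $item.$Name
    New-Object PSObject -Property @{
        Name = $Name; Current = $current; Expected = $Want; Match = ($current -eq $Want) }
}

$results = foreach ($name in $expected.Keys) {
    Test-LsaValue -Path $lsaPath -Name $name -Want $expected[$name]
}
$results | Format-Table Name, Current, Expected, Match -AutoSize

if ($results | Where-Object { -not $_.Match }) {
    # Export the key first, since the page advises a backup before any change.
    # Hypothetical file name; the timestamp avoids overwriting an earlier export.
    $backup = Join-Path $env:TEMP ('lsa-backup-{0:yyyyMMddHHmmss}.reg' -f (Get-Date))
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $backup | Out-Null
    Write-Output "Values differ from the settings on this page. Key exported to $backup."
    Write-Output 'A restart is required after the values are changed.'
} else {
    Write-Output 'Both values match the settings described on this page.'
}
```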
This update can be removed through the "Add or Remove Programs" option in Control Panel; check the "Show updates options" box to display it.