Windows Server 2019 Updates Impacting Active Directory: Part 1
The November 9, 2021 “Patch Tuesday” update to Windows Server 2019 includes four updates to the way Active Directory behaves. Two of these lay the groundwork for security features that will go into effect with the April 2022 update cycle. Now is the time to start planning to avoid surprises.
Here in Part 1 I discuss the two most critical updates; Part 2 of this blog series features two more.
KB5008380—Authentication updates (CVE-2021-42287)
This update adds requestor details to Kerberos Privileged Attribute Certificate (PAC). When subsequent service tickets are generated, it verifies that the account that requested the TGT is the same account referenced in the service ticket.
IMPORTANT: An update is available as the initial bits have known issues that resulted in authentication failure under certain circumstances. See November 14, 2021—KB5008602(OS Build 17763.2305) Out-of-band. If you are experiencing unusual authentication errors, you may want to give it a read. At least one Microsoft Identity Manager 2016 installation threw Event ID 10 with event source Microsoft.ResourceManagement.PortalHealthSource. More information here.
KB5008380 is intended to mitigate a known escalation of privilege exploit. The update immediately adds requestor details to a Kerberos Privileged Attribute Certificate (PAC). When subsequent service tickets are generated, Active Directory verifies that the account that requested the TGT is the same account referenced in the service ticket.
The additional information in the PAC is intended to address possible spoofing that allows potential attackers to cause the Key Distribution Center (KDC) to create a service ticket with a higher privilege level than that of the compromised account.
Mitigation consists of the installation of Windows updates on all devices that host the domain controller role and read-only domain controllers (RODCs). Pay special attention as the update needs to be applied to all domain controllers, including any that are newly promoted. Make sure this KB is part of your domain controller build or your default domain controller policy. Any domain controller not having this update will be incompatible with those that do.
A new registry entry, PacRequestorEnforcement, is added under the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc with a default value of 1. This puts the system into audit mode where event IDs 35 through 38 are added to the Kdcsvc logs. I strongly encourage reviewing these events regularly to understand any errors or warnings. Once you are satisfied there are no problems, you can modify the value to 2 putting the system into Enforcement mode.
Read the full documentation here.
KB5008383—Active Directory permissions updates (CVE-2021-42291)
This update adds permissions checks during LDAP Add and Modify operations on attributes of computer or a computer-derived objects. It audits cases where suspicious permissions may be placed on a computer including the securityDescriptor attribute.
For some background, when a user creates a computer object, they are the owner-creator of the object and have Implicit Owner (full control) rights. An Implicit Owner has full control and can modify security-sensitive attributes of the object.
When an administrator adds an object to a domain, the Domain Admins group becomes the owner of the object. When a non-administrator adds a computer to the domain, that user become the Implicit Owner. The default setting in a domain allows any user to join up to 10 computers to the domain. (As an aside, in almost 20 years of AD audits, I’ve only witnessed a small handful of domains where the default has been modified).
After this update is applied:
- Authorization verification when users without domain administrator rights attempt an LDAP Add operation for a computer-derived object. This includes an Audit-By-Default mode that audits when such attempts occur without interfering with the request, an Enforcement mode that blocks such attempts, and a Disable mode.
- Authorization verification confirms if the user is allowed to write the security descriptor without Implicit Owner privileges. This also includes an Audit-By-Default mode that audits when such attempts occur without interfering with the request and an Enforcement mode that blocks such attempts, and a Disable mode.
A series of event IDs are added to the Directory Services log that record the audit step as well as errors if Enforcement mode is selected.
With the April 2022 update, the Disable mode will be removed and if Audit mode has not been set, the default mode will be switched to Enforcement.
Under normal circumstances, there is probably no harm in setting this to Enforcement mode. If you’re the cautious type – and you should be when it comes to Active Directory changes – monitor the Directory Services event log for a period to determine possible conflicts before setting to Enforcement.
The documentation for this KB is quite long so don’t read it near bedtime or it might cure your insomnia. Find it here.
This blog is continued in Part 2.
If your organization needs assistance with Active Directory, our expert team can help! Contact us here.