Apply these AD updates consistently or your unpatched Domain Controllers will fail
A series of welcome Active Directory updates from Microsoft that patch serious vulnerabilities need careful review by IT admins. They include a fix that, from July 2022, will stop patched domain controllers working with any that remain unpatched, so patching will need to be highly consistent across enterprise IT estates: you have been warned.
(Domain controllers are the Active Directory servers that authenticate users and control access to network resources. Most Windows domains run more than one, even small ones, if only for resilience.)
That’s according to new guidance from Microsoft issued alongside the Active Directory updates, which rolled out as part of November’s Patch Tuesday. That release fixed 55 bugs, including six rated critical and two already under active attack. (The Zero Day Initiative’s overview of the patches and vulnerabilities is worth a read.)
As security specialist Nathan McNulty noted: “It is really, really important that everyone responsible for patching AD is thoroughly reading these KBs. I can guarantee there will be future communication on this, but those who are completely oblivious may find themselves with non-functioning DCs.”
Active Directory updates: Look out for CVE-2021-42287
One of the four Active Directory updates addresses CVE-2021-42287, which Microsoft describes as a security bypass vulnerability affecting the Kerberos Privilege Attribute Certificate (PAC) that allows potential attackers to impersonate domain controllers. The fix itself is not onerous, but it comes with a phased enforcement schedule that deserves flagging to avoid any issues, particularly for smaller organisations paying less attention to guidance.
As Microsoft noted on November 9: “The July 12, 2022 release will transition all Active Directory domain controllers into the Enforcement phase. The Enforcement phase will also remove the PacRequestorEnforcement registry key completely. As a result, Windows domain controllers that have installed the July 12, 2022 update will no longer be compatible with:
- Domain controllers that did not install the November 9, 2021 or later updates.
- Domain controllers that installed the November 9, 2021 or later updates but have not yet installed the April 12, 2022 update AND who have a PacRequestorEnforcement registry value of 0.”
Microsoft added: “To protect your environment and avoid outages, please complete the following steps:
- Update all devices that host the Active Directory domain controller role by installing the November 9, 2021 update.
- After the November 9, 2021 update has been installed on all Active Directory domain controllers for at least 7 days, we strongly suggest that you enable Enforcement mode on all Active Directory domain controllers.
- Starting with the July 12, 2022 Enforcement Phase update, Enforcement mode will be enabled on all Windows domain controllers and will be required.”
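As an added illustration of those steps (this is not code from the article or from Microsoft), the following PowerShell audits the PacRequestorEnforcement value on every domain controller in the domain and switches all of them to Enforcement mode only once every DC reports an update installed at least seven days earlier. The registry path HKLM:\SYSTEM\CurrentControlSet\Services\Kdc and the value meanings (0 = disabled, 1 = deployment, the default after the November 2021 update, 2 = enforcement) are taken from Microsoft's KB5008380; using Get-HotFix installation dates as a proxy for "the November 9, 2021 update is installed" is an assumption of this example, as are the function names.

```powershell
# Added example, not code from the article or from Microsoft.
# Registry path and value meanings (0 = disabled, 1 = deployment, 2 = enforcement)
# are from KB5008380; the hotfix-date heuristic below is an assumption.
# Requires the ActiveDirectory module and WinRM access to every domain controller.

$KdcKey         = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName      = 'PacRequestorEnforcement'
$NovemberUpdate = Get-Date '2021-11-09'

function Get-PacEnforcementState {
    # One object per DC: the current PacRequestorEnforcement value (absent by
    # default, which the KDC treats as 1 / deployment mode once the November 2021
    # update is installed) plus the newest update installed on or after
    # 9 November 2021. Hotfix dates are only a proxy for "patched"; verify the
    # actual KB numbers for each OS build against Microsoft's list.
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ScriptBlock {
        param($Key, $Name, $Since)
        $item   = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        $latest = Get-HotFix |
                  Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
                  Sort-Object InstalledOn -Descending |
                  Select-Object -First 1
        $mode = 1                                   # KB5008380 default when the value is absent
        if ($null -ne $item) { $mode = [int]$item.$Name }
        $kb = $null; $when = $null
        if ($latest) { $kb = $latest.HotFixID; $when = $latest.InstalledOn }
        [pscustomobject]@{
            DC                      = $env:COMPUTERNAME
            PacRequestorEnforcement = $mode
            ValueExplicitlySet      = ($null -ne $item)
            LatestUpdate            = $kb
            InstalledOn             = $when
        }
    } -ArgumentList $KdcKey, $ValueName, $NovemberUpdate
}

function Set-PacEnforcement {
    # Writes PacRequestorEnforcement on the given DCs and returns the value read back.
    # 2 = Enforcement, the mode the July 12, 2022 update makes mandatory.
    param(
        [Parameter(Mandatory)][string[]]$DC,
        [ValidateSet(0, 1, 2)][int]$Mode = 2
    )
    Invoke-Command -ComputerName $DC -ScriptBlock {
        param($Key, $Name, $Value)
        Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord
        [pscustomobject]@{
            DC    = $env:COMPUTERNAME
            Value = (Get-ItemProperty -Path $Key -Name $Name).$Name
        }
    } -ArgumentList $KdcKey, $ValueName, $Mode
}

# Usage: audit first, then enforce only when every DC has been patched for 7+ days,
# mirroring Microsoft's "at least 7 days" guidance above.
$state = Get-PacEnforcementState
$state | Format-Table DC, PacRequestorEnforcement, LatestUpdate, InstalledOn -AutoSize

$cutoff   = (Get-Date).AddDays(-7)
$notReady = $state | Where-Object { -not $_.InstalledOn -or $_.InstalledOn -gt $cutoff }
if ($notReady) {
    Write-Warning ("Not enforcing yet; DCs unpatched or patched under 7 days ago: " +
                   ($notReady.DC -join ', '))
} else {
    Set-PacEnforcement -DC $state.DC -Mode 2
}
```

Run the audit alone first and keep the output: a DC that reports an explicit value of 0 is the case Microsoft singles out as incompatible with July 2022 DCs if it also lacks the April 2022 update, so fix those before flipping anything to 2.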