Active Directory security updates: What you need to know

Several years ago I documented Windows updates that needed additional registry keys to be set before you are fully patched. These updates can be hard to keep track of. Microsoft recently released several more updates that need action on your part. The Microsoft Japanese security team documented several updates released in November 2021 that need more registry keys or actions taken to better protect Active Directory. These updates will ultimately be enforced, but in the meantime, these settings should be on your radar and tested for their impact.

Active Directory elevation of privilege vulnerability

The first patch addresses a security bypass vulnerability (CVE-2021-42278) that allows attackers to impersonate a domain controller by using computer account spoofing. Included in this update is increased validation inspections on the sAMAccountName and UserAccountControl attributes of computer accounts created or modified by users. It reviews for users who do not have administrator rights for machine accounts that should not be able to impersonate a domain controller.

After the update user and computer accounts are checked for the following:

ObjectClass=Computer (or subclass of computer) accounts must have UserAccountControl flags of UF_WORKSTATION_TRUST_ACCOUNT or UF_SERVER_TRUST_ACCOUNT

ObjectClass=User must have UAC flags of UF_NORMAL_ACCOUNT or UF_INTERDOMAIN_TRUST_ACCOUNT

Next, the sAMAccountName of a computer account whose UserAccountControl contains the UF_WORKSTATION_TRUST_ACCOUNT flag is checked to ensure it has a single dollar sign. If this isn’t true, a failure code of 0x523 ERROR_INVALID_ACCOUNTNAME is logged as a Directory-Services-SAM event ID 16991 in the system event log.

You will see an event 16990 in your event logs when the security account manager blocks a non-administrator from creating an Active Directory account in this domain with mismatched ObjectClass and UserAccountControl account type flags.

Uniqueness verification of user principal and service principal names

The next protection of elevation of privileges comes in the form of CVE-2021-42282. This adds verifications for user principal name (UPN) and service principal name (SPN) uniqueness. This feature has been backported to Windows 8, Server 2012.

Added is SPN alias uniqueness, which is new to all versions of Windows. SPN alias uniqueness verifications are on by default. You can turn these verifications off by modifying the 21st character of the dSHeuristics attribute, which is interpreted as a series of characters. The dSHeuristics attribute does not exist by default, but you can add it under the distinguished name CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=support,DC=local. Investigate why you need SPN aliases that are duplicates rather than being unique.

Active Directory security bypass vulnerability

The next Active Directory update of CVE-2021-42287 is not enabled, but the code is installed and It’s up to you to ensure your domain is ready for the impact of this update. This update fixes a security bypass vulnerability affects the Kerberos Privilege Attribute Certificate (PAC) and allows attackers to impersonate domain controllers. As noted in the update, “A compromised domain account might cause the Key Distribution Center (KDC) to create a service ticket with a higher privilege level than that of the compromised account. It accomplishes this by preventing the KDC from identifying which account the higher privilege service ticket is for.”

In the November updates, Microsoft added support for the PacRequestorEnforcement registry value, which allows you to transition to the enforcement phase early. On April 12, 2022, Microsoft removes the PacRequestorEnforcement setting of 0. Setting PacRequestorEnforcement to 0 after this update is installed will have the same effect as setting PacRequestorEnforcement to 1. The domain controllers (DCs) will be in deployment mode.

Microsoft recommends that seven days after you install the updates in your domain you enable enforcement mode. On July 12, 2022, enforcement mode will be enabled on all Windows domain controllers.

It’s highly recommended that you install the November updates to all domain controllers in your organization. You want them to be consistent in your environment and not be included in a mismatched between domain controllers. If you’ve verified that it’s OK to switch to deny authentication if your domain controller doesn’t include a requestor in your PAC, change the registry PacRequestorEnforcement value in KB5008380 to 2. This protects the domain controller from vulnerabilities by denying authentication if the PAC does not contain a requestor.

Security bypass vulnerability for Active Directory permissions

The next fix included in the November updates, CVE-2021-42291, addresses a security bypass vulnerability that impacts Active Directory permissions. This patch adds two protections. The first adds authorization verification when users without domain administrator rights attempt an LDAP add operation for a computer-derived object. This includes an audit-by-default mode that audits when such attempts occur without interfering with the request and an enforcement mode that blocks such attempts.

The second protection adds temporary removal of the implicit owner privileges when users without domain administrator rights attempt an LDAP modify operation on the securityDescriptor attribute. A verification occurs to confirm if the user would be allowed to write the security descriptor without implicit owner privileges. This also includes an audit-by-default mode that audits when such attempts occur without interfering with the request and an enforcement mode that blocks such attempts.

Once you’ve installed the November updates, look in your directory service event logs for event 3044 to 3056 on domain controllers. If you see an event that should not be occurring, you’ll see a notice such as event 3047 “The directory service detected an LDAP add request for the following object that normally would have been blocked for the following security reasons.” Once the patch goes into enforcement on April 12, 2022, these types of events will be blocked. Review your log files now to see if you will be impacted.

Bottom line, enable these protections early if you can. Review if your firm would be in a better protected position to enable these updates and their corresponding registry keys early, or if you will have side effects. Ensure that you understand now the side effects to your domain.