Microsoft recommends installing the November 2021 security updates on Windows servers that operate as domain controllers (DCs) as protection against a domain takeover via the vulnerabilities CVE-2021-42287 and CVE-2021-42278. Microsoft also recommends enabling the so-called enforcement mode on all Active Directory domain controllers to protect against the exploit (in July 2022 it will be activated by an update). However, a blog reader has now pointed out that this causes collateral damage: Linux clients are often no longer able to join the AD domain.
Some details about the DC enforcement mode
In the November 2021 patchday, Windows updates fixed the vulnerabilities CVE-2021-42287 and CVE-2021-42278, which can be abused to take over an Active Directory domain. On December 20, 2021, Microsoft brought the topic up again in the Techcommunity post SAM Name impersonation, warning that unsecured servers allow an attacker to create a domain administrator user in an Active Directory environment. All it takes is a compromised regular user account in the domain to gain the privileges of a domain administrator.
To protect a Windows domain controller environment from takeover, administrators must take the following steps:
- Update all devices hosting the Active Directory domain controller role to the November 9, 2021 (or later) cumulative security update.
- After the update has been installed on all Active Directory domain controllers for at least 7 days, Microsoft strongly recommends enabling enforcement mode on all Active Directory domain controllers.
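As an added example (not from the original post, and not Microsoft's own code), the following PowerShell audits the enforcement setting on every DC, switches to enforcement mode only where the most recent update has been in place for at least the 7 days Microsoft recommends, and then pulls the KDC's own events so that breakage shows up before clients complain. It assumes the ActiveDirectory RSAT module and PowerShell remoting to the DCs. The registry path HKLM\SYSTEM\CurrentControlSet\Services\Kdc, the value name PacRequestorEnforcement and the meaning of 0/1/2 are those documented in KB5008380; the event IDs 35 to 38 and the use of the newest installed hotfix as a proxy for the November 2021 LCU are my assumptions and should be checked against the KB.

```powershell
# Added example, not from the original post. Assumes RSAT AD module + PS remoting to DCs.
# Registry location and values per KB5008380: 0 = off, 1 = deployment mode
# (default once patched), 2 = enforcement mode.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$RegName = 'PacRequestorEnforcement'
$MinDays = 7   # Microsoft: run patched for at least 7 days before enforcing

$dcs = (Get-ADDomainController -Filter *).HostName

# 1) Audit: current mode and newest installed update on each DC.
$state = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($RegPath, $RegName)
    $value = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName
    # Assumption: a missing value behaves like deployment mode (1), as the KB describes the default.
    $mode = if ($null -eq $value) { 1 } else { [int]$value }
    # Assumption: the newest hotfix with an install date stands in for the November 2021 (or later) LCU.
    $lcu = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        DC        = $env:COMPUTERNAME
        Mode      = $mode
        LatestKB  = $lcu.HotFixID
        PatchedOn = $lcu.InstalledOn
    }
} -ArgumentList $RegPath, $RegName

$state | Format-Table DC, Mode, LatestKB, PatchedOn -AutoSize

# 2) Enable enforcement mode (2) only where the update is older than $MinDays.
$ready = $state | Where-Object {
    $_.PatchedOn -and $_.PatchedOn -lt (Get-Date).AddDays(-$MinDays) -and $_.Mode -ne 2
}
foreach ($dc in $ready) {
    Invoke-Command -ComputerName $dc.DC -ScriptBlock {
        param($RegPath, $RegName)
        Set-ItemProperty -Path $RegPath -Name $RegName -Value 2 -Type DWord
    } -ArgumentList $RegPath, $RegName
    Write-Host "Enforcement mode set on $($dc.DC)"
}

# 3) Watch the KDC events KB5008380 documents for this feature.
#    Assumption: IDs 35-38 under the KDC provider; verify against the KB.
Invoke-Command -ComputerName $dcs -ScriptBlock {
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 35, 36, 37, 38
        StartTime    = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Select-Object MachineName, TimeCreated, Id, Message
}

# Roll back to deployment mode on a DC if joins or password changes start failing:
#   Set-ItemProperty -Path $RegPath -Name $RegName -Value 1 -Type DWord
```

Step 2 deliberately refuses to touch a DC whose patch date is missing or too recent, so the script can be re-run daily until all DCs are enforcing; the roll-back line at the end is what the reader below had to do when Linux joins and cluster password changes broke.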
Microsoft also announced that with the enforcement phase update on July 12, 2022, enforcement mode would be forcibly enabled on all Windows domain controllers. I had pointed this out in the blog post Microsoft warns against Active Directory domain takeover due to unpatched vulnerabilities and linked to the relevant Microsoft pages.
Issues with Enforcement Mode
German blog reader Marco D. came across my German blog post Microsoft-Warnung vor Active Directory Domain-Übernahme wegen nicht gepatchter Schwachstellen (the German edition of the article linked above). He contacted me by mail and pointed out (thanks for that) that Microsoft's recommendation to enable enforcement mode on all Windows domain controllers can be problematic. He wrote:
Microsoft recommends setting Enforcement Mode. We did that and found that Linux clients could no longer be added to AD and that CNO accounts (accounts for cluster objects, e.g. SQL Server) could no longer renew their passwords.
After we disabled enforcement mode, both worked again.
Maybe this is worth a hint for all readers, because especially the latter is probably only noticed, without specific monitoring or log evaluation, when real problems occur.
Marco pointed me to the Technet forum post KB5008380 Kerberos PAC – Password Changes auf CNOs. There someone writes that, besides Linux AD joins, which were no longer possible with some distributions after enabling enforcement mode, SCOM now also reports errors regarding computer password updates on virtual failover cluster objects (CNOs):
The computer object associated with the cluster network name resource 'Cluster Name' could not be updated in domain 'domain.com' during the Password change operation.
The cluster identity 'Cluster Host' may lack permissions required to update the object
Red Hat also has a post, Microsoft CVE-2021-42287 and PacRequestorEnforcement: Unable to join Linux instance to Active Directory domain, from January 17, 2022, which describes the problems with Windows update KB5008380 and enforcement mode.
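The reader's point that the CNO password failure goes unnoticed without specific monitoring suggests a check worth having. The following PowerShell is a second added example (not from the original post or the forum thread): it flags cluster name objects in AD whose computer password has not been rotated recently, and searches cluster nodes for the failover-clustering event quoted above. It assumes that CNOs register an MSClusterVirtualServer/* service principal name, that machine passwords rotate every 30 days by default (35 days is used as the alarm threshold), and that the message is logged under the Microsoft-Windows-FailoverClustering provider; the node names are placeholders. Verify all of these in your own environment.

```powershell
# Added example, not from the original post. Assumptions are marked inline.
# 1) CNOs in AD whose computer password is older than expected.
#    Assumption: CNOs carry an MSClusterVirtualServer/* SPN and rotate every 30 days.
$MaxAgeDays = 35
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

$staleCnos = Get-ADComputer -LDAPFilter '(servicePrincipalName=MSClusterVirtualServer/*)' `
                            -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt $cutoff } |
    Select-Object Name, PasswordLastSet, DistinguishedName

if ($staleCnos) {
    Write-Warning "CNOs whose password has not changed since $($cutoff.ToShortDateString()):"
    $staleCnos | Format-Table -AutoSize
} else {
    Write-Host "All CNO passwords were changed within the last $MaxAgeDays days."
}

# 2) Cluster nodes that logged the failed password change.
#    Placeholder node names; replace with the real cluster members.
$Nodes = @('cluster-node-01', 'cluster-node-02')

Invoke-Command -ComputerName $Nodes -ScriptBlock {
    # Assumption: the event is written by the FailoverClustering provider to the System log.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-FailoverClustering'
        Level        = 2, 3          # 2 = Error, 3 = Warning
        StartTime    = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Password change operation' } |
    Select-Object MachineName, TimeCreated, Id, Message
} | Format-List
```

The AD-side check is the more useful of the two because it does not depend on which node currently owns the cluster name resource: if enforcement mode silently breaks the CNO password change, PasswordLastSet on the CNO simply stops advancing, and the threshold catches it before the old password expires.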
Similar articles
Patchday: Windows 10-Updates (November 9, 2021)
Windows 10/Windows Server: Out-of-band updates fixes DC authentification error (2021/11/14)
November 2021 Patchday issues: WSUS, DC, Events
Microsoft warns against Active Directory domain takeover due to unpatched vulnerabilities