Kerberos AppContainer Security Feature Bypass Vulnerability (CVE-2021-31962, CVSSv3 9.4/8.2)

This month’s Patch Tuesday, Microsoft addresses a vulnerability that exists in the Windows Kerberos implementation for AppContainers. With a CVSS v3 score of 9.4 (base) / 8.2 (temporal), this is a critical update that should be remediated with the highest priority.

About AppContainers

Isolation is the primary goal of an AppContainer execution environment. By isolating an application from unneeded resources and other applications, opportunities for malicious manipulation are minimized. Granting access based upon least-privilege prevents applications and users from accessing resources beyond their rights. Controlling access to resources protects the process, the device, and the network.

For identity and credentials, the AppContainer prevents an application from using the user’s credentials to gain access to resources or to log in to other environments. The AppContainer environment creates an identifier that combines the identities of the user and the application, so credentials are unique to each user/application pairing and the application cannot impersonate the user.

About Service Principal Names

A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows an application to request that the service authenticate an account even if the client does not have the account name.

Before the Kerberos authentication service can use an SPN to authenticate a service, the SPN must be registered on the account object that the service instance uses to log on. A given SPN can be registered on only one account.
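Because a given SPN may be registered on only one account, duplicate registrations are a common cause of Kerberos failures (and, since the KDC cannot decide which account key to use, of silent fallback to NTLM). The following script, added here as an example and not part of the original post, finds SPNs that are registered on more than one object across the forest. It assumes the ActiveDirectory RSAT module and a domain-joined session; the Global Catalog (port 3268) is used so that every domain in the forest is covered.

```powershell
# Added example (not from the original post): list SPNs registered on more than
# one account. Assumes the ActiveDirectory module (RSAT) and domain credentials.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    [CmdletBinding()]
    param(
        # Query the forest's Global Catalog so every domain is covered.
        [string]$Server = ((Get-ADForest).Name + ':3268')
    )
    # servicePrincipalName is set on users, computers and gMSAs, so search objects
    # rather than users. An empty SearchBase on a GC port searches the whole forest.
    $objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
        -Properties servicePrincipalName -Server $Server -SearchBase ''

    # Flatten to (SPN, owner) pairs; SPN comparison is case-insensitive, so normalise.
    $pairs = foreach ($o in $objects) {
        foreach ($spn in $o.servicePrincipalName) {
            [pscustomobject]@{
                Spn   = $spn.ToLowerInvariant()
                Owner = $o.DistinguishedName
            }
        }
    }

    # Any SPN that groups to more than one distinct owner is a duplicate.
    $pairs | Group-Object Spn | Where-Object Count -gt 1 | ForEach-Object {
        $owners = $_.Group.Owner | Sort-Object -Unique
        if ($owners.Count -gt 1) {
            [pscustomobject]@{
                Spn    = $_.Name
                Owners = $owners -join '; '
            }
        }
    }
}

Find-DuplicateSpn | Format-Table -AutoSize
```

The built-in `setspn -X -F` performs the same forest-wide duplicate check; the script above is useful when you want the result as objects, for instance to feed a scheduled report. Resolve duplicates by removing the SPN from the account that does not run the service, not by deleting the SPN from both.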

About this vulnerability

A vulnerability in Windows Kerberos allows an attacker to bypass Kerberos-based authentication and potentially authenticate to an arbitrary service principal name (SPN), allowing a connection without a password. This could allow an attacker to potentially bypass authentication to access any service that is accessible through one or more SPNs.

Disclosure

The vulnerability was reported to Microsoft by James Forshaw of Google Project Zero. Microsoft’s advisory lists it as not publicly disclosed and not exploited at the time of the release. Coordinated disclosure is no guarantee that exploitation will not follow once the fix can be diffed, so this should not delay patching.

COMMON VULNERABILITY SCORING

With a CVSS base score of 9.4 (temporal 8.2), the vulnerability is rated critical. A base score this high reflects the severity of the impact (authentication to arbitrary SPNs) and the few prerequisites the scoring assigns to the attack; it does not mean that a working exploit is simple or publicly available.

Affected Operating Systems

All supported Windows versions and Windows Server versions are affected, as far back as Windows Server 2008 and Windows 8.1. Both Full installations and Server Core installations of Windows Server are affected.

Call to action

Microsoft strongly recommends that you install the cumulative June 2021 update on all Windows and Windows Server installations in your networking environment.

The cumulative updates for recent versions of Windows and Windows Server also contain the quality improvements that were released as part of the Preview update of May 20th, 2021. Roll the updates out to test environments and/or deployment rings first, to detect problems quickly.


SAML Authentication Hijack Vulnerability on Citrix ADC and Citrix Gateway Appliances (CVE-2020-8300)

Citrix SAML

Today, I was notified that certain Citrix ADC (formerly known as NetScaler ADC) and Citrix Gateway appliances are vulnerable to a SAML authentication hijack through a phishing attack to steal a valid user session.

 

About the vulnerability

If Citrix ADC or Citrix Gateway appliances are not upgraded to the recommended versions and if the SAML configuration is not configured according to the recommended settings, the Citrix ADC or Citrix Gateway appliances may allow an attacker to hijack a valid user session.

The flaw affects the configuration of the Security Assertion Markup Language (SAML) features. SAML is an XML-based markup language that is often used for exchanging authentication and authorization data between parties, with the purpose of offering single sign-on (SSO).

In the case of Citrix ADC and Citrix Gateway appliances, end-users can use SAML to:

  • Sign in to enterprise apps that are published behind these appliances
    The Citrix ADC and Citrix Gateway appliances are configured as a SAML Service Provider (SP) in this case
  • When these apps make requests to authenticate, they may send SAML requests to Citrix ADC and Citrix Gateway appliances.
    In this case, the appliances act as a SAML Identity Provider (IdP).

The vulnerability was responsibly disclosed to Citrix by ChenNan of Chaitin Security Research Lab, Wolfgang Ettlinger and Marc Nimmerrichter of Certitude Consulting.

 

Affected appliances

Only Citrix ADC and Citrix Gateway appliances models 4000-WO, 4100-WO, 5000-WO, and 5100-WO are vulnerable.

These devices are only vulnerable when they are configured as a SAML service provider (SP), as a SAML Identity Provider (IdP), or both.

The following supported versions of Citrix ADC and Citrix Gateway are affected:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-82.41
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-62.23
  • Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.20
  • Citrix ADC 12.1-FIPS before 12.1-55.238

The vulnerability has already been addressed in Citrix-managed cloud services such as Citrix Gateway Service and Citrix Secure Workspace Access. Customers using Citrix-managed services do not need to take any additional action.

 

Call to Action

When you use Citrix ADC and/or Citrix Gateway as a SAML SP, SAML IdP, or both, upgrade your organization’s appliance(s) to at least the following versions:

  • Citrix ADC and Citrix Gateway 13.0-82.41
  • Citrix ADC and Citrix Gateway 12.1-62.23
  • Citrix ADC and NetScaler Gateway 11.1-65.20
  • Citrix ADC 12.1-FIPS 12.1-55.238

Then, configure SAML correctly, as described in the Citrix Application Delivery Controller and Citrix Gateway – SAML Configuration Reference Guide:

  • Configure an expression for relayStateRule in the samlAction command.
    The expression must contain the list of published domains that end-users connect to before being redirected to the authentication virtual server. You must specify the starting of the domain with ^ along with a forward slash / at the end of the expression.
  • In the SAML IdP profile, configure acsURLRule that takes an expression of the list of applicable service provider URLs for this IdP.
    This expression depends on the SP being used. If Citrix ADC is configured as SP, the ACS URL will be https://<SP-domain_name>/cgi/samlauth. You must specify the starting of the domain with ^ along with the dollar sign $ at the end of the string.

Note:
If the Citrix ADC appliance is partitioned, then ensure that you update the configuration on all the individual partitions, including the default.
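The anchoring rules above are the whole point of the mitigation: a RelayState or ACS URL check that is not anchored at the start, or that does not terminate the domain with a slash, also accepts attacker-controlled URLs that merely contain the legitimate domain. The following PowerShell script, added here as an example and not taken from Citrix or the original post, exercises weak and corrected patterns against legitimate and phishing-style URLs. The hosts app.example.com and sp.example.com are placeholders. On the appliance the same patterns are used inside an advanced policy expression such as REGEX_MATCH(re#...#); the anchors behave the same way there.

```powershell
# Added example (not Citrix's code): show why ^, the trailing / and $ matter in
# relayStateRule and acsUrlRule expressions. Hosts are assumed placeholders.

function Test-UrlRule {
    # Match every URL in $Urls against $Pattern and report the outcome.
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][string[]]$Urls
    )
    foreach ($u in $Urls) {
        [pscustomobject]@{
            Pattern = $Pattern
            Url     = $u
            IsMatch = [bool]($u -match $Pattern)
        }
    }
}

# Constructed RelayState values: two legitimate, two attacker-controlled.
$relayStates = @(
    'https://app.example.com/',                           # legitimate
    'https://app.example.com/payroll',                    # legitimate sub-path
    'https://app.example.com.attacker.net/',              # legit host used as a prefix
    'https://attacker.net/?next=https://app.example.com/' # legit URL embedded later
)

# Weak: no ^ anchor and no trailing slash -> both phishing URLs match.
Test-UrlRule -Pattern 'https://app\.example\.com' -Urls $relayStates | Format-Table -AutoSize

# Per the Citrix guidance: ^ at the start and / after the domain -> only the
# two legitimate URLs match.
Test-UrlRule -Pattern '^https://app\.example\.com/' -Urls $relayStates | Format-Table -AutoSize

# Constructed ACS URLs for an ADC configured as SP (ACS path is /cgi/samlauth).
$acsUrls = @(
    'https://sp.example.com/cgi/samlauth',                                 # the real ACS URL
    'https://sp.example.com/cgi/samlauth?x=1',                             # altered ACS URL
    'https://attacker.net/cgi/samlauth?https://sp.example.com/cgi/samlauth' # attacker SP
)

# Weak: unanchored -> the attacker's ACS URL matches because it contains the real one.
Test-UrlRule -Pattern 'https://sp\.example\.com/cgi/samlauth' -Urls $acsUrls | Format-Table -AutoSize

# Per the Citrix guidance: ^ and $ pin the entire string -> only the exact ACS URL matches.
Test-UrlRule -Pattern '^https://sp\.example\.com/cgi/samlauth$' -Urls $acsUrls | Format-Table -AutoSize
```

Run this against your own list of published domains and ACS URLs before committing the expressions to the appliance: a pattern that rejects one of your legitimate URLs breaks sign-in for that app, and a pattern that accepts one of the attacker-style URLs leaves the hijack open.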


I’m presenting two more Active Directory and Azure AD Better Together webinars

After the huge success of my previously co-presented Active Directory and Azure AD Better Together webinars for their US audience, Netwrix and I have decided to organize these webinars again for people in Europe, Africa and the Middle-East.

On June 23rd and June 25th, Netwrix’ Russel McDermott and I discuss how Active Directory and Azure AD are better together.

You’ll learn how you can benefit from integrating your on-premises Active Directory Domain Services environment with Azure AD, how to harden your hybrid environment, how to configure Azure AD tools and features properly to get more value out of them, and how to effectively monitor what’s happening across your hybrid IT infrastructure.

About the webinars

Whether you’re already building your cloud infrastructure or are still considering your strategy, enroll in this free online course to find out why Active Directory and Azure AD are better together.

WEBINAR1. GETTING MAXIMUM VALUE FROM INFRASTRUCTURE SECURITY SERVICES

June 23, 2021 3PM Central European Summer Time (CEST)

The Microsoft Cloud offers a wealth of benefits, from powerful enterprise applications and built-in high availability to predictable costs. But most organizations still need their on-premises IT environment as well. Fortunately, there are proven strategies for making your trusted Active Directory environment and your shiny new Azure AD tenant work together, enabling a seamless user experience and strong security.

In this webinar, I’ll share my expertise for making that happen. Join this session to learn:

  • The benefits of using Active Directory and Azure AD together
  • How to properly configure infrastructure security services, including Azure AD Conditional Access, Multi-factor Authentication (MFA), Connect Health, Identity Protection, and Password Protection
  • How to track both on-prem AD logins and Azure AD sign-ins in one dashboard
  • How to quickly detect and report on security changes in AD and Azure AD

WEBINAR 2. HARDENING YOUR HYBRID ENVIRONMENT

June 25, 2021 Central European Summer Time (CEST)

We already know the principle of hardening for on-premises systems, apps and services. Now, let’s apply it to the Microsoft Cloud as well!

I’ll show you the default settings in Azure AD and explain why they aren’t appropriate for all organizations. By looking under the covers of Azure AD, you’ll know when to dial the buttons that govern guest access, app consent and access to the Azure AD admin portal. I’ll sprinkle some Conditional Access, Microsoft Defender for Identity and Azure Log Analytics goodness on top of these settings to keep you on top of all things Azure AD.

In this session you’ll find out:

  1. What happens if you use the default Azure AD settings
  2. How to harden your Active Directory, Azure AD and Microsoft 365
  3. How to easily track and report on security and configuration changes in Azure AD
  4. How to secure the sensitive data you store in Microsoft 365

Join us!

Get ahead of the field and kickstart the directory overhaul for your organization!
Register here.

Note:
These webinars are offered free of charge, thanks to the sponsoring by Netwrix. By signing up for these webinars you agree to their privacy policy.

About Netwrix

Netwrix empowers information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers. Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.


Preparing Active Directory for Windows 10 version 21H1

Microsoft has released a new version of Windows 10, dubbed version 21H1. This version brings new functionality that many organizations are eager to utilize. In many organizations, Windows-based devices are joined to Active Directory Domain Services (AD DS), so devices can be managed centrally and end-users can sign-in on any domain-joined device of their liking.

A new Windows version means that Active Directory needs to be properly prepared. In this blogpost, I’ll show you how to prepare Active Directory for Windows 10, version 21H1:

Group Policy

Windows 10, version 21H1 comes with ten new Group Policy settings. To centrally manage Group Policy, you can update the Group Policy Central Store with the new Group Policy template (*.admx) and Group Policy language (*.adml) files. This way, you can centrally manage the versioning of Group Policy templates.

Note:
If your organization doesn’t use the Group Policy Central Store feature, yet, now is a good time to implement it.

You can download the Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1) package from the Microsoft Download Center. This download includes *.adml files for the Czech, Danish, German, Greek, English, Spanish, Finnish, French, Hungarian, Italian, Japanese, Korean, Norwegian, Dutch, Polish, Portuguese, Russian, Swedish, Turkish and Chinese languages.

Copy the new PolicyDefinitions folder over the existing PolicyDefinitions folder in the Active Directory System Volume (SYSVOL) share to update the Group Policy Central Store.

When you’re a fan of Microsoft’s security baselines, you can download and implement the Security baseline (final) for Windows 10, version 21H1.

Windows Activation

Active Directory-based Activation (ADBA) has been available since Windows Server 2012 as an alternative to a Key Management Service (KMS) host: domain-joined devices activate against activation objects stored in Active Directory instead of against a KMS server.

Note:
If your organization doesn’t use Active Directory-based Activation, yet, now is a good time to implement it.

You can retrieve the KMS host key for your organization from the Volume Licensing Service Center (VLSC). Register it as an activation object in Active Directory; domain-joined Windows 10 devices that run the default Generic Volume License Key (GVLK) then activate automatically when they come into scope of your Windows activation method.

Remote Server Administration Tools

In previous Windows 10 versions, the Remote Server Administration Tools (RSAT) needed to be downloaded manually to allow admins to manage Windows Server features from these devices. Since Windows 10, version 1809, however, the RSAT are included in Windows 10 itself as Features on Demand.

Do not download an RSAT package from the Microsoft Download Center for these devices. Instead, perform the following steps on a device running Windows 10, version 21H1:

  • Open the Settings app.
  • Go to Apps, then Optional features.
  • Click Add a feature.
    You now see the list of available RSAT tools.
  • Select and install the specific RSAT tools you need.
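The same Features on Demand can be installed from an elevated PowerShell session, which is more practical for admin workstations that are built by script. The following is an added example, not part of the original post; the capability names are the ones Windows ships, while the selection of tools is an assumed set for an identity admin workstation.

```powershell
# Added example (not from the original post): install RSAT Features on Demand
# on Windows 10, version 1809 or later. Run from an elevated session.
#Requires -RunAsAdministrator

function Get-RsatCapability {
    # All RSAT capabilities with their state (Installed or NotPresent).
    Get-WindowsCapability -Online -Name 'Rsat*' |
        Select-Object Name, State
}

function Install-RsatCapability {
    param(
        # Assumed selection for an identity admin workstation.
        [string[]]$Name = @(
            'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0',
            'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0',
            'Rsat.Dns.Tools~~~~0.0.1.0',
            'Rsat.CertificateServices.Tools~~~~0.0.1.0'
        )
    )
    foreach ($n in $Name) {
        $cap = Get-WindowsCapability -Online -Name $n
        if (-not $cap) {
            Write-Warning "Capability $n not known on this build"
            continue
        }
        if ($cap.State -eq 'Installed') {
            Write-Host "$n is already installed"
            continue
        }
        # The payload comes from Windows Update (or a configured FoD source);
        # nothing is downloaded from a web page.
        Add-WindowsCapability -Online -Name $n | Out-Null
        Write-Host "Installed $n"
    }
}

Get-RsatCapability | Format-Table -AutoSize
Install-RsatCapability
Get-RsatCapability | Where-Object State -eq 'Installed' | Format-Table -AutoSize
```

One caveat: on devices that receive updates from WSUS, Features on Demand installs fail unless the Group Policy setting Specify settings for optional component installation and component repair either points at an alternate source path or allows downloading directly from Windows Update.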

On-premises Identity-related updates and fixes for May 2021

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates.

These are the Identity-related updates and fixes we saw for May 2021:

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB5003197, May 11, 2021

The May 11, 2021 update for Windows Server 2016 (KB5003197), which updates the OS build number to 14393.4402, is a security update that includes quality improvements.

This update addresses vulnerabilities in Hyper-V, SMB, SSDP, and the Wallet Service. None of the vulnerabilities are Identity-related.

This update contains quality improvements, but none are Identity-related.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5003171, May 11, 2021

The May 11, 2021 update for Windows Server 2019 (KB5003171), which updates the OS build number to 17763.1935, is a security update that includes quality improvements.

This update addresses vulnerabilities in Hyper-V, SMB, SSDP, and the Wallet Service. Another vulnerability in kernel-mode IIS (http.sys) is addressed, but this vulnerability only applies to semi-annual channel releases beyond Windows Server 2019.

This update contains the quality improvements that were part of the April 22, 2021 update for Windows Server 2019 (KB5001384):

  • It removes the Microsoft Edge Legacy desktop application that is out of support and installs the new Microsoft Edge.
  • It addresses an issue that fails to remove mandatory profiles completely when you sign out when using the “Delete cached copies of roaming profiles” Group Policy.
  • It addresses an issue that causes lsass.exe memory usage to grow until the system becomes unusable. This occurs when Transport Layer Security (TLS) resumes a session.
  • It addresses an issue that causes automatic enrollment and certificate retrieval to fail with the error, “The parameter is incorrect.”
  • It addresses an issue that fails to apply the false setting for the RequirePDC flag in Active Directory Federation Services (AD FS).

KB5003217, May 20, 2021 Preview

The May 20, 2021 update for Windows Server 2019 (KB5003217), which updates the OS build number to 17763.1971, is a Preview update that includes the following Identity-related quality improvements:

  • It addresses an issue in Active Directory (AD) Admin Center that displays an error when it lists many organizational units (OU) or container objects and PowerShell Transcription is enabled. The error message is, "Collection was modified after the enumerator was instantiated".

  • It addresses a memory leak issue in PKU2U that causes cluster nodes to run out of memory.
  • It addresses an issue that fails to apply BitLocker encryption automatically using a Group Policy. This issue occurs on external drives that have a master boot record (MBR) active boot partition.
  • It addresses an issue that sometimes causes event log entries to appear corrupted for Microsoft-Windows-Kerberos-Key-Distribution-Center source and Event IDs 4933, 4928, and 4937.
  • It addresses an issue that fails to register a DNS update to an A record and a PTR when Azure virtual machines update against corporate DNS zones.

The quality improvements are automatically part of the next cumulative update, released on June 8, 2021, unless these improvements appear non-functional in the meantime.


HOWTO: Create a Group Policy Central Store

The Group Policy Central Store in Active Directory’s System Volume (SYSVOL) share optimizes Group Policy authoring and replication.

The Group Policy Central Store is a central location in SYSVOL for all Group Policy template (*.admx) and Group Policy language (*.adml) files. When a Central Store exists, the Group Policy Management Console and Group Policy Management Editor load the templates from it instead of from the local %SystemRoot%\PolicyDefinitions folder of the system used to manage Group Policy, so administrators no longer need to maintain matching template files on every management workstation. It allows for centralized authoring and versioning of Group Policy template and language files.

In this blogpost I’ll show you how to configure the Group Policy Central Store, that is part of Active Directory since Windows Server 2008.

 

Creating the Group Policy Central Store

Perform these steps to create a Group Policy Central Store:

 

Getting ready

Implement or locate a default Windows client device with Microsoft Office and any other software that supports Group Policy management. Install language packs for the languages used by admins in your organization. Update this system with the latest available updates, or download Group Policy templates and language files from Microsoft.

 

How to do it

To create the Group Policy Central Store, access Active Directory’s System Volume (SYSVOL) over the network from the reference client device with an account that is a member of the Domain Admins group. Write to a writable Domain Controller (not a Read-only Domain Controller), preferably the PDC emulator, so that the new files replicate from there to the other Domain Controllers.

Perform these steps:

  1. Log on to the default Windows client device for your organization.
  2. Open File Explorer.
  3. Navigate to the Windows System location, typically C:\Windows.
  4. Locate the PolicyDefinitions folder.
  5. Right-click the PolicyDefinitions folder and select Copy from the menu.
  6. Navigate the current File Explorer window to Active Directory’s System Volume (SYSVOL), for instance \\lucernpub.com\SYSVOL\lucernpub.com.
  7. In the System Volume, navigate to the Policies folder.
  8. Right-click an empty space and select Paste from the menu.
  9. Navigate to the C:\Program Files (x86)\Microsoft Group Policy folder, if it exists.
  10. Copy the PolicyDefinitions folder in the latest version folder and paste it in the same location as step 8.
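The same procedure, and the update step from the Windows 10 version 21H1 post above (copying the downloaded PolicyDefinitions folder over the existing Central Store), can be scripted so it is repeatable whenever new templates arrive. The following PowerShell function is an added example, not part of the original post. It assumes the ActiveDirectory module only when -Domain is omitted; lucernpub.com is the placeholder domain used in the steps above, and the install path of the downloaded 21H1 ADMX package is an assumption about where its installer places the files.

```powershell
# Added example (not from the original post): create or refresh the Group Policy
# Central Store from a local PolicyDefinitions folder. Run as a Domain Admin.

function Update-GpoCentralStore {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SourcePath,  # local ...\PolicyDefinitions folder
        [string]$Domain = (Get-ADDomain).DNSRoot,    # requires the AD module if omitted
        [string[]]$Languages = @('en-US'),           # *.adml subfolders to copy
        [string]$DomainController                    # optional: write to a specific (writable) DC
    )
    # Target the PDC emulator (or the DC given) rather than the DFS root, so the
    # change enters SYSVOL at one place and replicates from there.
    $host_ = if ($DomainController) { $DomainController } else { $Domain }
    $store = "\\$host_\SYSVOL\$Domain\Policies\PolicyDefinitions"

    if (-not (Test-Path $store)) {
        New-Item -ItemType Directory -Path $store | Out-Null
    }
    # *.admx files live in the root of PolicyDefinitions, *.adml files in
    # per-language subfolders. -Force overwrites older versions in the store.
    Copy-Item -Path (Join-Path $SourcePath '*.admx') -Destination $store -Force
    foreach ($lang in $Languages) {
        $src = Join-Path $SourcePath $lang
        if (-not (Test-Path $src)) {
            Write-Warning "No $lang folder in $SourcePath; skipping"
            continue
        }
        $dst = Join-Path $store $lang
        if (-not (Test-Path $dst)) {
            New-Item -ItemType Directory -Path $dst | Out-Null
        }
        Copy-Item -Path (Join-Path $src '*.adml') -Destination $dst -Force
    }

    # Report counts so the result can be checked against the source folder.
    $admlCount = 0
    foreach ($lang in $Languages) {
        $p = Join-Path $store $lang
        if (Test-Path $p) { $admlCount += (Get-ChildItem $p -Filter '*.adml').Count }
    }
    [pscustomobject]@{
        Store = $store
        Admx  = (Get-ChildItem $store -Filter '*.admx').Count
        Adml  = $admlCount
    }
}

# First run: seed the store from the reference client's own templates.
Update-GpoCentralStore -SourcePath 'C:\Windows\PolicyDefinitions' `
    -Domain 'lucernpub.com' -Languages 'en-US', 'nl-NL'

# Later: overlay the newer templates from the downloaded 21H1 ADMX package
# (assumed install path of the Microsoft Download Center package).
Update-GpoCentralStore -SourcePath 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)\PolicyDefinitions' `
    -Domain 'lucernpub.com' -Languages 'en-US', 'nl-NL'
```

After the copy, open the Group Policy Management Editor on a management workstation and confirm that the Administrative Templates node reports "Policy definitions (ADMX files) retrieved from the central store"; if it still says "retrieved from the local computer", the store path or the DC you wrote to is wrong.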

 

How it works

Before Windows Vista and Windows Server 2008, Group Policy templates were stored as *.adm files.

Since Windows Server 2008 and Windows Vista, Group Policy settings in the Administrative Templates parts of Group Policy objects (GPOs) are represented on the filesystem by *.admx files and *.adml files. The first type of files defines the settings. The latter type of files provides language-dependent labels, so administrators using different languages can work together seamlessly.

Beyond the language benefit, the new filetypes also allow for a Central Store to store all Group Policy settings and settings languages in Active Directory’s System Volume (SYSVOL). This way, files for configured settings no longer have to be stored with individual GPOs, but only once. This optimizes Group Policy replication between Domain Controllers significantly.

 

There’s more

Creating the Group Policy Central Store is not a one-off task: the process must be revisited whenever new versions of Windows or other Group Policy-managed software are introduced in the organization. Overwrite the *.admx and *.adml files in the Central Store with the newer versions, and keep the *.adml files in each language subfolder in step with their *.admx files, because a mismatch between an *.admx file and its *.adml file produces parsing errors in the Group Policy editors.


What's New in Azure Active Directory for May 2021

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for May 2021:

What’s New

Azure AD verifiable credentials Public Preview

Service category: Other
Product capability: User Authentication

Organizations using Azure AD can now easily design and issue verifiable credentials to represent proof of employment, education, or any other claim while respecting privacy.

Build and test expressions for user provisioning Public Preview

Service category: App Provisioning
Product capability: Identity Lifecycle Management

When an admin configures provisioning to a SaaS application, one of the types of attribute mappings that can be specified is an expression mapping. For these, a script-like expression must be written that allows transformation of users' data into formats that are more acceptable for the SaaS application.

The expression builder allows admins to create and test expressions, without having to wait for the full sync cycle.

Enhanced audit logs for Conditional Access policy changes Public Preview

Service category: Conditional Access
Product capability: Identity Security & Protection

An important aspect of managing Conditional Access is understanding changes to policies over time. Policy changes may cause disruptions for end users, so maintaining a log of changes and enabling admins to revert to previous policy versions is critical.

In addition to showing who made a policy change and when, the audit logs will now also contain a modified properties value so that admins have greater visibility into what assignments, conditions, or controls changed. To revert to a previous version of a policy, admins can copy the JSON representation of the old version and use the Conditional Access APIs to quickly change the policy back to its previous state.
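The revert described above can be scripted: read the old policy version out of the audit entry and PATCH it back through the Conditional Access API. The following PowerShell is an added example, not from Microsoft’s release notes. It assumes $AccessToken holds a Microsoft Graph bearer token with the AuditLog.Read.All and Policy.ReadWrite.ConditionalAccess permissions, and that the audit entry carries the previous policy as a JSON string in modifiedProperties under the display name ConditionalAccessPolicy (an assumption about the directoryAudit entries for Conditional Access changes; adjust the name if your tenant’s entries differ). The sample audit entry is constructed for offline testing and is not real tenant data.

```powershell
# Added example (not Microsoft's code): roll a Conditional Access policy back
# to the version recorded in the Azure AD audit log.

function Get-PreviousPolicyVersion {
    # Returns the policy as it was before the change recorded in $AuditEntry.
    param([Parameter(Mandatory)]$AuditEntry)
    $target = $AuditEntry.targetResources | Select-Object -First 1
    # Assumption: the old/new policy JSON is stored under this display name.
    $prop = $target.modifiedProperties | Where-Object displayName -eq 'ConditionalAccessPolicy'
    if (-not $prop -or [string]::IsNullOrEmpty($prop.oldValue)) {
        throw "Audit entry $($AuditEntry.id) has no previous policy version (creation event?)"
    }
    $old = $prop.oldValue | ConvertFrom-Json
    # Read-only properties must not be sent back in a PATCH.
    foreach ($ro in 'id', 'createdDateTime', 'modifiedDateTime') {
        $old.PSObject.Properties.Remove($ro)
    }
    [pscustomobject]@{ PolicyId = $target.id; Body = $old }
}

function Restore-ConditionalAccessPolicy {
    # PATCHes the previous version back; returns the updated policy from Graph.
    param(
        [Parameter(Mandatory)]$AuditEntry,
        [Parameter(Mandatory)][string]$AccessToken
    )
    $previous = Get-PreviousPolicyVersion -AuditEntry $AuditEntry
    $uri  = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($previous.PolicyId)"
    $json = $previous.Body | ConvertTo-Json -Depth 20
    Invoke-RestMethod -Method Patch -Uri $uri -ContentType 'application/json' `
        -Headers @{ Authorization = "Bearer $AccessToken" } -Body $json
}

# Constructed sample audit entry: someone disabled the admin MFA policy.
$sampleEntry = @'
{
  "id": "Directory_00000000-0000-0000-0000-000000000001",
  "activityDisplayName": "Update conditional access policy",
  "targetResources": [ {
    "id": "11111111-2222-3333-4444-555555555555",
    "displayName": "Require MFA for administrators",
    "modifiedProperties": [ {
      "displayName": "ConditionalAccessPolicy",
      "oldValue": "{\"id\":\"11111111-2222-3333-4444-555555555555\",\"displayName\":\"Require MFA for administrators\",\"state\":\"enabled\",\"conditions\":{\"users\":{\"includeRoles\":[\"62e90394-69f5-4237-9190-012177145e10\"]},\"applications\":{\"includeApplications\":[\"All\"]}},\"grantControls\":{\"operator\":\"OR\",\"builtInControls\":[\"mfa\"]}}",
      "newValue": "{\"id\":\"11111111-2222-3333-4444-555555555555\",\"displayName\":\"Require MFA for administrators\",\"state\":\"disabled\",\"conditions\":{\"users\":{\"includeRoles\":[\"62e90394-69f5-4237-9190-012177145e10\"]},\"applications\":{\"includeApplications\":[\"All\"]}},\"grantControls\":{\"operator\":\"OR\",\"builtInControls\":[\"mfa\"]}}"
    } ]
  } ]
}
'@ | ConvertFrom-Json

$restore = Get-PreviousPolicyVersion -AuditEntry $sampleEntry
$restore.Body.state   # "enabled": the version that would be PATCHed back
# Restore-ConditionalAccessPolicy -AuditEntry $sampleEntry -AccessToken $AccessToken
```

Fetch real entries from GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits with a filter on activityDisplayName eq 'Update conditional access policy'. Before restoring a policy that was enabled, consider setting state to enabledForReportingButNotEnforced first: a reverted policy that locks administrators out is a second incident on top of the first.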

Sign-in logs include authentication methods used during sign-in Public Preview

Service category: Multi-factor Authentication (MFA)
Product capability: Monitoring & Reporting

Admins can now see the sequential steps users took to sign-in, including which authentication methods were used during sign-in.

To access these details, admins can select a sign-in from the Azure AD sign-in logs and then navigate to the Authentication Method Details tab. Here, information is included such as which method was used, details about the method (e.g. phone number, phone name), the authentication requirement satisfied, and result details.

PIM adds support for ABAC conditions in Azure Storage roles Public Preview

Service category: Privileged Identity Management (PIM)
Product capability: Privileged Identity Management (PIM)

Along with the public preview of attribute-based access control (ABAC) for specific Azure role-based access control (RBAC) roles, admins can also add ABAC conditions inside Privileged Identity Management (PIM) for eligible assignments.

Conditional Access and Identity Protection Reports in B2C Generally Available

Service category: Consumer Identity Management
Product capability: Azure AD B2B/B2C

Azure AD now supports Conditional Access and Identity Protection for business-to-consumer (B2C) apps and users. This enables organizations to protect their users’ sign-ins with granular risk- and location-based access controls. With these features, organizations can now look at the signals and create a policy to provide more security and access to their customers.

Next generation Azure AD B2C user flows Generally Available

Service category: Consumer Identity Management
Product capability: Azure AD B2B/B2C

The new simplified user flow experience in Azure AD B2C offers feature parity with preview features and is the home for all new features. Organizations will be able to enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. The new, user-friendly UX also simplifies the selection and creation of user flows.

KMSI and Password reset now in next generation of user flows Generally Available

Service category: Consumer Identity Management
Product capability: Azure AD B2B/B2C

The next generation of B2C user flows now supports keep me signed in (KMSI) and password reset. The KMSI functionality allows customers to extend the session lifetime for the users of their web and native applications by using a persistent cookie. This feature keeps the session active even when the user closes and reopens the browser, and is revoked when the user signs out. Password reset allows users to reset their password from the Forgot your password link. This also allows the admin to force reset the user's expired password in the Azure AD B2C directory.

New Log Analytics workbook: Application role assignment activity Generally Available

Service category: User Access Management
Product capability: Entitlement Management

A new workbook has been added for surfacing audit events for application role assignment changes.

Azure Active Directory threat intelligence for sign-in risk Generally Available

Service category: Identity Protection
Product capability: Identity Security & Protection

This new detection serves as an ad-hoc method to allow Microsoft’s security teams to notify organizations and protect their users by raising their session risk to a High risk when Microsoft observes an attack happening, as well as marking the associated sign-ins as risky. This detection follows the existing Azure Active Directory threat intelligence for user risk detection to provide complete coverage of the various attacks observed by Microsoft security teams.

Conditional Access named locations improvements Generally Available

Service category: Conditional Access
Product capability: Identity Security & Protection

Updates to Conditional Access named locations include:

  • Added the capability to define IPv6 address ranges
  • Increased the limit of named locations from 90 to 195
  • Increased the limit of IP ranges per named location from 1200 to 2000
  • Added capabilities to search and sort named locations and filter by location type and trust type
  • Added named locations a sign-in belonged to in the sign-in logs

Additionally, to prevent admins from defining problematic named locations, additional checks have been added to reduce the chance of misconfiguration.

Restricted guest access permissions in Azure AD Generally Available

Service category: User Management
Product capability: Directory

Directory level permissions for guest users have been updated. These permissions allow admins to require additional restrictions and controls on external guest user access.

Admins can now add additional restrictions for external guests' access to user and groups' profile and membership information. Also, organizations can manage external user access at scale by hiding group memberships, including restricting guest users from seeing memberships of the group(s) they are in.

NEW PROVISIONING CONNECTORS IN THE AZURE AD APPLICATION GALLERY

Service category: App Provisioning
Product capability: 3rd Party Integration

Organizations can now automate creating, updating, and deleting user accounts for these newly integrated apps:

New Federated Apps available in the Azure AD Application gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2021 Microsoft has added the following 29 new applications in the Azure AD App gallery with Federation support:

  1. InviteDesk
  2. Webrecruit ATS
  3. Workshop
  4. Gravity Sketch
  5. JustLogin
  6. Custellence
  7. WEVO
  8. AppTec360 MDM
  9. Filemail 
  10. Ardoq
  11. Leadfamly
  12. Documo
  13. Autodesk SSO
  14. Check Point Harmony Connect
  15. BrightHire
  16. Rescana
  17. Bluewhale
  18. AlacrityLaw
  19. Equisolve
  20. Zip
  21. Cognician
  22. Acra
  23. VaultMe
  24. TAP App Security
  25. Cavelo Office365 Cloud Connector
  26. Clebex
  27. Banyan Command Center
  28. Check Point Remote Access VPN
  29. LogMeIn

What’s Changed

Improved Conditional Access Messaging for Android, iOS and iPadOS

Service category: Device Registration and Management
Product capability: End User Experiences

Microsoft has updated the wording on the Conditional Access screen shown to users when they are blocked from accessing corporate resources until they enroll their device in Mobile Device Management. These improvements apply to the Android and iOS/iPadOS platforms. The following have been changed:

  • Help us keep your device secure has changed to Set up your device to get access.
  • Your sign-in was successful but your admin requires your device to be managed by Microsoft to access this resource. has changed to [Organization’s name] requires you to secure this device before you can access [organization’s name] email, files, and data..
  • Enroll Now has changed to Continue.

Azure Information Protection service will begin asking for consent

Service category: Authentications (Logins)
Product capability: User Authentication

The Azure Information Protection service signs users into the tenant that encrypted the document as part of providing access to the document. Starting June 2021, Azure AD will begin prompting the user for consent when this access is performed across organizations. This ensures that the person understands that the organization which owns the document will collect some information about the person as part of the document access.

Provisioning logs schema change impacting Graph API and Azure Monitor integration

The attributes Action and statusInfo will be changed to provisioningAction and provisioningStatusInfo. Please update any scripts that you have created using the provisioning logs Graph API or Azure Monitor integrations.

New ARM API to manage PIM for Azure Resources and Azure AD roles

Service category: Privileged Identity Management (PIM)
Product capability: Privileged Identity Management (PIM)

An updated version of Privileged Identity Management (PIM)'s application programming interface (API) for Azure Resource roles and Azure AD roles has been released. The PIM API for Azure Resource roles is now released under the ARM API standard, which aligns with the role management API for regular Azure role assignment. On the other hand, the PIM API for Azure AD roles is also released under the Graph API, aligned with the unifiedRoleManagement APIs.

Some of the benefits of this change include:

  • Alignment of the PIM API with objects in ARM and Graph for role management.
  • Reducing the need to call PIM to onboard new Azure resources.
  • All Azure resources automatically work with new PIM API.
  • Reducing the need to call PIM for role definition or keeping a PIM resource ID
  • Supporting app-only API permissions in PIM for both Azure AD and Azure Resource roles

Previous version of PIM's API under /privilegedaccess will continue to function but we recommend you to move to this new API going forward.

Revision of roles in Azure AD entitlement management

Service category: Roles
Product capability: Entitlement Management

A new role Identity Governance Administrator has recently been introduced.

This role replaces the User Administrator role for managing catalogs and access packages in Azure AD entitlement management. Users who have the User Administrator role assigned, or who are eligible to activate it, in order to manage access packages should be given the Identity Governance Administrator role instead, which now provides this functionality with the least administrative privilege. The User Administrator role will no longer provide administrative rights to catalogs or access packages.


A Recap of Identity-related Announcements from Microsoft Build 2021

Another Microsoft Build event comes to a close. Microsoft organized Microsoft Build as a free digital event between Tuesday May 25th 5 PM CEST and Thursday May 27th 5 PM CEST.

Microsoft Build is Microsoft’s annual conference event, aimed at software engineers and web developers using Windows, Microsoft Azure and other Microsoft technologies. First held in 2011, it serves as a successor for Microsoft's previous developer events, the Professional Developers Conference (PDC) and MIX.

During Build 2021, Microsoft made the following Identity-related announcements:

Continuous Access Evaluation in Microsoft Graph Public Preview

Continuous Access Evaluation (CAE), an authentication feature in Azure Active Directory (Azure AD), is now in Microsoft Graph in preview. Developers can update and test apps that use Microsoft Graph APIs to make their apps more secure. Using Microsoft Graph APIs with CAE support, apps are more resilient due to the optimizations for token lifetime and token refresh.

Instead of waiting for the access token expiration, commonly set at 60 minutes, CAE in Azure AD reevaluates active user sessions in real time and can revoke access to protected resources in response to events such as device loss, user password changes or disabling of the user’s account. CAE can also be used to stop a user from accessing secured resources when they change location.

Azure AD Access Reviews for Service Principals

In Azure AD, a service principal is typically created for an app or code that needs to access or modify resources that can only be facilitated through an identity with the necessary permissions. As organizations move more apps to the cloud and procure third-party software as a service (SaaS) apps, these service principals are assigned privileged roles, which often go ungoverned.

Now, with Azure AD Access Reviews and Privileged Identity Management (PIM), organizations can periodically review the assignments of privileged roles to service principals in the tenant.

This way, Azure AD Access Reviews enable periodic reviews of service principals and apps assigned to directory roles, as well as roles in Azure subscriptions. This capability helps organizations ensure that their services and apps, just like their employees, are abiding by established least-privilege policies, helping reduce the damage caused by an attack.

Azure Cosmos DB role-based access control (RBAC) Generally Available

Azure Cosmos DB RBAC with Azure AD integration for the Core (SQL) API enables organizations to have enhanced control over data security.

Account administrators can set up clearly defined rules about what each identity is able to do within the database, and then apply the roles to Azure AD profiles to determine access level. For example, an IoT device could enter data, but it would not have the ability to read, change or update data.

Microsoft Identity App Sync Public Preview

Microsoft Identity App Sync, a new command line tool in Visual Studio 2019.10, simplifies the developer experience for registering and configuring ASP.NET Core apps.

Using Identity App Sync, developers can register an app and have code changes made locally with only a few commands. The tool can also be used to update code from an existing Azure AD or Azure AD Business to Consumer (B2C) app.


VMSA-2021-0010 updates for vCenter Server addresses two security vulnerabilities (CVE-2021-21985, CVE-2021-21986)

Today, VMware released an update that addresses two vulnerabilities in its vCenter Server and Cloud Foundation products:

  • A remote code execution vulnerability in the vSphere Client (CVE-2021-21985)
  • An authentication mechanism issue in vCenter Server Plug-ins (CVE-2021-21986)

About the vulnerabilities

Remote code execution vulnerability in the vSphere Client (CVE-2021-21985)

The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Authentication mechanism issue in vCenter Server Plug-ins (CVE-2021-21986)

The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

A malicious actor with network access to port 443 on vCenter Server may perform actions allowed by the impacted plug-ins without authentication.

How to fix the situation

VMware has released new versions of its vCenter Server and Cloud Foundation products. These versions address the vulnerabilities:

  1. vCenter Server 7.0 U2b
  2. vCenter Server 6.7 U3n
  3. vCenter Server 6.5 U3p
  4. Cloud Foundation (vCenter Server) 4.2.1
  5. Cloud Foundation (vCenter Server) 3.10.2.1

Alternatively, VMware KnowledgeBase article 83829 provides a workaround for admins who can’t install the updates just yet: they can mitigate the issue by disabling the affected VMware plug-ins in vCenter Server.

Concluding

Please install the updates for the version(s) of ESXi, vCenter Server and/or Cloud Foundation in use within your organization, as mentioned above and in the advisory for VMSA-2021-0010.


Windows 10, version 21H1 build 19043 introduces Ten new Group Policy settings

Windows 10

On May 18th, 2021, Microsoft released Windows 10, version 21H1 build 19043. This Windows version introduces ten new Group Policy settings.

New Group Policy Settings

Windows 10, version 21H1, build 19043 introduces the following new Group Policy settings:

Enable news and interests on the taskbar

This computer Group Policy setting specifies whether news and interests are shown on the taskbar.

This Group Policy setting can be found under Computer Configuration, Administrative Templates, Windows Components, News and interests.

Remove the Meet Now icon

This Group Policy setting allows admins to remove the Meet Now icon from the system control area. If an admin enables this Group Policy setting for a user in scope, the Meet Now icon is not displayed in the system notification area.

If an admin disables or does not configure this Group Policy setting, the Meet Now icon is displayed in the system notification area.

This Group Policy setting can be found under User Configuration, Administrative Templates, Start Menu and Taskbar.

Disable safeguards for Feature Updates

An admin can enable this Group Policy setting when Feature Updates should be deployed to devices without blocking on any safeguard holds. Safeguard holds are known compatibility issues that block the upgrade from being deployed to affected devices until the issue is resolved. 

Enabling this Group Policy setting allows an organization to deploy Windows Feature Updates to devices for testing, or to deploy Feature Updates without blocking on safeguard holds.

This Group Policy setting can be found under Computer Configuration, Administrative Templates, Windows Components, Windows Update and Windows Update for Business.

Allow "Save Target As" in Internet Explorer mode

This Group Policy setting allows admins to enable the Save Target As context menu in Internet Explorer mode.

If an admin enables this Group Policy setting for either a device or a user in scope, Save Target As will show up in the Internet Explorer mode context menu and works the same as in Internet Explorer. If an admin disables or does not configure this Group Policy setting, Save Target As will not show up in the Internet Explorer mode context menu.

This Group Policy setting can be found under Administrative Templates, Windows Components, Internet Explorer, under both Computer Configuration and User Configuration.

Enable extended hot keys in Internet Explorer mode

This Group Policy setting lets admins enable extended Microsoft Edge Internet Explorer mode hotkeys, such as Ctrl+S for Save As.

If an admin enables this Group Policy setting for either a device or a user in scope, extended hotkey functionality is enabled in Internet Explorer mode and works the same as in Internet Explorer. If an admin disables or doesn't configure this Group Policy setting, extended hotkeys will not work in Internet Explorer mode.

This Group Policy setting can be found under Administrative Templates, Windows Components, Internet Explorer, under both Computer Configuration and User Configuration.

Disable Internet Explorer 11 as a standalone browser

This Group Policy setting lets admins restrict launching of Internet Explorer as a standalone browser.

If an admin enables this Group Policy setting for either a device or a user in scope, it:

  • Prevents Internet Explorer 11 from launching as a standalone browser.
  • Restricts Internet Explorer's usage to Microsoft Edge's native 'Internet Explorer mode'.
  • Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge Stable Channel browser.
  • Overrides any other policies that redirect to Internet Explorer 11.

If an admin disables, or doesn’t configure this Group Policy setting, all sites are opened using the current active browser settings.

Note:
Microsoft Edge Stable Channel must be installed for this policy to take effect.

This Group Policy setting can be found under Administrative Templates, Windows Components, Internet Explorer, under both Computer Configuration and User Configuration.

Suppress the display of Edge Deprecation Notification

Admins can configure Microsoft Edge to suppress the display of the notification that informs users that support of the ‘Spartan’ version of Microsoft Edge ended on March 9th, 2021.

If an admin enables this Group Policy setting for either a device or a user in scope, the notification will not show. If disabled or not configured, the notification will show every time the Edge ‘Spartan’ browser is launched.

This Group Policy setting can be found under Administrative Templates, Windows Components, Microsoft Edge, under both Computer Configuration and User Configuration.

Select OCR language

This Group Policy setting allows selection of Optical Character Recognition (OCR) language.

If an admin enables this Group Policy setting for a device in scope, the selected OCR language is used in OCR processing during the indexing of TIFF files. If an admin disables or doesn’t configure this Group Policy setting, the default system language is used.

Note:
Re-indexing is not initiated when you enable this policy and select the OCR language. This policy setting only applies to indexing of new files, unless re-indexing is initiated manually.

This Group Policy setting can be found under Computer Configuration, Administrative Templates, Search, OCR.

Select OCR language from a code page

This Group Policy setting allows selection of the Optical Character Recognition (OCR) languages that belong to one of the supported code pages.

If an admin enables this Group Policy setting for a device in scope, the selected OCR languages are used in OCR processing during the indexing of TIFF files. The default system language is ignored unless it is among the selected OCR languages. If an admin disables or doesn’t configure this Group Policy setting, only the default system language is used.

Note:
All selected OCR languages must belong to the same code page. If languages from more than one code page are selected, the entire OCR language selection is ignored and only the default system language is used.

Note:
Re-indexing is not initiated when you enable this policy and select the OCR language. This policy setting only applies to indexing of new files, unless re-indexing is initiated manually.

This Group Policy setting can be found under Computer Configuration, Administrative Templates, Search, OCR.

Force TIFF IFilter to perform OCR for every page in a TIFF document

This Group Policy setting lets admins turn off the performance optimization on a device in scope, so that the TIFF IFilter will perform OCR for every page in a TIFF document, which allows indexing of all recognized text.

By default, the TIFF IFilter optimizes its performance by skipping Optical Character Recognition (OCR) for document pages that have non-textual content. In some cases, pages that contain text can be misclassified as non-text pages. If this is the case, the text in these pages will not be indexed.

If an admin enables this Group Policy setting on a device in scope, TIFF IFilter will perform OCR for every page in a TIFF document to index all recognized text. Therefore, the OCR process will be slower. This decrease in performance can be significant if there are lots of non-textual pages (pictures) in TIFF documents on the system.

If an admin disables or doesn’t configure this Group Policy setting, TIFF IFilter will optimize its performance by skipping non-textual content during the OCR process.

This Group Policy setting can be found under Computer Configuration, Administrative Templates, Search, OCR.
