Critical DNS Server Heap Overflow Vulnerability could allow Remote Code Execution (Critical, CVE-2018-8626)


This week, for its December 11th 2018 Patch Tuesday, Microsoft released a security update for supported versions of Windows Server acting as DNS Servers. As many Domain Controllers are installed and configured as such, this is a serious vulnerability.

The update addresses the vulnerability by modifying how Windows DNS servers handle requests.


About the vulnerability

A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers, when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows Server installations that are configured as DNS servers are at risk from this vulnerability.

To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server.

The vulnerability was reported by Mitch Adair from the Microsoft Windows Enterprise Security Team. It is catalogued as CVE-2018-8626 and rated Critical.

Affected Operating Systems

Windows Server 2012 R2 and later Windows Server versions are affected, as are the corresponding Windows client versions. Both Full installations and Server Core installations are affected.

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.


About the update

The update addresses the vulnerability by modifying how Windows DNS servers handle requests.

To apply the update, install the following update per Windows and/or Windows Server version:

  • Windows Server 2012 R2: KB4471320 or KB4471322
  • Windows Server 2016: KB4471321
  • Windows Server 2019: KB4471332
  • Windows Server, version 1709: KB4471329
  • Windows Server, version 1803: KB4471324


Known issues

Microsoft is not currently aware of any issues with this update.


Call to Action

I urge you to install the necessary security updates on Windows Server installations running as DNS servers (including Active Directory Domain Controllers that host the DNS Server role) in a test environment as soon as possible, assess the risk and the possible impact on your production environment, and then roll the update out to the Windows Server installations running as DNS servers in production.
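To check a DNS server against the KB list above before and after rollout, here is an added PowerShell audit script (my example, not part of the advisory or of Microsoft's tooling). It takes the KB numbers from the list above and assumes the RTM build numbers 9600, 14393, 16299, 17134 and 17763, which are not on this page, to tell the releases apart; run it in an elevated session on the server itself.

```powershell
# Added example: report whether this Windows Server, if it runs the DNS Server
# role, carries the December 2018 update for CVE-2018-8626.
function Get-Cve20188626PatchState {
    [CmdletBinding()]
    param()

    # RTM build number -> KB numbers listed for that release (assumption: these
    # build numbers identify the releases; the KB numbers come from the post).
    # Windows Server 2012 R2 has a monthly rollup and a security-only update;
    # either one contains the fix.
    $requiredKbs = @{
        9600  = @('KB4471320', 'KB4471322')  # Windows Server 2012 R2
        14393 = @('KB4471321')               # Windows Server 2016
        16299 = @('KB4471329')               # Windows Server, version 1709
        17134 = @('KB4471324')               # Windows Server, version 1803
        17763 = @('KB4471332')               # Windows Server 2019
    }

    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $build   = [int]$os.BuildNumber
    $ubr     = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' `
                                 -Name UBR -ErrorAction SilentlyContinue).UBR
    # The DNS Server role registers the "DNS" service; without it the CVE does not apply.
    $dnsRole = $null -ne (Get-Service -Name DNS -ErrorAction SilentlyContinue)

    $wanted    = $requiredKbs[$build]
    $installed = @()
    if ($wanted) {
        $installed = @(Get-HotFix | Where-Object { $wanted -contains $_.HotFixID } |
                       Select-Object -ExpandProperty HotFixID)
    }

    # Caveat: cumulative updates supersede one another, so a server that received
    # a later cumulative update will not list the December 2018 KB in Get-HotFix.
    # Treat "KB not found" as "verify the build and UBR against the Windows update
    # history", not as proof that the server is still vulnerable.
    $state = if (-not $dnsRole)        { 'DNS Server role not present; CVE-2018-8626 does not apply' }
             elseif (-not $wanted)     { "Build $build is not in the affected list; verify manually" }
             elseif ($installed.Count) { "Patched ($($installed -join ', ') installed)" }
             else                      { 'Listed KB not found; check whether a later cumulative update supersedes it' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSCaption     = $os.Caption
        Build         = "$($os.Version).$ubr"
        DnsServerRole = $dnsRole
        RequiredKB    = ($wanted -join ' or ')
        InstalledKB   = ($installed -join ', ')
        State         = $state
    }
}

Get-Cve20188626PatchState | Format-List
```

Run it against every Domain Controller and stand-alone DNS server in the test and production inventories and keep the output as evidence of the rollout.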

Further reading

  • Zero Day Initiative – The December 2018 Security Update Review
  • NIST – CVE-2018-8626 Detail
  • Microsoft Windows DNS Server CVE-2018-8626 Heap Buffer Overflow Vulnerability
  • It’s December of 2018 and, to hell with it, just patch your stuff
  • Dec 2018 Patch Tuesday: Microsoft patches Windows zero-day exploited in the wild


Azure AD Connect v1.2.69.0 fixes an issue with Device Write-Back


Late last week, Microsoft released a new version of Azure AD Connect, its free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.


What’s Fixed

There is only one fix in version 1.2.69.0.

This hotfix build allows an admin to select a target domain, within the specified forest, for the RegisteredDevices container when enabling device write-back.

In the previous versions that contain the new Device Options functionality (versions 1.1.819.0 through 1.2.68.0), the RegisteredDevices container location was limited to the forest root and did not allow child domains. This limitation only manifested itself on new deployments; in-place upgrades were unaffected.

If any build containing the updated Device Options functionality was deployed to a new server and device write-back was enabled, you will need to manually specify the location of the container if you do not want it in the forest root. To do this, you need to disable device write-back and re-enable it which will allow you to specify the container location on the Writeback forest page.

This release is only distributed to organizations using Azure AD Connect for manual download.


Version information

This is version 1.2.69.0 of Azure AD Connect.
It was signed off on November 19th, 2018 and made available for download on December 11th, 2018.


Download

You can download Azure AD Connect here.
The download weighs 83,5 MB.


What’s New in Azure Active Directory for November 2018


Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new and changed functionality for Azure Active Directory for November 2018:


What’s New

Azure AD Cloud Device Administrator role (Public preview)

Service category: Device Registration and Management
Product capability: Access control

Administrators can assign users to the new Cloud Device Administrator role to perform cloud device administration tasks. Users assigned the Cloud Device Administrator role can enable, disable, and delete devices in Azure AD, and can read Windows 10 BitLocker keys (if present) in the Azure portal.


Manage devices using the new activity timestamp in Azure AD (Public preview)

Service category: Device Registration and Management
Product capability: Device Lifecycle Management

The Azure AD team realizes that over time administrators must refresh and retire their organizations’ devices in Azure AD to avoid having stale devices hanging around in the environment. To help with this process, Azure AD now updates your devices with a new activity timestamp, the approximateLastLogonTimestamp, helping you to manage your device lifecycle.
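As an added example of putting the new timestamp to work (my code, not from the release notes or the Azure AD team), the function below lists devices whose approximateLastLogonTimestamp is older than a threshold. It uses the AzureAD PowerShell module, where the attribute surfaces as ApproximateLastLogonTimeStamp on Get-AzureADDevice, and assumes Connect-AzureAD has already been run with an account allowed to read devices.

```powershell
# Added example: report stale Azure AD devices based on ApproximateLastLogonTimeStamp.
function Get-StaleAzureADDevice {
    [CmdletBinding()]
    param(
        # Devices with no activity for this many days are reported as stale.
        [int]$StaleAfterDays = 90
    )

    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

    Get-AzureADDevice -All:$true | ForEach-Object {
        $seen = $_.ApproximateLastLogonTimeStamp

        # Devices registered before the timestamp was introduced, or that have
        # not authenticated since, carry no value. Report those separately
        # instead of silently treating "unknown" as "stale".
        $status = if ($null -eq $seen)       { 'NoTimestamp' }
                  elseif ($seen -lt $cutoff) { 'Stale' }
                  else                       { 'Active' }

        [pscustomobject]@{
            DisplayName  = $_.DisplayName
            ObjectId     = $_.ObjectId
            DeviceId     = $_.DeviceId
            OSVersion    = $_.DeviceOSVersion
            Enabled      = $_.AccountEnabled
            LastActivity = $seen
            Status       = $status
        }
    } | Where-Object { $_.Status -ne 'Active' }
}

# Review the candidates first; nothing below changes the directory.
$stale = Get-StaleAzureADDevice -StaleAfterDays 90
$stale | Sort-Object LastActivity |
    Format-Table DisplayName, OSVersion, Enabled, LastActivity, Status -AutoSize

# Staged retirement: disable rather than delete, so a device that turns out to be
# in use can simply be re-enabled. Remove the comment marker to apply it.
# $stale | Where-Object { $_.Status -eq 'Stale' -and $_.Enabled } |
#     ForEach-Object { Set-AzureADDevice -ObjectId $_.ObjectId -AccountEnabled $false }
```

Hybrid Azure AD joined devices should be cleaned up on-premises as well, since Azure AD Connect will otherwise synchronize them back.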


New Azure AD Privileged Identity Management (PIM) emails for Azure Active Directory roles

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Organizations using Azure AD Privileged Identity Management (PIM) can now receive a weekly digest email, including the following information for the last seven days:

  • Overview of the top eligible and permanent role assignments
  • Number of users activating roles
  • Number of users assigned to roles in PIM
  • Number of users assigned to roles outside of PIM
  • Number of users made permanent in PIM


New Federated Apps available in Azure AD app gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In November 2018, the Azure AD team added these 26 new apps with Federation support to the app gallery:

  1. CoreStack
  2. HubSpot
  3. GetThere
  4. Gra-Pe
  5. eHour
  6. Consent2Go
  7. Appinux
  8. DriveDollar
  9. Useall
  10. Infinite Campus
  11. Alaya
  12. HeyBuddy
  13. Wrike SAML
  14. Drift
  15. Zenegy for Business Central 365
  16. Everbridge Member Portal
  17. IDEO
  18. Ivanti Service Manager (ISM)
  19. Peakon
  20. Allbound SSO
  21. Plex Apps – Classic Test
  22. Plex Apps – Classic
  23. Plex Apps – UX Test
  24. Plex Apps – UX
  25. Plex Apps – IAM
  26. CRAFTS – Childcare Records, Attendance, & Financial Tracking System


What’s Changed

Group-based licensing is now Generally Available (GA)

Service category: Other
Product capability: Directory

Group-based licensing left public preview and is now generally available (GA). As part of this general release, the team has made this feature more scalable and has added the ability to reprocess group-based licensing assignments for a single user and the ability to use group-based licensing with Office 365 E3/A3 licenses.


Pictures of the 2018 European SharePoint, Azure and Office 365 Conference

Bella Center (Picture by ESPC Organization)

Last week, I was scheduled for a 60-minute session on Europe’s General Data Protection Regulation (GDPR) at the 2018 European SharePoint, Azure and Office 365 Conference in Copenhagen, Denmark.

Unfortunately, I wasn’t able to attend the entire conference, but instead scheduled to fly in on Wednesday morning, attend the conference, attend the party and then fly back to the Netherlands on Thursday morning.

With only 65 minutes of flight time, the flight from Amsterdam (AMS) to Copenhagen (CPH) is a short flight, so I elongated my time with KLM in their lounge. After landing at Copenhagen Airport, I took a cab to Bella Center. I prepared my session and spent some time at the Ask the Experts booth for Azure AD with Peter Schmidt.

The KLM Crown Lounge at Amsterdam Schiphol Airport (click for larger picture)
My ESPC 18 badge and party invitation (click for larger photo)
The Expo at the European SharePoint Azure and Office 365 Conference (click for larger photo)
Ask The Experts (click for larger photo)

At 2 PM, I started my break-out session on Europe’s General Data Protection Regulation (GDPR) in room 9. It was packed! The main points of this presentation were that the Compliance Manager can help assess GDPR compliancy, and that Azure AD Identity Protection, Conditional Access, Information Protection and Advanced Threat Protection can work together to create a more secure environment, towards GDPR-compliancy.

The audience at my GDPR session (no consent asked, so only a picture of the backs of heads, obviously) (click for larger photo)

After the presentation, I headed out with Peter Schmidt. We walked to the picturesque Nyhavn, Amalienborg, Maersk’s headquarters, den lille havfrue (the little mermaid) and Copenhagen’s Kastellet, before heading towards Wallmans Cirkusbygningen for the ESPC Party.

Den Lille Havfrue (click for larger photo)
Nyhavn (click for larger photo)
ESPC Party at Wallmans Cirkusbygningen (click for larger photo by the ESPC Organization)

At around 11 PM we headed back to the Bella Center hotel. At 4:30 AM, a cab picked me up at the front door to deliver me at Copenhagen’s airport (CPH), in time for my 6 AM flight.

I arrived at the office around 8:30 AM for a normal day of work.


Thank you!

Thank you for inviting me as a SharePoint, Azure and Office 365 Conference speaker, and thanks to all the people attending, sitting in on my session and, of course, the people who stuck around after the session for the interesting discussions. And Peter, thank you for showing me around in the capital of your beautiful country.


Azure AD Connect v1.2.68.0 fixes an issue with the MSOnline PowerShell Module


Late last week, Microsoft released a new version of Azure AD Connect, its free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.


What’s Fixed

There is only one fix in version 1.2.68.0.

This hotfix build fixes a conflict where an authentication error might occur due to the independent presence of the MSOnline PowerShell Gallery module on the synchronization server.

This release is only distributed to organizations using Azure AD Connect for manual download.


Version information

This is version 1.2.68.0 of Azure AD Connect.
It was signed off on November 19th, 2018 and made available for download on November 30th, 2018.


Download

You can download Azure AD Connect here.
The download weighs 83,4 MB.


Pictures of Office 365 and SharePoint Connect 2018 in Haarlem last week

After last week’s Heliview People-centric IT event in Rotterdam, I drove to Haarlem for the next event on my list: NC Communications’ Office 365 and SharePoint Connect.

Unfortunately, I was too late to pick up Mustafa Toroman and Sasa Kranjac from Amsterdam Airport, but we did arrive at the Amrâth Grand Hotel Frans Hals at around the same time.

We headed out for dinner. After asking for directions at the hotel reception and taking the scenic route, we ended up at Steakhouse Wilma & Albèrt’s, where we enjoyed a nice dinner with truly great steaks. We had great discussions on tech, our respective home countries and, of course, the events we presented at.

Drinks in the Lobby (click for larger photo)

After dinner we ended up in the hotel lobby where we shared drinks with the rest of the speakers and organization.

The St. Bavo Kerk in Haarlem, early morning light (click for larger photo)

The next morning, I put my stuff in my car at the car park and headed for the venue, the Stadsschouwburg and Philharmonie Haarlem. In the speaker room (coincidentally the actual artist room at the venue), I picked a shirt and prepared my slides and demos.

The calm before the storm ;-) (click for larger photo)
mS-DS-ConsistencyGUID to the rescue! (click for larger photo by Ralph Eckhard)
Azure AD Connect under the Hood (click for larger photo by Ralph Eckhard)

After the keynote, I presented a 60-minute session on Azure AD Connect. We discussed the way Azure AD Connect works, and how the attendees could leverage Hybrid Azure AD Join and carry out Active Directory restructuring and/or consolidation projects with the help of the mS-DS-ConsistencyGUID.

After the session, several people came up to me with questions, but as Waldek Mastykarz was about to start his session, we headed out to the lobby area to further discuss the challenges some organizations face with Azure AD Connect.

I stuck around for the SharePint drinks at the end of the day, but decided the speaker dinner was too much on my agenda. I wanted to go home again, so I started my journey home at around 7 PM.


Thank you!

Thank you, NC Communications, for inviting me as an Office 365 and SharePoint Connect speaker, and thanks to all the people attending, sitting in on my session and, of course, the people who stuck around after the session for the interesting discussions.


Creating a clean MyApps and Office Portal Experience

As we help organizations embrace Hybrid Identity, we often encounter politics or standards that dictate that we take baby steps.

I fully agree with taking the smallest steps possible, for it keeps roll-back steps small and useful, too. However, Azure Active Directory, currently, is not a cloud service you can enable without some default functionality.

When you synchronize an on-premises Active Directory Domain Services environment with Azure AD, you get quite a lot of functionality that you might not want people in the organization to see:

The default portal experience (click for original screenshot, taken from FireFox)

Most prominently, by default, the Office 365 Portal shows links to:

  • The Store App through the Add-In tile, underneath Apps and the Add-In tile in the Office 365 Waffle menu.
  • Download and install Office Professional Plus, through the Install Office button.

When we demo Hybrid Identity, we often create the cleanest possible MyApps and Office 365 Portal experience, showing that while we’ve created the identity bridge, no functionality is enabled on the other side:

An empty portal experience (click for original screenshot, taken from FireFox)

Note:
One of the other tricks we pull is to customize the branding of the MyApps portal and the Office portal through Azure Active Directory. Although the portals are empty, at least people will feel right at home!

Let me show you how to do that:


Download your apps

Get rid of the Download your apps link:

  • Sign into the Admin Portal using an account with global admin / company admin privileges in the Azure Active Directory tenant. Perform multi-factor authentication and/or the steps to attain your privileges through Azure AD Privileged Identity Management (PIM) when this is required.
  • In the right pane, expand Settings.
  • Underneath Settings, click Services & add-ins.
  • In the main pane, from the list of services and add-ins, click on Office software download settings.
  • In the settings pane that appears on the right, make these two changes:

Switch off 'Software for PC and mobile devices' and 'Software for Mac' in the Office software download settings pane (click for larger screenshot)

  • Underneath Software for PC and mobile devices, select Off for All PC and mobile devices.
  • Underneath Software for Mac, select Off for All apps for Mac.
  • Click Save.
  • Sign out, when done.


Store

Get rid of the Store link:

  • Sign into the Admin Portal using an account with global admin / company admin privileges in the Azure Active Directory tenant. Perform multi-factor authentication and/or the steps to attain your privileges through Azure AD Privileged Identity Management (PIM) when this is required.
  • In the right pane, expand Settings.
  • Underneath Settings, click Services & add-ins.
  • In the main pane, from the list of services and add-ins, click on User owned Apps and Services.

Switch off 'Let people in your organization go to the Office Store' in the User owned Apps and Services pane (click for larger screenshot)

  • In the settings pane that appears on the right, select Off for Let people in your organization go to the Office Store.
  • Click Save.
  • Sign out, when done.


Concluding

In large organizations and multinationals, every change is often a journey. Start your Hybrid Identity cloud journey with a plan. When you demo Hybrid Identity, make sure the MyApps and Office Portal experience is as clean as a whistle. Then, later on, add the functionality the organization asks for.


Azure AD Connect v1.2.67.0 fixes an issue with Password Writeback


Earlier this week, Microsoft released a new version of Azure AD Connect, its free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.


What’s Fixed

There is only one fix in version 1.2.67.0.

This hotfix build fixes a regression in the previous build where Password Writeback fails when using Azure AD Connect in an environment with Active Directory Domain Controllers running Windows Server 2008 or Windows Server 2008 R2.

This release is only distributed to organizations using Azure AD Connect for manual download.


Version information

This is version 1.2.67.0 of Azure AD Connect.
It was signed off on November 19th, 2018 and made available for download on November 20th, 2018.


Download

You can download Azure AD Connect here.
The download weighs 83,6 MB.


Pictures of Heliview’s 2018 People-centric IT event

A week ago, we were present at Heliview’s 2018 People-centric IT event at Soccer club Feyenoord’s “De Kuip” Stadium in Rotterdam, the Netherlands.

As this was somewhat of a home game for us, we decided to make our mark at this event with our new corporate banner and new corporate clothing style.

SCCT Banner

We arrived at 7:30 AM at the venue and started setting up our new corporate banner. After 20 minutes, Carlo and I were done, so we lit up “De Kuip” with our booth. As the stadium had experienced an embarrassing lighting issue just two weeks earlier during one of the soccer games, this got us a lot of attention from the attendees throughout the day.

Possible Solutions to the password problem (none truly apply)

Just before lunch, I presented a 25-minute session, titled “Our three biggest challenges solved in under 25 minutes? Because cloud.” I showed Windows Hello for Business Security Keys, Azure Active Directory Identity Protection, Windows Defender Conditional Folder Access, Windows AutoPilot and Intune. As these are all cloud services and easily configurable settings in the base Operating System, we flew through the presentation and demos.

26 minutes after the start we were done, and configured with new up-to-date settings for password management, anti-ransomware and location-independent imaging.

After the session, we enjoyed some more conversations with customers and potential customers, to better understand their needs, their worries about GDPR and the legacy stuff that’s keeping them back. Our team has a lot of answers and offers help in many of these areas, so it was fun to talk about it.


I enjoyed Heliview’s People-centric IT event.

Thanks to all the people attending, sitting in on my session and, of course, the people that took the time out of their busy schedule to talk to us. We felt we brought unique value to the event.

Hat tip

Carlo Shaeffer has made SCCT’s presence possible at Heliview’s 2018 People-centric IT event this year.


Important issues in Windows Server 2019 build 10.0.17763.1 (Release Notes)


Today, Microsoft rereleased Windows Server 2019 build 10.0.17763.1 to Volume License customers and MSDN subscribers. Downloads from its Evaluation Center and Azure IaaS-based virtual machines running Windows Server 2019 are on the horizon.

The following four downloads of Windows Server 2019 are now available:

  1. Windows Server 2019 Essentials
  2. Windows Server 2019
  3. Windows Server 2019 Language Pack
  4. Windows Server 2019 Features on Demand

This page lists the critical issues identified so far that might require avoidance or a workaround to get Windows Server 2019 installed and running.

Below is the list with the current important issues for Windows Server 2019 version 10.0.17763.1, also known as the re-released General Availability (GA) version:


Localization issues

When running setup from German server media, on the operating system selection window titled, “Select the operating system you want to install,” the description for Desktop Experience installation options will have missing and incorrect characters at the very end of the sentence.

Customers using the Desktop Experience on Windows Server 2019 are currently unable to install language packs using the Settings app’s Language page. In order to add a new Windows display language, follow the procedure in KB4466511.

Language Packs for Windows Server 2019 and Windows Server, version 1809 are not currently available on Windows Update. Language Pack (LP) installation needs to be performed from the Language Pack ISO and should only be done against an image mounted offline using the DISM command. If adding Language Packs to a running Windows Server with Desktop Experience, please refer to KB4466511.


Features on Demand

Features on Demand (FoD) for Windows Server 2019 and Windows Server, version 1809 are not currently available on Windows Update. Feature on Demand (FoD) installation should be performed from either a FoD ISO or the Windows Server installation ISO, and should only be done against an image mounted offline using the DISM command.
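The offline servicing that both the Language Pack and the Features on Demand notes above call for, as an added example (my script, not Microsoft's guidance) using the DISM PowerShell module rather than dism.exe. The image path, mount directory, image index and package file names are placeholders to replace with the files from your own installation, Language Pack and FoD ISOs.

```powershell
# Added example: add Language Pack and Feature on Demand packages to an
# offline-mounted Windows Server 2019 install.wim, then commit or roll back.
$ImagePath = 'D:\Images\install.wim'   # placeholder: copy install.wim off the ISO first; the ISO copy is read-only
$MountDir  = 'C:\Mount\WS2019'         # placeholder: empty directory on a local NTFS volume
$Packages  = @(
    'E:\x64\langpacks\<language-pack>.cab',   # placeholder: .cab from the Language Pack ISO
    'F:\<feature-on-demand>.cab'              # placeholder: .cab from the FoD ISO
)

# Desktop Experience and Server Core are separate images inside install.wim;
# list them and pick the index of the edition you deploy.
Get-WindowsImage -ImagePath $ImagePath | Select-Object ImageIndex, ImageName
$ImageIndex = 2                        # placeholder: take the value from the listing above

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $ImagePath -Index $ImageIndex -Path $MountDir

try {
    foreach ($pkg in $Packages) {
        # Servicing the mounted image sidesteps the Settings-app limitation the
        # notes describe for running Desktop Experience installations.
        Add-WindowsPackage -Path $MountDir -PackagePath $pkg -ErrorAction Stop | Out-Null
    }

    # Confirm the packages are staged in the image before committing anything.
    Get-WindowsPackage -Path $MountDir |
        Where-Object { $_.PackageName -like '*LanguagePack*' -or $_.PackageName -like '*FoD*' } |
        Select-Object PackageName, PackageState

    Dismount-WindowsImage -Path $MountDir -Save
}
catch {
    # Discard on any failure so a half-serviced image is never written back.
    Dismount-WindowsImage -Path $MountDir -Discard
    throw
}
```

Run from an elevated session; if a mount is left behind after an interrupted run, Get-WindowsImage -Mounted shows it and Dismount-WindowsImage -Discard clears it.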


Drive Mapping

Mapped drives may fail to reconnect after starting and logging on. Symptoms include:

  • In File Explorer, a red “X” appears on the mapped network drives.
  • Mapped network drives show as “Unavailable” when you run the net use command from a command prompt.
  • In the notification area, a notification displays, “Could not reconnect all network drives.”

See KB4471218 for workaround scripts to automatically reconnect a mapped network drive when you log on to the device.


Edge on systems with AMD Radeon HD2000 or HD4000 series video cards

Microsoft Edge tabs may stop working when a device is configured with AMD Radeon HD2000 or HD4000 series video cards. Customers may get the following error code: “INVALID_POINTER_READ_c0000005_atidxx64.dll”.

Some users may also experience performance issues with the lock screen or the ShellExperienceHost. (The lock screen hosts widgets, and the ShellExperienceHost is responsible for assorted shell functionality).

Note:
AMD no longer supports Radeon HD2000 and HD4000 series graphic processor units (GPUs).


App Compatibility

iCloud for Windows

Apple has identified an incompatibility with iCloud for Windows (version 7.7.0.27) that may cause users to have issues updating or syncing Shared Albums. To ensure a seamless experience, Microsoft is blocking devices with iCloud for Windows (version 7.7.0.27) installed from being offered Windows 10, version 1809, Windows Server 2019 and Windows Server, version 1809, until this issue has been resolved.

F5 VPN Client

F5 VPN clients may lose network connectivity when the VPN service is in a split tunnel configuration.

To mitigate this issue, you can manually configure your systems to force all traffic through the VPN tunnel. For details on how to do this, see the F5 customer support guidance page.

Trend Micro OfficeScan and Worry-Free

Microsoft and Trend Micro have identified a compatibility issue with Trend Micro’s OfficeScan and Worry-Free Business Security software.

To ensure a seamless update experience, Microsoft blocks installations running the affected business endpoint security products from being offered Windows 10, version 1809, Windows Server 2019 or Windows Server, version 1809, until a specific Trend Micro Critical Patch (CP) is applied.


Removed Features

The following features were present in previous versions of Windows Server, but are no longer available in Windows Server 2019:

  • Business Scanning, also known as Distributed Scan Management (DSM)
  • Internet Storage Name Service (iSNS)


Deprecated Features

Microsoft is no longer actively developing the features below and may remove them from a future update:

  • Key Storage Drive in Hyper-V
  • Trusted Platform Module (TPM) management console
  • Host Guardian Service Active Directory attestation mode
  • OneSync service
  • Remote Differential Compression API support
  • WFP lightweight filter switch extension