Some Domain Controllers may restart unexpectedly after applying the January 11, 2022 Updates

When installing updates, there is always the risk of rogue updates; updates that break functionality, unannounced, unexpected and unsettling. Microsoft is currently researching such a possible side-effect with the January 11, 2022 updates on Active Directory Domain Controllers.

About the issue

Domain Controllers may reboot unexpectedly and keep rebooting. Event ID 1000 is triggered right before these reboots citing that lsass.exe had failed with stop error 0xc0000005 (access violation), status code -1073741819 and pointing to msv1_0.dll as the culprit.

The Local Security Authority Subsystem Service (LSASS) is responsible for enforcing the security policy on the system. It verifies users signing in to a Windows or Windows Server, handles password changes, and creates access tokens. It also writes to the Windows Security Log. Forcible termination of lsass.exe will result in a restart of the Domain Controller. The restarts are the actual recovery process, not the problem.

Unconfirmed details and symptoms

At this time, there are a couple of unconfirmed details and symptoms about this issue:

  • Domain Controllers running Windows Server 2012 R2, Windows Server 2019 and Windows Server 2022 seem most affected.
  • Domain Controllers in environments with Exchange Servers seem most affected.
  • Read-only Domain Controllers seem unaffected.

About the updates

The following updates are available for Windows Server installations as part of the January 11, 2022 updates:

Workaround

Active Directory admins experiencing continually rebooting Domain Controllers share that they have stopped the reboots by disconnecting the network connection and uninstalling the January 11th, 2022 update from these systems. They rebooted the systems and after this reconnected the network connection.

When installing security updates only on Domain Controllers running Windows Server 2012 R2, uninstalling KB5009595 also seems sufficient.

To uninstall these updates, run the following command line:

Windows Server 2012 R2: wusa.exe /uninstall /kb:5009624

Windows Server 2019: wusa.exe /uninstall /kb:5009557

Windows Server 2022: wusa.exe /uninstall /kb:5009555

Concluding

I’m not a fan of not having critical updates installed, but in this case I feel it may be wise to wait 10 days before installing the January 11th, 2022 updates on Domain Controllers. My experience is that serious problems like the above problem are addressed within that timeframe.

Further reading

Microsoft pulls new Windows Server updates due to critical bugs
Windows Server: January 2022 security updates are causing DC boot loop 
January updates causing unexpected reboots on domain controllers : sysadmin

Posted on January 14, 2022 by Sander Berkouwer in Active Directory, Security Updates

10  

Going All-in with HornetSecurity 365 Total Protection

HornetSecurity Total Protection Enterprise Backup

Previously, I’ve shared my experiences with Altaro’s Office 365 Backup and Hornetsecurity’s 365 Threat Monitor. Both services add information security value on their own, but are also part of something bigger: HornetSecurity’s 365 Total Protection. 

Should you go all-in with HornetSecurity’s 365 Total Protection to face your Microsoft 365 challenges head-on?

The three flavours of 365 Total Protection

HornetSecurity offers its 365 Total Protection suite in three flavours:

  1. 365 Total Protection Business
  2. 365 Total Protection Enterprise
  3. 365 Total Protection Enterprise Backup

365 Total Protection Business offers everything an organization needs in terms of email security. It also offers individual and group email signatures.

365 Total Protection Enterprise includes all of the features of 365 Total Protection Business and adds advanced features like archiving, retention, eDiscovery and sandboxing.

365 Total Protection Enterprise is the all-in-one solution. It offers everything 365 Total Protection Enterprise offers, adds Office 365 Backup, and also adds backup for Windows-based devices.

365 Total Protection vs. Microsoft 365 E5/A5

Microsoft 365 E3 and Office 365 E3 seem to be the prevailing license subscriptions at organizations adopting Microsoft cloud services.

A lot of people responsible for information security at organizations may now ask themselves what the difference is between HornetSecurity’s 365 Total Protection and the additional benefits that Office 365 E5/A5 subscription licenses bring. I feel that for many organizations HornetSecurity’s 365 Total Protection offers answers to the common asks that drive organizations to subscribe to one or more of the following Microsoft subscriptions for their Exchange Online security challenges:

  • Microsoft 365 E5/A5
  • Microsoft 365 E5/A5 Compliance
  • Microsoft 365 E5/A5 Security
  • Office 365 E5/A5
  • Defender for Office 365

Safe attachments and safe links

The Safe Attachments and Safe Links functionality in Office 365 E5/A5 allow organizations to have Microsoft detonate attachments in sandboxes in Microsoft’s datacenters and rewrite URLs in messages so the recipient uses an intermediate process to access webservers. The same functionality is available in 365 Total Protection Enterprise through its ATP Sandboxing and URL Malware Control features.

Data loss prevention

Many organizations facing GDPR, CCPA and other regulations have embraced the idea of data loss prevention rules, helping people in the organization to handle PII data with care. You can define labels and apply data loss prevention policies based on these labels, but people have to apply the labels manually. Automatic labeling is a Microsoft 365 E5/A5 feature.

However, the main goal for many organizations that use Exchange Online to start dabbling with Data Loss Prevention is to have messages with PII data encrypted.  365 Total Protection’s Secure Cipher Policy Control and Global S/MIME & PGP Encryption features work together the provide that outcome. Just as Microsoft provides easy access to these encryption mechanisms, so does HornetSecurity. No hassle or self-hosted PKI, but an easy option to select.

Advanced Audit, Advanced eDiscovery and Threat Explorer

Part of Microsoft 365 E5’s benefits over its E3 capabilities are its Advanced Audit and Advanced eDiscovery features. Needless to say, organizations typically use these features in post-breach and legal situations.

365 Total Protection offers similar features. Its eDiscovery feature provides the same fine-grained search and export capabilities. However, its Forensic Analyses, Realtime Threat Report and Malware Ex Post Deletion focus specifically on post-breach situations, covering both external and insider threats.

Archiving

Organizations that have chosen Office 365 E1, Office 365 Business or Exchange Online Plan 1 and work with non-subscription versions of Outlook may also benefit largely from a 365 Total Protection subscription. Their licensing setups do not include the full archiving functionality. 365 Total Protection offers fully automatic Email Archiving with a 10-year Email Retention.

365 Total Protection vs. other solutions

For some of the other functionality that 365 Total Protection offers, other organization provide solutions, too.

Safe mail

Many point solutions exist offering email encryption. This feature is also present in all 365 Total Protection plans and is named Websafe. It allows communications with organizations that do not offer email encryption and offers functionality similar to the functionality offered by Trustify, SmartLockr and Zivver.

Email signatures

Email signatures have led to recurring nightmares for email admins. It’s the reason many on-premises organizations have embraced Exclaimer. 365 Total Protection offers the same functionality as part of the overall solution, but also throws in a Company Disclaimer and Intelligent Ads. It’s what your organization always wanted in emails, but did not realize until now.

Office 365 Backup and Restore

Many organizations feel that the replicas within Microsoft’s infrastructure and the resilience in that infrastructure offer sufficient data availability guarantees. As many Office 365 backup vendors would point out, the responsibility of your organization’s data is a shared responsibility. The Enterprise Backup tier of 365 Total Protection offers backups of your data.

By creating backups of the data in Microsoft 365 services, your organization can handle incidentally deleted data, purposely deleted data and its exit scenario with ease. In its top tier, 365 Total Protection offers this functionality as a service.

Continuity

However, restoring all data in case of a ransomware attack or even accessing your data when the Microsoft 365 services are unavailable is a pain. It always takes longer than you anticipate… 365 Total Protection’s Email Continuity Service provides the answer to these situations. Within seconds, your organization can get back to business as usual and have all the information they need right in their familiar Microsoft Outlook.

Windows Endpoint backup and restore

Microsoft’s vision for consuming data Microsoft 365 apps and services is focused on the device. Intune management may configure these endpoints with up to date Windows versions, up to data anti-malware measures and disk encryption, but it doesn’t help in situations where the device is otherwise encrypted, incapacitated or stolen. Productivity of your colleagues may depend on local data and settings on these devices and 365 Total Protection offers backups and restores, without the need for a VPN or other non-user-friendly setups.

Concluding

There are no organizations that rely on Microsoft-only software. Every organization uses software from at least one more vendor. When standardizing on Microsoft 365 services, several vendors offer solutions, but HornetSecurity is a vendor that has a complete vision on what it takes to truly do that. In a world where every vendor and supply partner is a potential data leak to happen (just look at the issues with SolarWinds, Kaseya and Log4J, just in the last 12 months…) having one vendor assisting your admins within an optimized solution might prove invaluable in the long run.

When an organization leverages Exchange Online as the main service of the Office 365 services available to them, it makes perfect sense to consider 365 Total Protection as an alternative to upgrading licenses to Office 365 E5/A5.

However, 365 Total Protection does not offer the rich integration with other Microsoft 365 and Office 365 services. SharePoint and Teams are no focus for the 365 Total Protection suites (except for Enterprise Backup). When Teams and SharePoint Online are in (heavy) use, E5 licenses may provide more value though its rich integration with all services.

Posted on January 13, 2022 by Sander Berkouwer in Altaro, Enterprise Security, Office 365

0  

The End of Mainstream Support is a Time to make an important Decision about Windows Server 2016

Today, January 12th 2022, the Mainstream Support on Windows Server 2016 ended. This Windows Server Operating System (OS) has been with us for the past five years and will remain with us for the next five years, just not as it used to. Therefore, today is a time to make an important decision.

The most value

Any IT system, service and implementation offers the most value when its technical lifetime exceeds the deprecation period; it’s economic lifetime.

Organizations, from a finances point of view don’t book the purchase of new systems, new licenses or IT implementations at the time of purchase. From a financial point of view each system and license (at least in Europe) and its corresponding implementation has remaining value after a year, after two years, after three years and in some cases after four years. That’s why most IT implementation have a deprecation period of four years.

‘Free’ IT

This jigsaw way of booking costs to the organization leads to an almost steady line of expenses in large organization, but can still be seen at smaller organizations. The situation at larger organizations leads to IT that seems ‘free’ when it is in use beyond its deprecation period.

“There’s nothing as cost-effective as a 17-year old Novell Netware server.”

– Sander Berkouwer

However, when IT suddenly comes knocking to replace systems like hypervisor platforms, storage and licenses, this might be considered intrusive, obnoxious and even downright cheeky. Ironically, it’s the way that management look at IT that is cheeky.

All of this leads to the use of Windows Server 2008 and Windows Server 2008 R2 installations, today. These systems were installed with a distorted perspective on the economic lifetime. Either, these systems were installed with Windows Server 2008 R2 when it was already 2018, or these systems are used beyond the ‘normal’ server deprecation period of five years.

Stop deploying Windows Server 2016 today

Windows Server 2016 is in mainstream support starting today. Not only does this mean that this particular Windows Server only gets security updates going forward, it also means that all support ends in five years. To be exact: support ends on January 12, 2027.

This seems like a mighty long time away, but it isn’t. At least, it’s not from a deprecation period point of view: Every new Windows Server 2016 installation that you perform from today onward will not be able to offer the most value to the organization.

To be clear: Every new Windows Server 2016 installation from now on leads to the same pile as that we’re currently still trying to clean up in terms of Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.

The only way to break this cycle is to stop deploying Windows Server 2016 today.

But what if…

… We can skip two Windows Server versions doing it our way

At many organizations, IT managers believe that they can skip two Windows Server versions in their migration strategies. Therefore, they only have to buy Windows licenses every nine to ten years, right?

Don’t kid yourselves. Today, these organizations aren’t migrating from Windows Server 2012 (R2) to Windows Server 2022. Nah, “it is too new”. Also, they won’t be able to migrate all their systems. Not even all their servers are running Windows Server 2012 (R2). In the past ten years, several applications have probably already raised the need for interim Windows Server versions.

… Our applications need deprecated Windows Server versions

Sure, I’ve encountered some multi-million-dollar lab equipment that still only works with Windows XP and mainframe systems that still require SMBv1. I feel your pain. But also, I’ve been constructively dealing with these situations. All these systems have been isolated into their own networking environments, some with their own dedicated Active Directory implementations. When the benefits of doing so outweigh the costs, this is a way to tackle that. Ironically, costs really add up over time to isolate these systems the right way. Starting isolation today is way easier than starting in four years time.

… management doesn’t approve of our migration plans

“If management still sees IT as a cost of doing business, your business will ultimately fail.”

– Sander Berkouwer

This is the hill I’m prepared to die on. There is no such thing as ‘free’ IT. Successful organizations spend up to 4% of their revenue. Studies show that the more an organization spends, the higher its success. If your organization faces a temporary cashflow challenge, then I feel that’s the only reason not to embark on sensible IT journeys. However, I would GTFO, as I like some guarantees for my wages to be paid.

Posted on January 12, 2022 by Sander Berkouwer in Microsoft Windows Server 2016, Recommended Practices, Setup and Deployment

3  

Wormable Critical HTTP Protocol Stack Remote Code Execution Vulnerability affects Windows Server 2019- and 2022-based AD FS Servers (CVE-2022-21907)

During its Patch Tuesday on January 11th, 2022, Microsoft addressed a Remote Code Execution (RCE) security vulnerabilities that affects Windows Server 2019- and Windows Server 2022-based Active Directory Federation Services (AD FS) servers.

About the vulnerability

CVE-2022-21907 details a remote code execution vulnerability that can be used to attack AD FS servers over the internet. An unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets and run malicious code on these hosts.

The HTTP Trailer response header allows the sender to include additional fields at the end of chunked messages in order to supply metadata that might be dynamically generated while the message body is sent, such as a message integrity check, digital signature, or post-processing status.

COMMON VULNERABILITY SCORING

This vulnerability is wormable and the attack complexity is rated low. Microsoft assigned a CVSSv3 score of 9.8/8.5.

Affected Operating Systems and configurations

AD FS servers running the following Windows Server versions are affected by this vulnerability:

  • Windows Server 2019
  • Windows Server, version 20H2
  • Windows Server 2022

HTTP Trailer support is enabled, by default, on AD FS servers running Windows Server 2022 and Windows Server version 20H2, but not on Windows Server 2019.

On Windows Server 2019-based AD FS servers, the feature needs to be manually enabled through the registry. Use the following line to check whether the HTTP Trailer support is enabled.

Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\HTTP\Parameters" | Select-Object EnableTrailerSupport

When the above registry item exists, the above line returns the value 1 and the Windows Server 2019-based AD FS server is vulnerable.

Call to action

I urge you to install the necessary security updates on Windows Server 2019, Windows Server version 20H2 and Windows Server 2022 installations, acting as Active Directory Federation Services (AD FS) servers, in a test environment as soon as possible, assess the risk and possible impact on your production environment and then, roll out this update to these Windows Server installations, acting as Active Directory Federation Services (AD FS) servers, in the production environment.

Further reading

CVE-2022-21907 – Security Update Guide – Microsoft – HTTP Protocol Stack Remote Code Execution Vulnerability

Posted on January 11, 2022 by Sander Berkouwer in Active Directory Federation Services, Microsoft Windows Server 2019, Microsoft Windows Server 2022, Security Updates

0  

Three Active Directory vulnerabilities were addressed during Microsoft’s January 2022 Patch Tuesday

During its Patch Tuesday on January 11th, 2022, Microsoft addressed three Elevation of Privilege (EoP) security vulnerabilities in Active Directory components and protocols that can be attacked over the network.

About the vulnerabilities

Three vulnerabilities were addressed:

CVE-2022-21857 AD DS Elevation of Privilege Vulnerability

CVE-2022-21857 is a vulnerability that could allow an attacker to elevate privileges. This vulnerability is specific to Active Directory Domain Services environments with incoming trusts.

The CVSSv3 score of this vulnerability is 8.8/7.7.

An update is available for all supported Operating Systems. Prior to installing this update, an attacker could elevate privileges across the trust boundary under certain conditions.

CVE-2022-21913 LSA Domain Policy Remote Protocol Security Feature Bypass

CVE-2022-21913 is a vulnerability that could allow an attacker to bypass security features in the Local Security Authority’s domain policy.

Most likely, this vulnerability is along the same lines as Andrew Bartlett’s earlier discovery that Samba may map domain users to local users in an undesired way. Especially, as Proof of Concept (PoC) exploitation code is available.

The CVSSv3 score of this vulnerability is 5.3/4.8.

An update is available for all supported Operating Systems.

CVE-2022-21920 Kerberos Elevation of Privilege Vulnerability

CVE-2022-21920 is a vulnerability that could allow an attacker to elevate privileges. This vulnerability allows a domain user to elevate privileges to a domain admin. The attack complexity for this vulnerability is rated low.

The CVSSv3 score of this vulnerability is 8.8/7.5.

An update is available for all supported Operating Systems.

Call to action

I urge you to install the necessary security updates on Windows Server installations, running as Active Directory Domain Controllers, in a test environment as soon as possible, assess the risk and possible impact on your production environment and then, roll out this update to Windows Server installations, running as Active Directory Domain Controllers, in the production environment.

Further reading

CVE-2022-21920 – Windows Kerberos Elevation of Privilege Vulnerability 
CVE-2022-21857 – Active Directory Domain Services Elevation of Privilege Vulnerability 
CVE-2022-21913 – Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass

Posted on January 11, 2022 by Sander Berkouwer in Active Directory, Security Updates

0  

A Critical Remote Code Execution vulnerability in Veeam Backup for Azure was automatically addressed

Last week, Veeam identified a critical vulnerability in a component of its Backup for Microsoft Azure solution, that allows attackers to bypass authentication mechanisms and execute arbitrary code.

 

About Veeam Backup for Microsoft Azure

Veeam Backup for Microsoft Azure is a solution offered by Veeam to backup and restore Azure IaaS-based virtual machines and Azure SQL databases. The solution offers instance, volume and file-level recovery options.

The solution is available as a virtual machine instance from the Azure marketplace that stores snapshots in Azure blob storage tiers and offers a web-based management portal.

 

About the vulnerability

The Veeam Updater component of Veeam Backup for Microsoft Azure contains a critical vulnerability that allows attackers to bypass authentication mechanisms and execute arbitrary code.

Veeam has released a new version of the Veeam Updater component in Veeam Backup for Microsoft Azure. The vulnerability is addressed in version 5.0.0.633, and up. This version resolves the discovered vulnerability in Veeam Backup for Microsoft Azure.

The vulnerability was found during internal testing at Veeam. Veeam has assigned a CVSS v3 score of 10.0 to this vulnerability.

Affected products

The vulnerability was present in the Veeam Updater component in the following products:

  • Veeam Backup for Microsoft Azure 2.0
  • Veeam Backup for Microsoft Azure 3.0

 

Call to Action

Since January 6th, 2022, The Veeam Updater component will have automatically installed this fix during its daily check for updates and automatically resolved the vulnerability for implementations that are able to communicate to https://repository.veeam.com.

If the Veeam Backup for Microsoft Azure virtual machine instance does not have internet access, a manual update process is available. Please contact Veeam Support for assistance.

Further reading

KB4261: Veeam Backup for Microsoft Azure – Updater Component Vulnerability
Veeam Backup for Microsoft Azure – Updater Component Vulnerability
Native Azure Backup Software – Veeam Backup for Microsoft Azure

Posted on January 10, 2022 by Sander Berkouwer in Azure, Security Updates, Veeam, Veeam Vanguard

0  

What's New in Microsoft Defender for Identity in December 2021

Microsoft Defender for Identity

Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.

It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.

Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).

What's New

In December 2021, three new versions of Microsoft Defender for Identity were released:

  1. Version 2.165, released on December 6th, 2021
  2. Version 2.166, released on December 27th, 2021
  3. Version 2.167, released on December 29th, 2021

New security alert

A new security alerts was added: Suspicious modification of a sAMNameAccount attribute.

In this detection, initially released with Microsoft Defender for Identity release 2.166, a security alert is triggered whenever an attacker is trying to exploit CVE-2021-42278 and CVE-2021-42287, commonly referred to as the SAM Name impersonation and KDC Bamboozing vulnerabilities.

Microsoft introduced this detection in response to the publishing of these CVEs and encourages Active Directory admins to also deploy the following updates on Domain Controllers:

improvements and bug fixes

All three December 2021 Defender for Identity versions releases include improvements and bug fixes for the internal sensor infrastructure.

Posted on January 7, 2022 by Sander Berkouwer in Microsoft Defender for Identity, What's New

0  

On-premises Identity-related updates and fixes for December 2021

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates.

For December 2021, Microsoft announced that the preview updates would be skipped, because of minimal operations during the holidays and the upcoming Western new year. These is the short list of Identity-related updates and fixes we saw for December 2021:

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5008207 December 14, 2021

The December 14, 2021 update for Windows Server 2016 (KB5008207), updating the OS build number to 14393.4825 is a monthly cumulative update.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5008218 December 14, 2021

The December 14, 2021 update for Windows Server 2019 (KB5008218), updating the OS build number to 17763.2366 is a monthly cumulative update.

This security update addresses four Active Directory Elevation of Privilege vulnerabilities and includes the following Identity-related quality improvements:

It includes the following Identity-related quality improvements:

    1. It enables credentials for Azure Active Directory (Azure AD) users that use Active Directory Federation Services (AD FS) as their authentication method in Quick Assist.
    2. It addresses an issue that prevents the applications that you use often from appearing on the Start menu and prevents you from configuring them to appear on the Start menu using a Group Policy.

Windows Server 2022

We observed the following updates for Windows Server 2022:

KB5008223 December 14, 2021

The December 14, 2021 update for Windows Server 2022 (KB5008223), updating the OS build number to 20348.405 is a monthly cumulative update.

It includes one Identity-related quality improvement: It addresses an issue that fails to apply machine Group Policy objects automatically at startup or in the background to devices on a domain that have certain processors.

Posted on January 6, 2022 by Sander Berkouwer in Microsoft Windows Server 2016, Microsoft Windows Server 2019, Microsoft Windows Server 2022, What's New

0  

Azure AD Connect v2.0.89.0 addresses an issue with disappearing linked mailboxes

Azure AD Connect

Hot on the heels of Azure AD Connect v2.0.88.0, Microsoft released an update to Azure AD Connect v2.x. to address a pressing issue with linked mailboxes.

Note:
None of the Azure AD Connect v2.x releases are released for automatic upgrade. Manual upgrades are required to gain the new functionality and security levels once you're on the Azure AD Connect v2 path.

What’s Fixed

Microsoft addressed a bug in version 2.0.88.0 where, under certain conditions, linked mailboxes of disabled users were getting deleted.

About linked mailboxes

A linked mailbox is a mailbox that's associated with an external account.

The resource forest scenario is the prime example of a situation in which you would want to associate a mailbox with an external account. In a resource forest scenario, user objects in the Exchange forest have mailboxes, but the user objects are disabled for logon. You must associate these mailbox objects in the Exchange forest with enabled user objects in the external accounts forest(s).

While the resource forest scenario is one of the most obvious reasons for linked mailboxes, linked mailboxes can also be remnants of botched and/or incomplete Active Directory migrations using the Active Directory Migration Tool (ADMT) or any 3rd party migration solution(s).

A linked mailbox can also come to life when you orphan and then reattach an Exchange mailbox to another user, for instance a recreated user in case of an accidental deletion.

Version information

This is version 2.0.89.0 of Azure AD Connect.
This release in the 2.x branch for Azure AD Connect was made available for download as a 153 MB weighing AzureADConnect.msi on December 22, 2021.

You can download the latest version of Azure AD Connect here.

Posted on December 23, 2021 by Sander Berkouwer in Azure AD Connect, What's New

1  

Azure AD Connect v2.0.88.0 addresses a security issue in Microsoft.Data.OData and offers new functionality

Azure AD Connect

Roughly three months after the release of the last Azure AD Connect version, Microsoft released a security update to Azure AD Connect v2.x. to address a Denial of Service (DoS) vulnerability.

Microsoft recommends updating Azure AD Connect to v2.0.88.0 as soon as possible,

Note:
None of the Azure AD Connect v2.x releases are released for automatic upgrade. Manual upgrades are required to gain the new functionality and security levels once you're on the Azure AD Connect v2 path.

Note:
The upgrade to Azure AD Connect v2.0.88.0 triggers a full synchronization cycle, because synchronization rules have been modified.

 

What's New

Here's what's new in Azure AD Connect version v2.0.88.0:

Group writeback DN is now configurable

Microsoft added a configuration option to configure Group WriteBack with the display name of the synchronized group instead of the UUID.

Group WriteBack no longer requires the Exchange Schema

Microsoft removed the hard requirement for exchange schema when enabling Group WriteBack. This allows groups from Azure AD to be written back to Active Directory even when the Exchange Server schema extensions have not been added.

Azure AD Kerberos

For the recently announced Azure AD Kerberos functionality, the Azure AD Connect team extended the Windows PowerShell cmdlet to support custom top level names for trusted object creation and made a change to set the official brand name for the Azure AD Kerberos feature.

 

What's Fixed

Here's what's fixed in Azure AD Connect version v2.0.88.0:

  • Microsoft upgraded the version of the Microsoft.Data.OData package from v5.8.1 to v5.8.4 to address a Denial of Service (DoS) vulnerability
    in the OData protocol (CVE-2018-8269). This vulnerability is due to improperly handling web requests.
  • Microsoft made the Azure AD Connect wizard resizable to account for different zoom levels and screen resolutions and named elements to improve accessibility.
  • Microsoft addressed an issue where miisserver.exe was crashing due to a null reference.
  • Microsoft addressed an issue to ensure the seamless single sign-on (Desktop SSO)  value persists after upgrading Azure AD Connect to a newer version.
  • Microsoft modified the inetorgperson sync rules to fix an issue with account forests and resource forests.
  • Microsoft fixed radio button test to display a link more link.

 

Version information

This is version 2.0.88.0 of Azure AD Connect.
This release in the 2.x branch for Azure AD Connect was made available for download as a 153 MB weighing AzureADConnect.msi on December 15, 2021.

You can download the latest version of Azure AD Connect here.

Posted on December 16, 2021 by Sander Berkouwer in Azure AD Connect, Security Updates, What's New

0