Yesterday, Microsoft released update 3163622 as part of its June 2016 Patch Tuesday to address an important vulnerability that affects Group Policy on Windows 10.
About the vulnerability
The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.
About the update
The security update addresses the vulnerability by enforcing Kerberos authentication for certain calls over LDAP.
Affected Operating Systems
The following supported Microsoft Windows and Windows Server Operating System versions are affected by this vulnerability:
- Windows 10
- Windows 10 Version 1511
- Windows Server 2012 R2 Datacenter
- Windows Server 2012 R2 Standard
- Windows Server 2012 R2 Essentials
- Windows Server 2012 R2 Foundation
- Windows 8.1 Enterprise
- Windows 8.1 Pro
- Windows 8.1
- Windows RT 8.1
- Windows Server 2012 Datacenter
- Windows Server 2012 Standard
- Windows Server 2012 Essentials
- Windows Server 2012 Foundation
- Windows Server 2008 R2 Service Pack 1
- Windows 7 Service Pack 1
- Windows Server 2008 Service Pack 2
- Windows Vista Service Pack 2
KB3159398 addresses this vulnerability on Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1 and Windows Server 2012 R2.
This security update is rated Important for all supported releases of Microsoft Windows.
A system restart is required after you apply this security update.
On Windows 10, updates KB3163017 and KB3163018 replace KB3156387 Cumulative Update for Windows 10: May 2016.
Domain-joined systems with servers running Windows Server 2012 and above and clients running Windows 8 and above are protected from this vulnerability by the Kerberos armoring feature.
Microsoft has not identified any workarounds for these vulnerabilities.
KB3159398 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from this security vulnerability. Before KB3159398 is installed, user group policies are retrieved by using the user’s security context. After KB3159398 is installed, user group policies are retrieved by using the machine’s security context. This breaks Group Policy Objects (GPOs) that don't have the Read permission assigned to Authenticated Users on the Delegation tab. Group Policy MVP Darren Mar-Elia wrote a Windows PowerShell script to add Read permissions for Authenticated Users to the Group Policy Objects (GPOs) in your environment.
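To see what such a check looks like in practice, here is an added PowerShell example of my own; it is neither Darren's script nor Ian's, and it is not part of the update. It enumerates every GPO in the current domain with the GroupPolicy RSAT module, reports the ones where Authenticated Users has no effective Read permission (GpoRead, or a level that includes it), and, only when run with -Fix, grants GpoRead to those GPOs. The trustee name is a parameter because Microsoft's guidance also accepts Domain Computers; Authenticated Users is assumed as the default.

```powershell
# Added example, not the page's or Darren Mar-Elia's script.
# Audits GPOs for the Read permission that KB3159398 / KB3163017 / KB3163018 require when
# user policy is retrieved in the machine's security context, and optionally repairs them.
# Assumes: a domain-joined host with the GroupPolicy RSAT module, and an account that may
# read (and, with -Fix, edit) GPO delegation.
#Requires -Modules GroupPolicy
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Without -Fix the script only reports; -Fix honours -WhatIf / -Confirm.
    [switch]$Fix,
    # Trustee that must be able to read the GPO. "Domain Computers" is the other
    # option Microsoft documents for this update. (assumption: default choice)
    [string]$Trustee = 'Authenticated Users'
)

Import-Module GroupPolicy -ErrorAction Stop

# Permission levels that imply Read on the GPO; GpoApply and the edit levels include it.
$readOrBetter = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

$report = foreach ($gpo in Get-GPO -All) {
    # -All returns one entry per trustee. Filtering is safer than -TargetName, which
    # raises an error when the trustee has no entry on the GPO at all.
    $perms = Get-GPPermission -Guid $gpo.Id -All -ErrorAction Stop
    $entries = $perms | Where-Object { $_.Trustee.Name -eq $Trustee -and -not $_.Denied }
    $hasRead = [bool]($entries | Where-Object { $readOrBetter -contains $_.Permission.ToString() })

    [pscustomobject]@{
        DisplayName = $gpo.DisplayName
        Id          = $gpo.Id
        Trustee     = $Trustee
        HasRead     = $hasRead
    }
}

$broken = @($report | Where-Object { -not $_.HasRead })

Write-Host ("Checked {0} GPO(s); {1} lack Read for '{2}'." -f @($report).Count, $broken.Count, $Trustee)
$broken | Format-Table DisplayName, Id -AutoSize

if ($Fix) {
    foreach ($b in $broken) {
        # Adds a GpoRead ACE; does not touch existing entries, so Apply/Edit rights are kept.
        if ($PSCmdlet.ShouldProcess($b.DisplayName, "Grant '$Trustee' GpoRead")) {
            Set-GPPermission -Guid $b.Id -TargetName $Trustee -TargetType Group `
                             -PermissionLevel GpoRead | Out-Null
        }
    }
}

# Returned so the result can be piped to Export-Csv for a change record.
$report
```

Run it once without -Fix to get the list for your change ticket, then with -Fix -WhatIf to preview, and finally with -Fix. Note that granting Read alone does not make the GPO apply to new principals: Apply is a separate permission level, so security-filtered GPOs keep their filtering after the repair.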
Call to action
When your organization still utilizes Windows Vista-based and/or Windows 7-based devices, and/or still uses Windows Server 2008 and/or Windows Server 2008 R2-based Domain Controllers, check if your environment is impacted by running the assessment script Ian Farr wrote and shared on the TechNet blogs. If need be, run Darren's script to reset permissions. Then, I urge you to install KB3159398 on domain-joined systems running the aforementioned Operating Systems, and KB3163017 and/or KB3163018 on domain-joined systems running Windows 10.
However, when all Domain Controllers in the domains used by affected clients are running Windows Server 2012, or up, and the domains run the Windows Server 2012 Domain Functional Level (DFL), or up, you can require client devices running Windows 8, or up, to use Kerberos Armoring (Flexible Authentication Secure Tunneling (FAST), RFC 6113). This is the best security measure to take in this case.
Kerberos Armoring saved your day.