On-premises Identity updates & fixes for January 2020

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for January 2020:


Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4534271 January 14, 2020

The January 14 update for Windows Server 2016 (KB4534271), updating the OS build number to 14393.3443, is an update that combines security and quality improvements.

This update addresses a vulnerability in CryptoAPI (Crypt32.dll), the default Windows cryptographic library. This is a vulnerability that was discovered and reported to Microsoft by the NSA. Due to the severity of this vulnerability, we have already urged identity admins to install this update as soon as possible.

The second thing of interest in this update is the support for the new SameSite cookie policies that are the defaults for Google Chrome 80 and internet browsers based on the Chromium engine. Firefox is developing the same feature. The new policy, which treats cookies as SameSite:Lax by default if no SameSite attribute is specified, affects many web-based services, including Active Directory Federation Services (AD FS) servers and Web Application Proxies.

Chrome 80 was released on February 4, 2020.

KB4534307 January 23, 2020

The January 23 update for Windows Server 2016 (KB4534307), updating the OS build number to 14393.3474, is a quality update. It includes the following identity-related improvements:

  • It addresses an issue that causes queries against large keys on Ntds.dit to fail with the error MAPI_E_NOT_ENOUGH_RESOURCES.
  • It addresses an issue in which netdom.exe fails to correctly identify Active Directory trust relationships when an unconstrained delegation is explicitly enabled by adding bitmask 0x800 to the trust object. The bitmask setting is required because of security changes to the default behavior of unconstrained delegations in Windows updates released on or after July 8, 2019.

See KB4490425 for more information on the latter issue.


Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4534273 January 14, 2020

The January 14 update for Windows Server 2019 (KB4534273), updating the OS build number to 17763.973, is an update that combines security and quality improvements.

Windows Server 2019 Patch Tuesday January 2020 Overview

Among other vulnerabilities and issues (see above), this update addresses a vulnerability in CryptoAPI (Crypt32.dll), the default Windows cryptographic library. This is a vulnerability that was discovered and reported to Microsoft by the NSA. Due to the severity of this vulnerability, we have already urged identity admins to install this update as soon as possible.

The second thing of interest in this update is the support for the new SameSite cookie policies that are the defaults for Google Chrome 80 and internet browsers based on the Chromium engine. Firefox is developing the same feature. The new policy, which treats cookies as SameSite:Lax by default if no SameSite attribute is specified, affects many web-based services, including Active Directory Federation Services (AD FS) servers and Web Application Proxies.

Chrome 80 was released on February 4, 2020.
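To make the SameSite change described above (for both the Windows Server 2016 and the Windows Server 2019 update) concrete, here is an added audit helper that classifies Set-Cookie headers the way Chrome 80 does and lists the cookies a cross-site POST back to AD FS or Web Application Proxy would no longer carry. This is example code, not code from the original post or from AD FS; the sample headers and cookie names are constructed.

```python
"""Audit Set-Cookie headers against the Chrome 80 SameSite defaults.

Added example, not code from the original post or from AD FS/WAP. Chrome 80
treats a cookie without a SameSite attribute as Lax and honours SameSite=None
only together with Secure; Lax and Strict cookies are not sent on cross-site
POSTs, the path SAML POST and WS-Federation responses take to AD FS and WAP."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class CookieAudit:
    name: str
    effective_samesite: str        # "Strict", "Lax", "None" or "Rejected"
    sent_on_cross_site_post: bool  # would Chrome 80 attach it to a cross-site POST?

def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split 'Set-Cookie: name=value; Attr; Attr=value' into name and attributes."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return parts[0].split("=", 1)[0], attrs

def audit_cookie(header: str) -> CookieAudit:
    """Classify one Set-Cookie header under the Chrome 80 defaults."""
    name, attrs = parse_set_cookie(header)
    value = attrs.get("samesite", "").lower()
    if value == "none":
        effective = "None" if "secure" in attrs else "Rejected"
    elif value == "strict":
        effective = "Strict"
    else:
        effective = "Lax"  # explicit Lax, no attribute, or unrecognised value
    return CookieAudit(name, effective, effective == "None")

def cookies_breaking_federation(headers: list[str]) -> list[str]:
    """Names of cookies a cross-site POST back to AD FS/WAP would not carry."""
    return [a.name for a in map(audit_cookie, headers) if not a.sent_on_cross_site_post]

# Constructed sample headers; the cookie names are made up, not real AD FS/WAP names.
SAMPLE_HEADERS = [
    "Set-Cookie: FedSession=abc123; Path=/adfs; Secure; HttpOnly",          # no SameSite: Lax by default
    "Set-Cookie: FedSessionFixed=abc123; Path=/adfs; Secure; HttpOnly; SameSite=None",
    "Set-Cookie: WapAccess=xyz; Path=/; HttpOnly; SameSite=None",           # None without Secure: rejected
    "Set-Cookie: SamlRequest=req; Path=/adfs; Secure; SameSite=Strict",
]
```

Chrome 80 also shipped a temporary "Lax + POST" exception that still attaches a cookie set less than two minutes earlier to a top-level cross-site POST, so this audit deliberately takes the strict reading that applies once that grace period is over.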

KB4534321 January 23, 2020

The January 23 update for Windows Server 2019 (KB4534321), updating the OS build number to 17763.1012, is a quality update. It includes the following identity-related improvements:

  • It addresses an issue with the multifactor unlock policy of Windows Hello for Business that fails to show the default option to sign in.
  • It addresses an issue that causes the Local Security Authority Subsystem Service (LSASS) process to stop working when you sign in using an updated user principal name (UPN). The error code is 0xc0000005 (STATUS_ACCESS_VIOLATION).
  • It addresses an issue with ntdsutil.exe that prevents you from moving Active Directory database files. The error is: error 5 (Access is denied).
  • It addresses an issue that corrupts a log file when a storage volume is full and data is still being written to the Extensible Storage Engine Technology (ESENT) database.
  • It addresses an issue in which netdom.exe fails to correctly identify Active Directory trust relationships when an unconstrained delegation is explicitly enabled by adding bitmask 0x800 to the trust object. The bitmask setting is required because of security changes to the default behavior of unconstrained delegations in Windows updates released on or after July 8, 2019.

See KB4490425 for more information on the last issue.
