On-premises Identity updates & fixes for February 2020

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for February 2020:

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4537764 February 11, 2020

The February 11 update for Windows Server 2016 (KB4537764), which raises the OS build number to 14393.3504, is a security update.

It addresses an Active Directory Elevation of Privilege vulnerability (CVE-2020-0665), reported by Dirk-Jan Mollema. The vulnerability exists in the way Active Directory handles information for domains in a transitively trusted forest. To exploit it, an attacker would first need to compromise a transitively trusted Active Directory forest. An attacker who successfully exploited the vulnerability could obtain administrative rights on a computer in a domain that trusts the Active Directory forest under the attacker's control. This update addresses the vulnerability by correcting how Active Directory handles information for domains in transitively trusted forests.

This update also contains a fix for a Windows Hyper-V Denial of Service vulnerability (CVE-2020-0661). From within a virtual machine, an attacker with a privileged account on that guest operating system could run a specially crafted application that causes the Hyper-V host to crash. As many Domain Controllers run as virtual machines, this could possibly take down the entire networking environment.


KB4537806 February 25, 2020

The February 25 update for Windows Server 2016 (KB4537806), which raises the OS build number to 14393.3542, is a quality update. It includes the following identity-related improvements:

  • It addresses an issue that generates an "unknown username or bad password" error when attempting to sign in. This occurs in an environment that has a Windows Server 2003-based Domain Controller and a Windows Server 2016 or later Domain Controller.
  • It addresses an issue that causes Transport Layer Security (TLS) sessions to fail with the error, "The request was aborted: Could not create SSL/TLS secure Channel."
  • It addresses an issue that prevents the Network Policy Server (NPS) accounting feature from functioning. This occurs when NPS is configured to use SQL for accounting with the new OLE (compound document) database driver (MSOLEDBSQL.dll) after switching to TLS 1.2.
  • It addresses an issue that causes Security Assertion Markup Language (SAML) errors and loss of access to third-party apps for users who do not have multi-factor authentication (MFA) enabled.
  • It addresses an issue that intermittently generates Online Certificate Status Protocol (OCSP) Responder audit events (Event ID 5125) to indicate that a request was submitted to the OCSP Responder Service. However, there is no reference to the serial number or the domain name (DN) of the issuer of the request.
  • It addresses an issue with certificate validation that causes Internet Explorer mode in Microsoft Edge to fail.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4532619 February 11, 2020

The February 11 update for Windows Server 2019 (KB4532619), which raises the OS build number to 17763.1039, is a security update.

It addresses an Active Directory Elevation of Privilege vulnerability (CVE-2020-0665), reported by Dirk-Jan Mollema. The vulnerability exists in the way Active Directory handles information for domains in a transitively trusted forest. To exploit it, an attacker would first need to compromise a transitively trusted Active Directory forest. An attacker who successfully exploited the vulnerability could obtain administrative rights on a computer in a domain that trusts the Active Directory forest under the attacker's control. This update addresses the vulnerability by correcting how Active Directory handles information for domains in transitively trusted forests.

This update also contains a fix for a Windows Hyper-V Denial of Service vulnerability (CVE-2020-0661). From within a virtual machine, an attacker with a privileged account on that guest operating system could run a specially crafted application that causes the Hyper-V host to crash. As many Domain Controllers run as virtual machines, this could possibly take down the entire networking environment.

KB4537818 February 25, 2020

The February 25 update for Windows Server 2019 (KB4537818), which raises the OS build number to 17763.1075, is a quality update. It includes the following identity-related improvements:

  • It improves the accuracy of Windows Hello face authentication.
  • It addresses an issue that generates an "unknown username or bad password" error when attempting to sign in. This occurs in an environment that has a Windows Server 2003-based Domain Controller and a Windows Server 2016 or later Domain Controller.
  • It addresses an issue with sign-in scripts that fail to run when a user signs in or signs out.
  • It addresses an issue that might cause Direct Access servers to use a large amount of non-paged pool memory (pooltag: NDnd).
  • It addresses an issue that prevents you from removing some local users from local built-in groups. For example, you cannot remove "Guest" from the "Guests" local group.
  • It addresses an issue that causes the Local Security Authority Subsystem Service (LSASS) to stop working and triggers a restart of the system. This issue occurs when invalid restart data is sent with a non-critical paged search control.
  • It addresses an issue that causes queries against large keys on Ntds.dit to fail with the error, "MAPI_E_NOT_ENOUGH_RESOURCES." This issue might cause users to see limited meeting room availability because the Exchange Messaging Application Programming Interface (MAPI) cannot allocate additional memory for the meeting requests.
  • It addresses an issue that intermittently generates Online Certificate Status Protocol (OCSP) Responder audit events (Event ID 5125) to indicate that a request was submitted to the OCSP Responder Service. However, there is no reference to the serial number or the domain name (DN) of the issuer of the request.
  • It addresses an issue with certificate validation that causes Internet Explorer mode in Microsoft Edge to fail.
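The builds quoted above for both Windows Server 2016 and Windows Server 2019 give a simple way to audit a domain for the CVE-2020-0665 fix and the follow-up quality updates. The script below is an added example and is not part of the original post; it assumes the ActiveDirectory RSAT module is installed on the machine running it and that PowerShell remoting to the Domain Controllers is permitted for the running account. The `$Expected` table and the status labels are constructed for this example; the build numbers in it are the ones listed in the post.

```powershell
# Added example (not from the original post): report which Domain Controllers
# in the current domain are at or above the February 2020 builds listed above.
# Assumes the ActiveDirectory module and WinRM access to every DC.
Import-Module ActiveDirectory

# Per major build, the UBR (the part after the dot) of the February 11 security
# update (CVE-2020-0665 fix) and of the February 25 quality update, from the post:
#   Windows Server 2016: 14393.3504 (KB4537764) and 14393.3542 (KB4537806)
#   Windows Server 2019: 17763.1039 (KB4532619) and 17763.1075 (KB4537818)
$Expected = @{
    '14393' = @{ SecurityUbr = 3504; QualityUbr = 3542 }
    '17763' = @{ SecurityUbr = 1039; QualityUbr = 1075 }
}

# Enumerate every DC in the domain rather than relying on a hand-kept list.
$dcs = (Get-ADDomainController -Filter *).HostName

# Read the build and UBR from each DC's registry; unreachable DCs are reported
# as errors but do not stop the run.
$results = Invoke-Command -ComputerName $dcs -ErrorAction Continue -ScriptBlock {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Build    = $cv.CurrentBuildNumber
        Ubr      = [int]$cv.UBR
    }
}

# Cumulative updates are cumulative, so a UBR at or above the quality update
# also carries the February 11 security fix.
$report = foreach ($r in $results) {
    $exp = $Expected[$r.Build]
    if (-not $exp) {
        Write-Warning "$($r.Computer): build $($r.Build) is not Windows Server 2016/2019; not evaluated"
        continue
    }
    $status = if ($r.Ubr -ge $exp.QualityUbr) {
        'Current (February 25 quality update or later)'
    } elseif ($r.Ubr -ge $exp.SecurityUbr) {
        'Has CVE-2020-0665 fix; missing February 25 quality update'
    } else {
        'MISSING CVE-2020-0665 fix'
    }
    [pscustomobject]@{
        Computer = $r.Computer
        OSBuild  = "$($r.Build).$($r.Ubr)"
        Status   = $status
    }
}

$report | Sort-Object Status, Computer | Format-Table -AutoSize
```

Because the fix for CVE-2020-0665 lives on the Domain Controllers of the trusting domain, every DC needs to show the February 11 build or later; a single unpatched DC in the domain is enough to leave the trust path exposed. DCs that the script cannot reach over WinRM appear only as `Invoke-Command` errors, so treat any DC missing from the report as unverified rather than as patched.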
