On-premises Identity-related updates and fixes for September 2020


Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates.

Note:
Although much attention was given this month to Secura's ZeroLogon attack (CVE-2020-1472) and the advice to update Windows Servers acting as Domain Controller immediately, the underlying vulnerability was actually fixed as part of the August 2020 cumulative updates. That August fix is only the initial deployment phase; the enforcement phase, in which Domain Controllers reject vulnerable Netlogon secure channel connections by default, was scheduled by Microsoft for February 2021, so installing the September updates alone does not complete the ZeroLogon remediation.

These are the Identity-related updates and fixes we saw for September 2020:


Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4577015 September 8, 2020

The September 8, 2020 update for Windows Server 2016 (KB4577015), which raises the OS build number to 14393.3930, is a security update that also includes quality improvements.

This update addresses five important vulnerabilities in Domain Controllers running as DNS Servers and contains an important fix for a spoofing vulnerability in AD FS.

It includes an Identity-related quality improvement that provides the ability to set a Group Policy that displays only the domain and username when you sign in. This facilitates passwordless authentication using the Microsoft Authenticator App.

Additionally, this update addresses an Elevation of Privilege vulnerability in Group Policy (CVE-2020-1013). An attacker who successfully exploited it could escalate permissions or perform additional privileged actions on the target machine. Exploitation requires a man-in-the-middle (MiTM) position on the traffic between a Domain Controller and the target machine; from there, the attacker could feed the target a group policy that grants administrator rights to a standard user. The security update addresses the vulnerability by enforcing Kerberos authentication for certain Group Policy calls over LDAP, so that an unauthenticated party on the path can no longer answer those calls.

Known issue with this update

A known issue with this update is an error when opening the Security Options data view in the Group Policy Management Editor (gpedit.msc) or the Local Security Policy Editor (secpol.msc). It might fail with one of these two error messages:

MMC has detected an error in a snap-in. It is recommended that you shut down and restart MMC

MMC cannot initialize the snap-in

To mitigate this issue, install the Remote Server Administration Tools (RSAT) on a device running Windows 10, version 1709 or later. This allows you to run the Group Policy Management Console from that device and edit the GPOs that apply to the affected server without opening the editor on the server itself.
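On Windows 10 version 1809 and later, RSAT ships as a Feature on Demand and the Group Policy tools can be installed from an elevated PowerShell prompt (on 1709 and 1803 RSAT was still a separate download). The following is an added example, not text from the original post or from Microsoft's known-issue note; the capability name is the one Windows uses for the Group Policy Management tools, and the check-then-install flow is this example's own.

```powershell
# Added example: install the RSAT Group Policy tools as a Feature on Demand
# (Windows 10 1809 or later) so gpmc.msc can be run from the workstation
# instead of on the affected Windows Server 2016 host. Run elevated.
$capability = 'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0'

$state = Get-WindowsCapability -Online -Name $capability
if ($state.State -ne 'Installed') {
    # Pulls the package from Windows Update; on WSUS-managed clients the
    # optional-component source must allow this or the call fails.
    Add-WindowsCapability -Online -Name $capability
}

# Re-read the state so a failed install is visible rather than silently ignored.
(Get-WindowsCapability -Online -Name $capability).State

# Edit the GPOs that apply to the affected server from here; the Security
# Options node opens normally in the remote console.
Start-Process gpmc.msc
```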


Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4570333 September 8, 2020

The September 8, 2020 update for Windows Server 2019 (KB4570333), which raises the OS build number to 17763.1457, is a security update.

This update addresses five important vulnerabilities in Domain Controllers running as DNS Servers and contains an important fix for a spoofing vulnerability in AD FS.

On the Group Policy front, this update addresses the same Elevation of Privilege vulnerability in Group Policy (CVE-2020-1013) as the Windows Server 2016 update. An attacker who successfully exploited it could escalate permissions or perform additional privileged actions on the target machine. Exploitation requires a man-in-the-middle (MiTM) position on the traffic between a Domain Controller and the target machine; from there, the attacker could feed the target a group policy that grants administrator rights to a standard user. The security update addresses the vulnerability by enforcing Kerberos authentication for certain Group Policy calls over LDAP.
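Because both September 8 security updates are cumulative, the quickest way to confirm that a Domain Controller has them is to compare its build revision (the part after the dot) with the build numbers quoted above for KB4577015 and KB4570333. The script below is an added example, not code from the original post; the minimum-build table and the report format are this example's own, and it assumes the ActiveDirectory module and PowerShell remoting to each DC.

```powershell
# Added example (not from the original post): confirm every Domain Controller is at
# or above the OS build delivered by the September 8, 2020 security updates.
# The build numbers come from the text above; the table and the report are
# this example's own.
Import-Module ActiveDirectory

$minimumUbr = @{
    14393 = 3930   # Windows Server 2016, KB4577015
    17763 = 1457   # Windows Server 2019, KB4570333
}

$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    # CurrentBuildNumber is the major build; UBR is the revision after the dot.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Build    = [int]$cv.CurrentBuildNumber
        Ubr      = [int]$cv.UBR
        # Cross-check: cumulative updates appear in the hotfix list by KB number.
        Hotfixes = (Get-HotFix | Where-Object HotFixID -in 'KB4577015', 'KB4570333').HotFixID -join ','
    }
}

foreach ($r in $results) {
    $required = $minimumUbr[$r.Build]
    $status = if ($null -eq $required) { 'not checked (not Server 2016/2019)' }
              elseif ($r.Ubr -ge $required) { 'OK' }
              else { "MISSING (needs $($r.Build).$required or later)" }
    '{0,-20} {1}.{2,-6} {3,-12} {4}' -f $r.Computer, $r.Build, $r.Ubr, $r.Hotfixes, $status
}
```

The UBR comparison is the authoritative one: a later cumulative update supersedes these KBs and removes them from the hotfix list, while the revision only ever goes up.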

KB4577069 September 16, 2020

The September 16, 2020 update for Windows Server 2019 (KB4577069), which raises the OS build number to 17763.1490, is an optional update that includes the following quality improvements:

  • This update addresses an issue with using Group Policy Preferences to configure the homepage in Internet Explorer.
  • This update provides the ability to set a Group Policy that displays only the domain and username when you sign in. This facilitates passwordless authentication using the Microsoft Authenticator App.
  • This update addresses an issue that causes an access violation in lsass.exe when a process is started using the runas.exe command in some circumstances.
  • This update addresses an issue that prevents the content under HKLM\Software\Cryptography from being carried over during Windows feature updates.
  • This update addresses an issue that might create duplicate Foreign Security Principal directory objects for Authenticated and Interactive users in the domain partition. As a result, the original directory objects have “CNF” added to their names and are mangled. This issue occurs when you promote a new Active Directory Domain Controller using the CriticalReplicationOnly flag.
  • This update adds new /compress functionality to the robocopy.exe command.
  • This update adds Secure Sockets Layer (SSL) certificate authentication over HTTP/2.
  • This update adds an Azure Active Directory (AAD) device token, that is sent to Windows Update (WU) as part of each update scan. Windows Update can use this token to query for membership in groups that contain Azure AD-joined devices.
  • This update addresses an issue that prevents event 5136 from being logged for group membership changes in certain scenarios. This occurs when the change is made with the Permissive Modify control, which the Active Directory (AD) PowerShell module uses; such changes were therefore invisible to any detection that relies on event 5136.
  • This update addresses an issue with the Restrict delegation of credentials to remote servers Group Policy setting when it is set to Restrict Credential Delegation mode on an RDP client. With the fix, the Remote Desktop connection tries Require Remote Credential Guard mode first and falls back to Require Restricted Admin only if the server does not support Remote Credential Guard.
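The event 5136 fix matters to anyone alerting on group membership changes: before it, a member added with Add-ADGroupMember left no 5136 on the Domain Controller. The script below is an added example, not code from the original post; it makes a test change through the AD module, then pulls the resulting 5136 events for the member attribute and flattens them into a reviewable form. It assumes the Directory Service Changes audit subcategory is enabled, that the group carries a SACL auditing Write Property, and that the DC name, group and user are placeholders to replace.

```powershell
# Added example (not from the original post): verify that group membership changes
# made through the AD PowerShell module now produce event 5136, and parse those
# events. 'dc01.corp.example', 'Test-Audit-Group' and 'testuser' are placeholders.
Import-Module ActiveDirectory
$dc = 'dc01.corp.example'

# 1. Confirm the subcategory audits successes on the DC (prints the current setting).
Invoke-Command -ComputerName $dc -ScriptBlock {
    auditpol /get /subcategory:"Directory Service Changes"
}

# 2. Make a test change through the AD module, which uses the Permissive Modify
#    control this fix is about, then undo it.
Add-ADGroupMember    -Identity 'Test-Audit-Group' -Members 'testuser' -Server $dc
Remove-ADGroupMember -Identity 'Test-Audit-Group' -Members 'testuser' -Server $dc -Confirm:$false

# 3. Pull 5136 events for the 'member' attribute from the last 10 minutes
#    (timediff is in milliseconds).
$xpath = "*[System[EventID=5136 and TimeCreated[timediff(@SystemTime) <= 600000]]] " +
         "and *[EventData[Data[@Name='AttributeLDAPDisplayName']='member']]"
$events = Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Flatten the EventData name/value pairs into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Actor     = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        Group     = $data.ObjectDN
        Member    = $data.AttributeValue
        # OperationType is a message-table reference: %%14674 = Value Added, %%14675 = Value Deleted.
        Operation = switch ($data.OperationType) { '%%14674' { 'Added' } '%%14675' { 'Deleted' } default { $_ } }
    }
}
```

Two events are expected for the test change (one Added, one Deleted); an empty result on a patched DC points at auditing configuration rather than at the fix.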

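The duplicate Foreign Security Principal issue leaves conflict objects behind, and those are easy to find because Active Directory renames the loser of a replication collision to "<original name>\nCNF:<objectGUID>". The following is an added example, not code from the original post, that lists all conflict objects in the domain partition and then checks the two well-known FSPs the text mentions (Authenticated Users, S-1-5-11, and Interactive, S-1-5-4) for duplicates; it assumes the ActiveDirectory module and only reports, it does not delete.

```powershell
# Added example (not from the original post): find conflict ("CNF") objects in the
# domain partition and check the Foreign Security Principals for Authenticated Users
# (S-1-5-11) and Interactive (S-1-5-4) that the fix above says can be duplicated.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# "\0A" is the LDAP-filter escape for the line feed AD inserts between the original
# name and "CNF:<objectGUID>" when two replicas created the same object.
Get-ADObject -LDAPFilter '(cn=*\0ACNF:*)' -SearchBase $domain.DistinguishedName -Properties whenCreated |
    Select-Object DistinguishedName, ObjectClass, whenCreated

# The well-known FSPs should exist exactly once each under CN=ForeignSecurityPrincipals.
# A mangled duplicate still starts with the SID, so the prefix match catches both.
$fspContainer = "CN=ForeignSecurityPrincipals,$($domain.DistinguishedName)"
foreach ($sid in 'S-1-5-11', 'S-1-5-4') {
    $objs = @(Get-ADObject -LDAPFilter "(&(objectClass=foreignSecurityPrincipal)(cn=$sid*))" -SearchBase $fspContainer)
    '{0,-8} {1} object(s): {2}' -f $sid, $objs.Count, ($objs.DistinguishedName -join ' | ')
}
```

Inspect any duplicate before removing it: group memberships may reference the mangled object rather than the clean one, and deleting the wrong copy silently drops those members.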