Today, for its December 2020 Patch Tuesday, Microsoft released an important security update for Active Directory Domain Services (AD DS).
About the vulnerability
A Kerberos Security Feature Bypass vulnerability exists in Microsoft’s implementation of the Kerberos network authentication protocol. This vulnerability is described in detail in CVE-2020-16996.
If you use Protected Users and Resource-Based Constrained Delegation (RBCD), a security vulnerability may exist on Active Directory Domain Controllers.
About Protected Users
Protected Users is a global security group to which you can add new or existing users. Devices running Windows 8.1, Windows Server 2012 R2 and up have special behavior with members of this group to provide better protection against credential theft. For a member of the group, a Windows 8.1 device or a Windows Server 2012 R2 host does not cache credentials that are not supported for Protected Users. Members of this group have no additional protection if they are logged on to a device that runs a version of Windows earlier than Windows 8.1.
About Resource-based constrained delegation across domains
Kerberos constrained delegation can be used to provide constrained delegation when the front-end service and the resource services are not in the same domain. Service administrators are able to configure the new delegation by specifying the domain accounts of the front-end services which can impersonate users on the account objects of the resource services.
Addressing the vulnerability
To protect your environment and prevent outages, you must perform the following steps:
- Update all Active Directory Domain Controllers by installing the December 8, 2020 Windows update or a later Windows update. Be aware that installing the Windows update does not fully mitigate the security vulnerability. You must perform Step 2.
- Enable Enforcement mode on all Active Directory Domain Controllers, wait at least a full day to allow all outstanding Service for User to Self (S4U2self) Kerberos service tickets to expire. Then, enable full protection by deploying Enforcement mode. To do this, enable the Enforcement mode registry key:
- Open the Registry Editor (RegEdit.exe)
- Navigate to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc - Locate the NonForwardableDelegation value.
- Set the registry key to 0.
The NonForwardableDelegation value can have the following data:
- 1 – Disabled (default): Forwarding is allowed on Kerberos service tickets that are marked as forwardable.
- 0 – Enabled in Enforcement mode (recommended): Forwarding is not allowed on Kerberos service tickets that are marked as forwardable.
Note:
The February 9, 2021 Windows update transitions into the enforcement phase. Enforcement phase enforces the changes to address CVE-2020-16996. Active Directory Domain Controllers will be in Enforcement mode unless the enforcement mode registry key is set to 1 (Disabled). If the Enforcement mode registry key is set, the setting will be honored. Going to Enforcement mode requires that all Active Directory Domain Controllers have the December 8, 2020 Windows update or a later update installed.
Affected Operating Systems
This security update is rated with a CVSS version 3 score of 6.5/5.7 for the following releases of Windows Server:
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server, version 1903
- Windows Server, version 1909
- Windows Server, version 2004
- Windows Server, version 20H2
Mitigations
Microsoft has not identified any mitigating factors for this vulnerability.
Known issues
Not being able to forwarding Kerberos service tickets that are marked as forwardable, may cause issues in the two following scenarios:
- A single service simultaneously uses original Kerberos Constrained Delegation (KCD) without protocol transition to one target while it is using Resource-based constrained delegation (RBCD) with protocol transition to another. After applying the update and enforcing non-forwarding of Kerberos service tickets that are marked as forwardable, the denial of protocol transition will apply to both styles of delegation.
- Resource-based constrained delegation (RBCD) is used in an Active Directory domain that uses Domain Controllers that are not updated with the December 8, 2020 Windows Update (or later) or running older versions of Windows Server (older than Window Server 2012) that do not have an available update for CVE-2020-16996. The Key Distribution Centers (KDCs) that are not updated will not flag S4USelf Kerberos service tickets as okay for delegation and protocol transition will be denied.
Call to action
I urge you to install the necessary security updates on Windows Server installations, acting as Domain Controllers and Read-only Domain Controllers, in a test environment as soon as possible, assess the risk and possible impact on your production environment and then, roll out this update to Windows Server installations, acting as Domain Controllers and Read-only Domain Controllers, in the production environment.
At least one day after roll-out of the Windows Update on all Domain Controllers in the environment, you need to change the data for the NonForwardableDelegation Registry value from 1 to 0.
Further reading
Managing deployment of RBCD/Protected User changes for CVE-2020-16996
CVE 2020 16996 Kerberos Security Feature Bypass Vulnerability
Hello Sander,
First of all, thanks for your great blog.
Our environment has two AD forests. Users in Forest A and Exchange servers in Forest B. We also have email user objects in child domain of Forest B.
We have deployed update to all our DCs in Forest B, but we have not enabled the registry key yet. I do have some concerns how enabling Enforcement mode in DCs affects our users ability to access their mails in Forest A.
Unfortunately we don't have proper test environment available to thoroughly test this in advance. I have read the articles few times, but I still don't have clear understanding what the ramifications are.