Today, for its December 2020 Patch Tuesday, Microsoft released an important security update for Active Directory Domain Services (AD DS).
About the vulnerability
About Protected Users
Protected Users is a global security group to which you can add new or existing users. Devices running Windows 8.1, Windows Server 2012 R2 and up have special behavior with members of this group to provide better protection against credential theft. For a member of the group, a Windows 8.1 device or a Windows Server 2012 R2 host does not cache credentials that are not supported for Protected Users. Members of this group have no additional protection if they are logged on to a device that runs a version of Windows earlier than Windows 8.1.
About Resource-based constrained delegation across domains
Resource-based constrained delegation extends Kerberos constrained delegation to the case where the front-end service and the resource services are not in the same domain. Service administrators configure this form of delegation by specifying, on the account objects of the resource services, the domain accounts of the front-end services that may impersonate users.
Addressing the vulnerability
To protect your environment and prevent outages, you must perform the following steps:
- Update all Active Directory Domain Controllers by installing the December 8, 2020 Windows update or a later Windows update. Be aware that installing the Windows update alone does not fully mitigate the security vulnerability; you must also perform Step 2.
- After all Domain Controllers are updated, wait at least a full day to allow all outstanding Service for User to Self (S4U2self) Kerberos service tickets to expire. Then enable full protection by deploying Enforcement mode on all Active Directory Domain Controllers. To do this, set the Enforcement mode registry value:
  - Open the Registry Editor (RegEdit.exe).
  - Navigate to
  - Locate the NonForwardableDelegation value.
  - Set the value to 0.
The NonForwardableDelegation value can have the following data:
- 1 – Disabled (default): Forwarding is allowed on Kerberos service tickets that are marked as forwardable.
- 0 – Enabled in Enforcement mode (recommended): Forwarding is not allowed on Kerberos service tickets that are marked as forwardable.
The February 9, 2021 Windows update transitions into the enforcement phase. Enforcement phase enforces the changes to address CVE-2020-16996. Active Directory Domain Controllers will be in Enforcement mode unless the enforcement mode registry key is set to 1 (Disabled). If the Enforcement mode registry key is set, the setting will be honored. Going to Enforcement mode requires that all Active Directory Domain Controllers have the December 8, 2020 Windows update or a later update installed.
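As an added example (not from the original post), the following PowerShell audits every Domain Controller in the domain for the NonForwardableDelegation value described above and interprets the data the way the post does. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the DCs and administrative rights on them; the KDC registry key path is not reproduced on this page, so $KdcKeyPath is a placeholder to be filled in from Microsoft's KB article for CVE-2020-16996.

```powershell
# Added example, not from the original post. Assumptions: RSAT ActiveDirectory
# module installed, PowerShell remoting enabled on the DCs, admin rights on them.
# $KdcKeyPath is a placeholder: this page does not reproduce the key path.
Import-Module ActiveDirectory

$KdcKeyPath = 'HKLM:\<KDC registry key path from the KB article for CVE-2020-16996>'
$ValueName  = 'NonForwardableDelegation'
if ($KdcKeyPath -like '*<*') { throw 'Fill in $KdcKeyPath before running this audit.' }

function Get-NonForwardableDelegationState {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $ValueName
    )
    Get-ADDomainController -Filter * | ForEach-Object {
        $dc = $_.HostName
        $queried = $true; $err = $null
        try {
            # Read the value remotely; $null means the value does not exist yet.
            $raw = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                param($k, $v)
                $p = Get-ItemProperty -Path $k -Name $v -ErrorAction SilentlyContinue
                if ($null -ne $p) { [int]$p.$v } else { $null }
            } -ArgumentList $KeyPath, $ValueName
        } catch {
            $queried = $false; $raw = $null; $err = $_.Exception.Message
        }
        # 1 = Disabled, 0 = Enforcement mode. An absent value means the default
        # applies: Disabled before the February 9, 2021 update, Enforcement after it.
        $state = if (-not $queried)      { "Query failed: $err" }
                 elseif ($null -eq $raw) { 'Not set: patch-level default applies' }
                 elseif ($raw -eq 0)     { 'Enforcement mode (recommended)' }
                 elseif ($raw -eq 1)     { 'Disabled' }
                 else                    { "Unexpected data $raw" }
        [pscustomobject]@{
            DomainController = $dc
            ReadOnly         = $_.IsReadOnly
            Data             = $raw
            State            = $state
        }
    }
}

$report = Get-NonForwardableDelegationState -KeyPath $KdcKeyPath -ValueName $ValueName
$report | Format-Table -AutoSize
# Anything other than an explicit 0 deserves a second look before treating the rollout as complete.
$report | Where-Object { $_.Data -ne 0 } |
    ForEach-Object { Write-Warning "$($_.DomainController): $($_.State)" }
```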
Affected Operating Systems
This security update is rated with a CVSS version 3 score of 6.5/5.7 for the following releases of Windows Server:
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server, version 1903
- Windows Server, version 1909
- Windows Server, version 2004
- Windows Server, version 20H2
Microsoft has not identified any mitigating factors for this vulnerability.
Not being able to forward Kerberos service tickets that are marked as forwardable may cause issues in the following two scenarios:
- A single service simultaneously uses original Kerberos Constrained Delegation (KCD) without protocol transition to one target while it is using Resource-based constrained delegation (RBCD) with protocol transition to another. After applying the update and enforcing non-forwarding of Kerberos service tickets that are marked as forwardable, the denial of protocol transition will apply to both styles of delegation.
- Resource-based constrained delegation (RBCD) is used in an Active Directory domain with Domain Controllers that are not updated with the December 8, 2020 Windows update (or later), or that run versions of Windows Server older than Windows Server 2012 for which no update for CVE-2020-16996 is available. The Key Distribution Centers (KDCs) that are not updated will not flag S4U2self Kerberos service tickets as okay for delegation, and protocol transition will be denied.
Call to action
I urge you to install the necessary security updates on Windows Server installations acting as Domain Controllers and Read-only Domain Controllers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to the Domain Controllers and Read-only Domain Controllers in the production environment.
At least one day after roll-out of the Windows Update on all Domain Controllers in the environment, you need to change the data for the NonForwardableDelegation Registry value from 1 to 0.