On-premises Identity-related updates and fixes for January 2021

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates.

These are the Identity-related updates and fixes we saw for January 2021:


Windows Server 2016

We observed the following update for Windows Server 2016:

KB4598243 January 12, 2021

The January 12, 2021 update for Windows Server 2016 (KB4598243), updating the OS build number to 14393.4169, is a security update that includes quality improvements. For the security-related part of this update, please refer to KB4598230 below.

This update includes the following improvements:

  • This update adds the ability to set a Group Policy to show only the domain and username when a user signs in.
  • It addresses an issue that delays authentication traffic because of Netlogon scalability issues.
  • It addresses an issue in which a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory Domain Controllers. This occurs on devices that have installed Windows Updates that contain CVE-2020-17049 protections and have configured the PerformTicketSignature registry setting to 1 or higher. Ticket acquisition also fails with the following error if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag:

KRB_GENERIC_ERROR


Windows Server 2019

We observed the following update for Windows Server 2019:

KB4598230 January 12, 2021

The January 12, 2021 update for Windows Server 2019 (KB4598230), updating the OS build number to 17763.1697, is a security update.

For organizations leveraging Microsoft Defender as their anti-malware solution, the most critical vulnerability addressed during this Patch Tuesday is the zero-day Microsoft Defender remote code execution (RCE) vulnerability, known as CVE-2021-1647. Microsoft Defender engine version 1.1.17700.4 addresses the vulnerability.

The NTLM security feature bypass vulnerability, known as CVE-2021-1678, exists in the way the Printer Remote Procedure Call (RPC) binding handles authentication for the remote Winspool interface. The January 2021 cumulative update addresses this important vulnerability in combination with the RpcAuthnLevelPrivacyEnabled registry key on print servers, which enforces the increased RPC authentication level.

CVE-2021-1679 describes an important Denial of Service (DoS) vulnerability in the Windows CryptoAPI that can be performed over the network.

CVE-2021-1676 describes an important information disclosure vulnerability in the NTLM datagram receiver driver.

CVE-2021-1637 describes an important information disclosure vulnerability in the Windows DNS Query. An attacker who successfully exploited this vulnerability could view uninitialized memory. The attack can only be leveraged locally.

KB4598296 January 21, 2021

The January 21, 2021 update for Windows Server 2019 (KB4598296), updating the OS build number to 17763.1728, is a non-security update that includes the following identity-related improvements:

  • It addresses an issue that occurs when the Mandatory Profile check box is selected when you copy a user profile.
  • It addresses an issue that displays a blank lock screen after a device wakes up from Hibernate.
  • It addresses an issue that causes an unexpected system restart because of exception code 0xc0000005 (Access Violation) in lsass.exe. The faulting module is webio.dll.
  • It addresses an issue that causes the lsass.exe process to leak memory on a server that is under a heavy authentication load when Kerberos Armoring (Flexible Authentication Secure Tunneling (FAST)) is enabled.
  • It addresses an issue that causes lsass.exe to stop working because of a race condition that results in a double free error in Schannel. The exception code is c0000374, and the Event Log displays Schannel event 36888, fatal error code 20, and error state 960. This issue occurs after installing Windows updates from September 2020 and later.
  • It addresses a memory leak on Windows Server installations that are configured as Active Directory Domain Controllers. This issue occurs when the Key Distribution Center (KDC) attempts to fetch the Service for User (S4U) client name during certificate authentication.
  • It addresses an issue in which a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory Domain Controllers. This occurs on devices that have installed Windows Updates that contain CVE-2020-17049 protections and have configured the PerformTicketSignature registry setting to 1 or higher. Ticket acquisition also fails with the following error if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag:

KRB_GENERIC_ERROR

  • It addresses an issue with web applications that use cross-origin resource sharing (CORS) pre-flighting against Active Directory Federation Services (AD FS) token endpoints. These web applications might suddenly stop working when they call AD FS from external networks.
  • It addresses an issue with Administrative Template settings you configure using a Group Policy Object (GPO). When you change the value of the policy settings to Not configured, the system fails to remove the previous settings. This issue is most noticeable with roaming user profiles.
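Two of the fixes above only take effect in combination with a registry value: RpcAuthnLevelPrivacyEnabled on print servers (CVE-2021-1678) and PerformTicketSignature on Domain Controllers (CVE-2020-17049). The following PowerShell audit is an added example, not code from the original post or from Microsoft; the registry paths and value names are the ones Microsoft documents for these CVEs, while the Expected values, the state wording and the exit-code convention are this script's own assumptions.

```powershell
# Added example; not from the original post or from Microsoft.
# Reads the two registry values the January 2021 updates depend on and
# reports whether the protection each value gates is active on this host.
# Paths/value names: as documented by Microsoft for CVE-2021-1678 and
# CVE-2020-17049. Expected values and wording: this script's assumptions.

$checks = @(
    [pscustomobject]@{
        Name     = 'RpcAuthnLevelPrivacyEnabled'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
        Role     = 'Print server (CVE-2021-1678)'
        Meaning  = @{ 0 = 'not enforced'; 1 = 'RPC privacy level enforced' }
        Expected = 1
    },
    [pscustomobject]@{
        Name     = 'PerformTicketSignature'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
        Role     = 'Domain Controller (CVE-2020-17049)'
        Meaning  = @{ 0 = 'disabled'; 1 = 'deployment mode'; 2 = 'enforcement mode' }
        Expected = 2
    }
)

$report = foreach ($c in $checks) {
    # A missing key or a missing value both surface as $null, not as an error.
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.($c.Name) } else { $null }

    $state = if ($null -eq $value) { 'not set' }
             elseif ($c.Meaning.ContainsKey($value)) { $c.Meaning[$value] }
             else { "unknown value $value" }

    [pscustomobject]@{
        Role     = $c.Role
        Value    = $c.Name
        Current  = if ($null -eq $value) { '-' } else { $value }
        State    = $state
        # Hardened only when the value exists and meets the assumed target.
        Hardened = ($null -ne $value -and $value -ge $c.Expected)
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or config-management run flag drift.
if ($report | Where-Object { -not $_.Hardened }) { exit 1 } else { exit 0 }
```

Run it elevated on the print server or Domain Controller in question; a value shown as "not set" means the update alone does not enforce the protection on that host.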
