MC408406 – Reminder: Active Directory Domain Services Elevation of Privilege Vulnerability hardening changes as of April 11, 2023


check before: 2023-04-11

Product:

Microsoft 365 Apps

Platform:

World tenant, Online

Status:

Change type:

Admin impact

Links:

Details:

Message summary:


In 2021, Microsoft addressed a security vulnerability bypass: the Active Directory Domain Services Elevation of Privilege Vulnerability. This bypass allows certain users to set arbitrary values on security-sensitive attributes of specific objects stored in Active Directory (AD). To exploit this vulnerability, a user must have sufficient privileges to create a computer account, such as a user granted CreateChild permissions for computer objects. That user could create a computer account using a Lightweight Directory Access Protocol (LDAP) Add call that allows overly permissive access to the securityDescriptor attribute. Additionally, creators and owners can modify security-sensitive attributes after creating an account.

When will this happen:


These Windows updates will be released in two phases:
Initial deployment: Introduction of the update, including Audit-By-Default, Enforcement or Disable modes configurable using the dSHeuristics attribute.
Final deployment: Enforcement-By-Default.

Release Phase:

Created:
2022-08-04

updated:
2022-08-27



changes*

Date | Property
2022-09-15 | MC prepare
2022-08-27 | MC prepare

old / new (the same text appears in both columns of both entries):

To protect your environment and avoid outages, please complete the following steps:
1. Update all devices that host the Active Directory domain controller role by installing the latest Windows updates. This implements the changes in Audit mode by default.
2. Monitor the Directory Service event log for 3044-3056 events on domain controllers that have the November 9, 2021, or later Windows updates released before programmatic Enforcement mode. Logged events indicate that a user might have excessive privileges to create computer accounts with arbitrary security-sensitive attributes. Report any unexpected scenarios to Microsoft using a Premier or Unified Support case or the Feedback Hub. See the "Newly added events" section in the KB5008383: Active Directory permissions updates (CVE-2021-42291).
3. If Audit mode does not detect any unexpected privileges for a sufficient length of time, switch to Enforcement mode to ensure that no negative results occur. Report any unexpected scenarios to Microsoft using a Premier or Unified Support case or the Feedback Hub.

Important: Enforcement mode will be turned on by default in an upcoming update no sooner than April 11, 2023.

Additional information:
Active Directory Domain Services Elevation of Privilege Vulnerability
Active Directory permissions updates.
KB5008383: Active Directory permissions updates (CVE-2021-42291)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42291
https://support.microsoft.com/en-us/topic/536d5555-ffba-4248-a60e-d6cbc849cde1
https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1

*starting April 2022
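
The monitoring step in the notice above, as an added example (not part of the Microsoft notice or of this page): it collects events 3044-3056 from the Directory Service log on every domain controller and reads the current dSHeuristics value. The `$LookbackDays` window and the character positions 28 and 29 are assumptions to confirm against KB5008383.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and permission to
# read event logs remotely. $LookbackDays is an assumed review window.
Import-Module ActiveDirectory
$LookbackDays = 30
$since = (Get-Date).AddDays(-$LookbackDays)

# Collect events 3044-3056 from the Directory Service log on every DC.
$events = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Directory Service'
            Id        = 3044..3056
            StartTime = $since
        }
    } catch {
        # A DC with no matching events raises NoMatchingEventsFound; that is
        # the clean result, so only other failures are reported.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
    }
}

# Per-DC, per-event-ID counts show where to look first.
$events | Group-Object MachineName, Id | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Most recent events with full message text for review.
$events | Sort-Object TimeCreated -Descending | Select-Object -First 20 |
    Format-List TimeCreated, MachineName, Id, Message

# Read dSHeuristics, the attribute that selects Audit, Enforcement or Disable.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$value = (Get-ADObject -Identity $dn -Properties dSHeuristics).dSHeuristics
if ([string]::IsNullOrEmpty($value)) {
    'dSHeuristics is not set; the update defaults apply.'
} else {
    "dSHeuristics = $value (length $($value.Length))"
    # Assumption: KB5008383 assigns characters 28 and 29 to these changes;
    # confirm positions and values against the KB before changing anything.
    if ($value.Length -ge 29) {
        "character 28 = $($value[27]); character 29 = $($value[28])"
    }
}
```

An empty event result across all domain controllers over a representative period is the condition the notice describes for moving from Audit mode to Enforcement mode.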

Last updated 2 months ago
