Many people might argue that November 2022 was a bad month for Active Directory. Yet, Microsoft’s intentions with the November 8, 2022, Windows Server cumulative updates were good.
Updates to Azure AD Connect, Azure AD and Defender for Identity might make identity admins take their breaths toward the inescapable Christmas time as they saw updates and improvements this last month. Let’s dive in!
Authentication Outages & Domain Controller Instability
For its November 2022 Patch Tuesday, Microsoft released security updates to address critical vulnerabilities in Active Directory that would otherwise leave organizations vulnerable to adversaries abusing these vulnerabilities. However, diligently updating the Windows Server installations of Domain Controller might have cost security-minded identity admins dearly this last month. When RC4 (“Arc Four”) was disabled for user objects, computer objects, trust objects and/or group Managed Service Accounts (gMSAs), authentication outages occurred after installing the November 8, 2022, cumulative updates. These updates introduced a mismatch that prevented sign-ins with these objects. Several workarounds floated around until Microsoft addressed the issue with an out-of-band update on November 17, 2022.
The out-of-band update could only be installed after admins manually downloaded them from the Microsoft Update Catalog.
Adding to injury, on top of these Kerberos protocol hardening measures that were introduced to address CVE-2022-37966, Microsoft introduced hardening measures to address another vulnerability; CVE-2022-37967. These updates introduced Domain Controller instability due to LSASS memory leaks… The solution Microsoft offers, to this date, is to roll back the security measures, leaving Active Directory vulnerable. That’s a hard choice: Having vulnerable Domain Controllers or having randomly rebooting Domain Controllers… Luckily, Active Directory admins running Windows Server 2022 on their Domain Controllers are not affected with this particular issue.
It wasn’t all bad, though. An issue that affects the Microsoft Azure Active Directory (AAD) Application Proxy connector was also addressed during the November 2022 updates.
Windows 10 & Windows 11
Organizations running Windows 10 and Windows 11 also got some additional presents with the updates for these Operating System. As part of the updates, an issue is addressed that prevented the credentials interface from showing properly in IE Mode. Also, Windows 10 and Windows 11 are now compliant with US Government (USG) version 6 revision 1 (USGv6-r1).
Azure Active Directory
If you’re an admin for a U.S.-based government organization, you have probably already heard the news about all the new regulations that you now have to adhere to. While many of the stipulations in the FIPS 140, FAR 2015-041 and EO 14028 seem like open doors, some of the services we use on a daily basis fall short of these regulations. As Azure AD currently does not offer IPv6 connectivity, it falls short. As many organizations tend to use these regulations as the basis for their own guidelines, it's a good sign that Microsoft is planning on providing IPv6 connectivity to Azure AD. It means that when an organization chooses to do so, the Azure AD services can now be used in IPv6-only environments. Over the coming months, Microsoft will provide more and more services that support IPv6, besides Named Locations…
Additionally, the Authenticator app on iOS, if running v6.6.8, or beyond is now FIPS 140 compliant.
Defender for Identity
Just like in Active Directory, November 2022 was mostly a month in which many issues in Defender for Identity were addressed. An additional health alert around the required auditing policies was introduced in version 2.194 on November 10, 2022.
This version also addresses issues with honeytoken accounts and includes improvements and bug fixes for the internal sensor infrastructure.
Active Directory is at the core of every networking environment. Many environments were impacted by Microsoft’s November 2022 cumulative updates when organizations installed these on their Domain Controllers.
For some, this past month pushed them from the Active Directory tiered administration model to the tired administration model…
Do you need Active Directory Monitoring & Reporting?
Active Directory is the foundation of your network, and the structure that controls access to the most critical resources in your organization. The ENow Active Directory Monitoring and Reporting tool uncovers cracks in your Active Directory that can cause a security breach or poor end-user experience and enables you to quickly identify and remove users that have inappropriate access to privileged groups (Schema Admins, Domain Administrators). While ENow is not an auditing software, our reports reduce the amount of work required to cover HIPAA, SOX, and other compliance audits.
Access your FREE 14-day trial to accelerate your security awareness and simplify your compliance audits. Includes entire library of reports.