Hopefully you have already seen the email IT Services sent out about the
group policy vulnerability and patch/mitigation with this month's patches.
This is a big one, and anyone running AD needs to take the time to deploy
the new mitigation group policy.
A link to the bulletin is here:
https://technet.microsoft.com/en-us/library/security/ms15-011.aspx
Computers enrolled in AD automatically parse the SYSVOL and NETLOGON shares
on their domain controllers for policies and scripts which are then executed
with administrative/root rights. Its possible to hijack that session and
have arbitrary code executed on your systems from a malicious user on your
network. There are a number of ways to be hit by this:
1) Workstations and laptops connecting over a wifi network could be easily
hijacked by a user on the same network. Requests to a domain controller
could be intercepted, allowing complete rooting of the system.
2) Wired networks are vulnerable from a malicious actor conducting an arp
poisoning attack against the network switches, intercepting connections to
the domain controllers and proving those systems with malicious group
policies/scripts.
3) If you do not practice proper network segmentation and leave your servers
and/or domain controllers in the same broadcast domain as workstations and
network ports are in unsecured locations, all your servers could also be
compromised the same as your workstations.
This patch backports functionality in Server 2012R2/Win8.1 to Vista/2008 and
above allowing specific servers or SMB share names to use additional server
validation and message signing to prevent this type of hijack attack. SMB
validation, signing, and encryption are all supported on XP/2003, but have
to be enable globally to all SMB connections which may cause compatibility
issues. This patch and its hardening features allows you to enable the
additional features on a per-server or share basis to prevent compatibility
issues.
Details on configuring the SMB Hardening feature are here:
https://support.microsoft.com/kb/3000483
If you are running a 2008 or newer domain controllers and most of your
systems are Vista/2008 or above, I would advise proceeding with pushing MS's
recommended configuration of the following:
\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1
\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1
For folks still on 2003 domain controllers, I recommend not setting the
RequireIntegrity option. Your domain controllers will not be able to handle
dynamically negotiating the integrity signing and all your client systems
will likely need a second reboot after the settings apply.
As with anything like this, please test things out before you apply it to
the whole domain. These are client-side security settings, so you can test
things out on a few systems in a test OU before you do the full deployment.
Good luck!
|
