Hopefully you have already seen the email IT Services sent out about the
group policy vulnerability and patch/mitigation with this month's patches.
This is a big one, and anyone running AD needs to take the time to deploy
the new mitigation group policy.

A link to the bulletin is here:
https://technet.microsoft.com/en-us/library/security/ms15-011.aspx

Computers joined to AD automatically read the SYSVOL and NETLOGON shares
on their domain controllers for policies and scripts, which are then executed
with administrative/root rights. It's possible for a malicious user on your
network to hijack that session and have arbitrary code executed on your
systems. There are a number of ways to be hit by this:

1) Workstations and laptops connecting over a wifi network could be easily
hijacked by a user on the same network. Requests to a domain controller
could be intercepted, allowing complete rooting of the system.

2) Wired networks are vulnerable to a malicious actor conducting an ARP
poisoning attack against the network switches, intercepting connections to
the domain controllers and providing those systems with malicious group
policies/scripts.

3) If you do not practice proper network segmentation, leave your servers
and/or domain controllers in the same broadcast domain as workstations, and
have network ports in unsecured locations, all your servers could be
compromised the same as your workstations.


This patch backports functionality from Server 2012R2/Win8.1 to Vista/2008 and
above, allowing specific servers or SMB share names to require additional
server validation and message signing to prevent this type of hijack attack.
SMB validation, signing, and encryption are all supported on XP/2003, but have
to be enabled globally for all SMB connections, which may cause compatibility
issues. This patch and its hardening features allow you to enable the
additional protections on a per-server or per-share basis to avoid those
compatibility issues.

Details on configuring the SMB Hardening feature are here:
https://support.microsoft.com/kb/3000483

If you are running 2008 or newer domain controllers and most of your
systems are Vista/2008 or above, I would advise proceeding with pushing MS's
recommended configuration of the following:

\\*\NETLOGON	RequireMutualAuthentication=1, RequireIntegrity=1
\\*\SYSVOL	RequireMutualAuthentication=1, RequireIntegrity=1


For folks still on 2003 domain controllers, I recommend not setting the
RequireIntegrity option. Your domain controllers will not be able to handle
dynamically negotiating the integrity signing and all your client systems
will likely need a second reboot after the settings apply.
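As an added example (not part of the original message), here is a PowerShell
script to audit the UNC Hardened Access values on a test system, and with
-Apply to set them there, under the HardenedPaths registry key documented in
KB3000483. The -SkipIntegrity switch is my addition to cover the 2003-DC case
above; the value names and data strings are the ones from the bulletin.

```powershell
# Added example: audit (and optionally set) the registry values that the
# "Hardened UNC Paths" group policy writes. Key location is from KB3000483.
param(
    [switch]$Apply,          # write the values instead of only reporting them
    [switch]$SkipIntegrity   # omit RequireIntegrity=1 (2003 DC advice above)
)

$key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$paths = '\\*\NETLOGON', '\\*\SYSVOL'

# Desired value data, matching the recommended configuration in the bulletin.
$desired = if ($SkipIntegrity) {
    'RequireMutualAuthentication=1'
} else {
    'RequireMutualAuthentication=1, RequireIntegrity=1'
}

function Get-HardenedPathSetting {
    param([string]$Path)
    if (-not (Test-Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    # The value *name* is the UNC path itself; the *data* is the option list.
    return $props.PSObject.Properties[$Path].Value
}

foreach ($p in $paths) {
    $current = Get-HardenedPathSetting -Path $p
    if ($null -eq $current) {
        Write-Warning "$p : not configured (policy/script fetches unprotected)"
    } elseif ($current -notmatch 'RequireMutualAuthentication\s*=\s*1') {
        Write-Warning "$p : mutual authentication not required ($current)"
    } elseif (-not $SkipIntegrity -and $current -notmatch 'RequireIntegrity\s*=\s*1') {
        Write-Warning "$p : integrity (SMB signing) not required ($current)"
    } else {
        Write-Output "$p : OK ($current)"
    }

    if ($Apply) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $p -Value $desired -Type String
        Write-Output "$p : set to '$desired'"
    }
}
```

Group Policy rewrites this key on refresh, so -Apply is only useful for checking behaviour on a lab machine before the policy exists; the domain-wide rollout should still go through the GPO. Run it without -Apply on a few systems in your test OU after the policy applies to confirm the values actually landed.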

As with anything like this, please test things out before you apply it to
the whole domain. These are client-side security settings, so you can test
things out on a few systems in a test OU before you do the full deployment.
Good luck!