• Ensure AltSecID attribute on the krbtgt account is not populated


    #2447354

    https://twitter.com/JosephRyanRies/status/1526218059786199042

    “If you manage an Active Directory, please do me a small favor. Make sure the AltSecID attribute on the krbtgt account is NOT populated PRIOR to deploying May updates to your DCs. There’s a bug, and trust me you don’t want to find it. (Not security related, just a crash)”

    For more interesting reading….  https://adsecurity.org/?p=483

    Susan Bradley Patch Lady
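
    A read-only way to run the check the quoted tweet asks for, added here as an example and not part of the original post or of Microsoft's guidance. It assumes "AltSecID" means the LDAP attribute `altSecurityIdentities`, and it goes slightly beyond the post by also listing the per-RODC `krbtgt_*` accounts and every domain in the forest.

```powershell
# Added example: read-only audit, nothing in the directory is modified.
# Assumption: "AltSecID" in the post is the LDAP attribute altSecurityIdentities.
# Requires the ActiveDirectory module (RSAT) and read access to each domain.
Import-Module ActiveDirectory

$findings = foreach ($domain in (Get-ADForest).Domains) {
    # Every domain has its own krbtgt; RODCs add krbtgt_<number> accounts.
    $accounts = Get-ADUser -Server $domain `
        -LDAPFilter '(|(sAMAccountName=krbtgt)(sAMAccountName=krbtgt_*))' `
        -Properties altSecurityIdentities

    foreach ($account in $accounts) {
        # An unset attribute comes back as an empty collection.
        $values = @($account.altSecurityIdentities)
        [pscustomobject]@{
            Domain     = $domain
            Account    = $account.SamAccountName
            Populated  = $values.Count -gt 0
            ValueCount = $values.Count
            Values     = $values -join '; '
        }
    }
}

$findings | Format-Table -AutoSize

# Summarise so the result is unambiguous before DC patching starts.
$populated = @($findings | Where-Object { $_.Populated })
if ($populated.Count -gt 0) {
    Write-Warning "altSecurityIdentities is populated on $($populated.Count) krbtgt account(s)."
}
else {
    Write-Output 'altSecurityIdentities is empty on every krbtgt account checked.'
}
```

    Run it before deploying the updates to the DCs; any row with `Populated` set to `True` is the condition the tweet warns about.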

    • #2447372

      I remember a certification class several years ago on AD where this topic came up. The instructor was very adamant that we should never – ever – touch this account nor its properties.

      Does not surprise me at all that internal MS testing on patches would assume this account to be unmodified. Although I am dismayed at the apparent lack of error handling around this issue. An LSASS-level system crash is difficult to recover from! Most admins I know would want to restore a cold metal backup on this event, but with AD in the mix that’s fraught with additional challenges.

      ~ Group "Weekend" ~

    • #2447458

      Download – PingCastle

      More advice for Active Directory – try that tool to audit your AD

      Susan Bradley Patch Lady
