Microsoft posts more details – but no apology – for botched permissions in MS16-072

Topic

New Reply

I guess y’all should’ve known in advance… InfoWorld Woody on Windows
[See the full post at: Microsoft posts more details – but no apology – for botched permissions in MS16-072]

Reply | Quote

Replies

What if we’ve already installed KB 3161561 from when the all clear was given?

Thanks, as always!

(I have been occasionally getting some kind of error on shut-down, but my laptop still shuts down after it pops up — I can’t remember what it says, and have no idea if it has something to do with this update or one of the others. But it only started after these last updates were installed.)

Reply | Quote

No problem at all. From the article:

The patch caused problems, though — not with client-side computers, but in the way admins have set permissions for Group Policies — on the server side of the fence.

So unless you’re running a network, you have no reason to be concerned.

Reply | Quote

We have used the MS provided Powershell script to scan servers prior to patching. This works, but they should have done this ahead of time.

There are plenty of older (SBS for example, that has some quirky pre-built GPOs) that may be lacking some of these privileges in group policies. Of course, one of my first steps with an SBS server is to block policy inheritance for it (as a domain controller) and link only the top-level policies that I really need, as we don’t use WSUS and it tends to lock out the Windows Update settings to the server.

Finally Woody, didn’t you realize? This is the NEW new Microsoft…they don’t apologize for anything. After all, it worked for Steve Jobs and Larry Ellison, right?

Reply | Quote

HA! Ah, the march of progress…

Reply | Quote

A PS script to “fix” the AD GPO schema is available here: http://www.jhouseconsulting.com/2016/06/29/script-to-modify-the-defaultsecuritydescriptor-attribute-on-the-group-policy-container-schema-class-object-1668

(until M$ gets their act together, if that ever happens.)

Reply | Quote

Thanks for the link @doktornotor
Jeremy Saunders has a very good understanding of the finest details of Windows and Citrix and more and the URL that you posted is a very good example of it.

Reply | Quote

The effected admins should be apologizing to their companies for not setting up “by the book” in the first place. We are talking about security policies here where mistakes like this are totally unacceptable.

Reply | Quote

Huh?! What on earth are you talking about? The issue here is caused by *default* permissions that get *automatically* applied by the GPO container schema in the AD as soon as you apply security filtering on a GPO. (Which – BTW – is something that M$ failed to fix altogether, even though that should have been done at the same time they’ve changed their mind about default secure permissions and released MS16-072)

Reply | Quote