  • Patch Lady – make sure your domain controllers are patched

    Posted on Susan Bradley Comment on the AskWoody Lounge

      • #2298639 Reply
        Susan Bradley
        AskWoody MVP

        Microsoft is seeing active attacks for the “Zerologon” exploit that could take over a domain.  Note this is not important for home users, only domain
        [See the full post at: Patch Lady – make sure your domain controllers are patched]

        Susan Bradley Patch Lady

        1 user thanked author for this post.
      • #2298652 Reply
        gborn
        AskWoody_MVP

        Just a reminder that Samba is also vulnerable. I have compiled a few pieces here:

        Zerologon Exploits are used in the wild, patching (Windows Server, Samba) recommended

        Microsoft Windows Insider MVP, Microsoft Answers Community Moderator, Blogger, Book author

        https://www.borncity.com/win/

        2 users thanked author for this post.
      • #2298666 Reply
        woody
        Da Boss

        0patch has released a micropatch for Server 2008 R2.

      • #2298681 Reply
        tf231909
        AskWoody Plus

        Is there anything in the SEPTEMBER patches to protect domain controllers that was NOT in the AUGUST patches?  I have the August patches on my DCs, but hadn’t put the September ones on yet – DEFCON 2 and all.

        • #2298719 Reply
          Susan Bradley
          AskWoody MVP

          August is good enough, you do not need Sept patches on there.

          Susan Bradley Patch Lady

      • #2298682 Reply
        anonymous
        Guest

        Don’t forget that patching DCs is not enough – to enable enforcement mode, you need to set a registry key as well:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

        FullSecureChannelProtection = 1

        You’ll want to do this before the February patch, which will permanently set the secure channel protection to active and will ignore that registry key.  So you’ll need to make sure there are no problems on the domain before then.

        • #2298691 Reply
          tf231909
          AskWoody Plus

          Is that registry setting read only at startup?  Meaning, do you have to reboot the DCs after making that change?  Thanks!

          • #2298700 Reply
            anonymous
            Guest

            According to the MS article, they mark the reboot as not needed.  I haven’t tested personally.

      • #2298788 Reply
        RobMan
        AskWoody Lounger

        You don’t want to just blindly set that registry key after installing the August updates. You first need to observe the logs for a period of time and determine if you have some devices that are not able to use Secure RPC and add them to the exception group (or remediate them so that they are compliant).

        This article explains the process:

        https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
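
Added example (not part of any post in this thread and not Microsoft's code): a PowerShell check for the workflow discussed above, reading `FullSecureChannelProtection` and reviewing the Netlogon events before turning enforcement on. The function name `Get-NetlogonReadiness`, the 30-day window and the sample events are assumptions made for illustration; the event IDs 5827 to 5831 are the ones listed in the Microsoft article linked above, and the "Machine SamAccountName:" field layout in the event text is assumed.

```powershell
# Added example, not from the thread. Event IDs per the linked Microsoft article:
# 5829 = vulnerable connection allowed (will be denied once enforced),
# 5827/5828 = denied, 5830/5831 = allowed by the exception group policy.
function Get-NetlogonReadiness {   # hypothetical helper name
    param(
        [object[]]$Events = @(),   # objects exposing Id and Message
        $RegistryValue             # FullSecureChannelProtection, $null if absent
    )
    $byKind = @{ WouldBreak = @(); Denied = @(); Excepted = @() }
    foreach ($e in $Events) {
        # Assumption: the event text carries a "Machine SamAccountName:" field.
        $name = if ($e.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
        switch ($e.Id) {
            5829                  { $byKind.WouldBreak += $name }
            { $_ -in 5827, 5828 } { $byKind.Denied     += $name }
            { $_ -in 5830, 5831 } { $byKind.Excepted   += $name }
        }
    }
    $enforced = ($RegistryValue -eq 1)
    $verdict = if ($enforced) {
        'Enforcement mode already on'
    } elseif ($byKind.WouldBreak.Count -gt 0) {
        'Not ready: remediate or add to the exception group the accounts in WouldBreak'
    } else {
        'No 5829 events in the window: candidate for FullSecureChannelProtection = 1'
    }
    [pscustomobject]@{
        Enforced   = $enforced
        WouldBreak = @($byKind.WouldBreak | Sort-Object -Unique)
        Denied     = @($byKind.Denied     | Sort-Object -Unique)
        Excepted   = @($byKind.Excepted   | Sort-Object -Unique)
        Verdict    = $verdict
    }
}

# Constructed sample events (not real log data) so the function runs anywhere.
$sample = @(
    [pscustomobject]@{ Id = 5829; Message = 'Machine SamAccountName: NAS01$ Domain: EXAMPLE' }
    [pscustomobject]@{ Id = 5829; Message = 'Machine SamAccountName: NAS01$ Domain: EXAMPLE' }
    [pscustomobject]@{ Id = 5831; Message = 'Machine SamAccountName: PRINTSRV$ Domain: EXAMPLE' }
)
Get-NetlogonReadiness -Events $sample -RegistryValue $null | Format-List

# On a patched domain controller, feed it live data (30 days is an arbitrary window):
# $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
# $val = (Get-ItemProperty $key -ErrorAction SilentlyContinue).FullSecureChannelProtection
# $ev  = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
#          LogName = 'System'; Id = 5827..5831; StartTime = (Get-Date).AddDays(-30) }
# Get-NetlogonReadiness -Events $ev -RegistryValue $val
```

With the constructed sample, `NAS01$` lands in `WouldBreak`, so the verdict is "Not ready" until that device is remediated or added to the exception group.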

         
