mcbsys (@mcbsys)

    Viewing 15 replies - 1 through 15 (of 139 total)
    • in reply to: MS-DEFCON 3: Side effect with Domain patch #2513257

      Correct syntax (if WordPress doesn’t mess up the quotation marks):

      reg delete "HKLM\System\CurrentControlSet\services\KDC" /v "KrbtgtFullPacSignature"
    • in reply to: MS-DEFCON 3: Side effect with Domain patch #2512992

      So now that December patches have been installed successfully ("Resolved KB5021235"), are we good to remove the temporary registry value? This should work, right?

      reg delete "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature"
    • in reply to: MS-DEFCON 3: Side effect with Domain patch #2501815

      Seems like 2012R2 updates may not be cumulative (as they are with 2016+). Might need to install November before December, but you could still wait until December. The machine should tell you what’s applicable.

    • in reply to: MS-DEFCON 3: Side effect with Domain patch #2501136

      Thanks for the heads-up. I’m going the regedit route on four DCs to which I applied November updates and OOB fixes in the past week. Notes:

      • Two Server 2016 machines show lsass.exe using about 72K of memory on each machine. The registry key did not exist on either. Adding.
      • Two Server 2012R2 machines show lsass.exe using 100K and 161K of memory. The registry key did not exist on either. Adding.

      I don’t see any reboot requirement for applying this fix?

    • in reply to: MS-DEFCON 3: Issues with domains #2500367

      Business patcher here. I installed November updates Monday night. No issues reported. Just deployed a script to check these two events in the System log:

      Microsoft-Windows-Kerberos-Key-Distribution-Center – 14 – Error
      Kdcsvc – 42 – Error

      No reports coming back. In fact, on one DC that I checked, Kdcsvc isn’t even registered as an Event Source. I wondered if they meant KdsSvc.

      What I’m unclear on, even if there were issues, would installing the applicable out-of-band updates fix the issues, or do I have to go through all the steps and scripts in those two DirTeam articles to mitigate manually?

      [Insert another gripe about frequent OOB updates and long mitigation articles. How is one supposed to manage a few small servers in this break-now-fix-later environment? Synology? Azure?]
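
The check described in this reply, as an added PowerShell example that is not the poster's script: it queries the System log on a list of DCs for the two (source, ID) pairs named above, over a recent window. DC names are placeholders; it assumes WinRM/remote event log access and a domain admin account.

```powershell
# Added example (not from the original post): look for the two Kerberos/KDC
# events the post lists on each DC, over the last $Hours hours.
# DC names are placeholders; assumes remote event log access is allowed.
param(
    [string[]]$DomainControllers = @('DC1', 'DC2'),
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Each (source, id) pair is queried separately, because Kdcsvc may not be
# registered as an event source on every DC (as the post observes), and a
# missing source should be reported, not treated as a failure.
$checks = @(
    @{ ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'; Id = 14 },
    @{ ProviderName = 'Kdcsvc';                                              Id = 42 }
)

foreach ($dc in $DomainControllers) {
    foreach ($c in $checks) {
        $filter = @{
            LogName      = 'System'
            ProviderName = $c.ProviderName
            Id           = $c.Id
            StartTime    = $since
        }
        try {
            $events = @(Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop)
            "{0}: {1} event {2}: {3} hit(s)" -f $dc, $c.ProviderName, $c.Id, $events.Count
            $events | Select-Object -First 3 TimeCreated, Message
        } catch {
            # Get-WinEvent throws when nothing matches; tell that apart from a query error.
            if ($_.Exception.Message -match 'No events were found') {
                "{0}: {1} event {2}: none" -f $dc, $c.ProviderName, $c.Id
            } else {
                "{0}: {1} event {2}: query failed ({3})" -f $dc, $c.ProviderName, $c.Id, $_.Exception.Message
            }
        }
    }
}
```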


    • in reply to: Dealing with DCOM #2470507

      Coming back to this. I may have figured it out for my case.

      I discovered that if you run Wireshark on the server, you can filter on “dcom” and see the Auth level requested and in use. I’ve added AuthenticationHint and Auth level as columns (isystemactivator.properties,scmresp.authhint and dcercp.authlevel, respectively). Here we see “Packet integrity” is in use, but only on the initial connection (in the RemoteCreateInstance requests and responses):

      [Screenshot: DCOM-in-Wireshark-1]

      Per this reference, AuthenticationHint=2 corresponds to RPC_C_AUTHN_LEVEL_CONNECT. So I’m requesting Connect and getting Packet Integrity, but only during the initial connection.

      After increasing my DCOM proxy on the client to specify Packet Integrity, the AuthenticationHint increases to 5 (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). More importantly, all the packets carry that Auth level = Packet integrity. So that is apparently what Packet integrity means, that every single packet has authentication info.

      [Screenshot: DCOM-in-Wireshark-2]

      The thing that still seems odd to me is that even with the server set to enforce RequireIntegrityActivationAuthenticationLevel, it still wasn’t complaining (raising errors) when Auth level was set to Connect–maybe because that connection uses Packet integrity? I guess I could try setting the Authentication level to None to see if it would fail.

    • in reply to: Essentials 2016 connector without static DNS override? #2468764

      Okay Robert, gold star for you! Poking around in the client registry, I found

      HKLM\SOFTWARE\Microsoft\Windows Server\Networking\ServerDiscovery\SkipAutoDNSServerDetection

      With that name, I was able to backtrack to

      https://support.microsoft.com/en-us/topic/update-rollup-3-for-windows-server-2012-essentials-7e71b958-0b1c-25ba-7f60-4213a51186b1

      also archived as KB2862551:

      https://mskb.pkisolutions.com/kb/2862551

      which talks about disabling DNS detection for a single client or at the server level for all clients (HKLM\SOFTWARE\Microsoft\Windows Server\Networking\ClientDns\SkipAutoDnsConfig).

      That article is about Rollup 3 for Essentials 2012. It’s not clear if that will work on 2016. The server key isn’t there on 2016. But I don’t see it on a 2012R2 Essentials box either.

      This thread suggests that the registry “hacks” work on 2016 but only if you uninstall and reinstall the connector:

      https://social.technet.microsoft.com/Forums/en-US/3f499dc7-182a-43b6-8f18-3feff862dc6d/windows-server-2016-essentials-overwriting-dns-servers?forum=winserveressentials

      Well it’s worth a try!

      Thanks everyone for your thoughts and suggestions.


    • in reply to: Essentials 2016 connector without static DNS override? #2468761

      Robert,

      Thanks very much for chiming in.

      Wasn’t there a registry key you could set to stop it doing that?

      Would love for it to be that simple!

      As I’m writing I’m remembering something about that needing to be set at connector install time.

      I don’t recall seeing any related options in the setup wizard.

      What do you mean it doesn’t always work setting it back to DHCP? That the service kicks in and sets it back to static?

      The other way around: it’s already static because you’re on site, but when you leave the LAN, it doesn’t revert to DHCP; it’s stuck on static. Which prevents the user from resolving anything on the Internet. So the service should detect that it’s off the LAN (maybe a failed ping to the IP of the server?), but it doesn’t.

      Remind me, is there a service called WSS LAN Configuration on the client?

      Not that I see. You mention the Windows Server LAN Configuration Service at the end of this article, but I guess that’s for 2012 R2 Essentials only?

      https://windowspoweressentials.com/2013/06/17/unravelling-the-mystery-of-client-dns-with-essentials-family-servers/


    • in reply to: Essentials 2016 connector without static DNS override? #2468667

      I see this in one of the connected desktop’s ClientOperator.log:

      [7912] 220808.212521.1989: ClientSetup: NetGetJoinInformation (server = [], …)

      If I have time, I might try to take a laptop off site and check the logs for errors.

    • in reply to: Essentials 2016 connector without static DNS override? #2468654

      I posted on server-essentials.com about a week ago. The post showed awaiting moderation for a few days, then disappeared. Is that forum still active?

    • in reply to: Essentials 2016 connector without static DNS override? #2468620

      Thanks. Yeah, workgroup mode might make it leave DNS alone in the NIC, but I do use the domain for Group Policy etc., so I want the laptop on the domain.

    • in reply to: Sometimes you need to pull the plug #2464353

      Re. remote updates, when you manage critical systems far away, employ remote power control. WattBox has saved my bacon on more than one occasion. Sometimes it’s the Windows box running the PBX software that fails to reboot. Sometimes a long power outage throws off the whole network because modem, router, and switches don’t come back up in a nice sequence. A tech might make a change to a switch that takes the whole switch offline. As long as the startup config isn’t saved, a reboot can fix it. And so on.

      Of course, things, or you, can still mess up in ways that power won’t fix. And there are more options, like out-of-band failover routers that connect to the cellular network and give you serial port access to equipment. But I’ve found that the remote power cycle covers most issues.

      For smaller, less-critical systems like a desktop, the inexpensive TP-Link Kasa outlets could work. Not as reliable, but at four for $25, it could give you more time for weekend baking.

    • in reply to: Dealing with DCOM #2457551

      @EricB, thanks for the suggestion. Interesting that you found your app using packet privacy in spite of the Connect specification.

      Mine is a VB6 app, so getting down to those low-level functions would not be easy. It’s set up as a COM+ proxy, with DCOM configured as described in (archived) KB268550. I found KB926098 about tracing COM, but it requires Microsoft support to interpret the etl files.

      I tried raising the auth level on the server to Packet Integrity and re-exporting the proxy. Once I uninstalled the old proxy on the client, I was able to install the new one with Auth Level = Packet Integrity. My app can still read and write records, so at least in an initial test, it’s unaffected by Packet Integrity. Whether there are issues with larger recordsets etc. remains to be seen.

      I still don’t understand why I’m not seeing event log errors with Packet Integrity turned off!

    • in reply to: Dealing with DCOM #2457227

      Susan,

      Thanks for the heads-up/reminder. I use COM in a custom program I developed so I wanted to test this.

      The server is 2012R2, so per this article, I need patch KB5006714. I can see that in my update history, but oddly it’s not in the WMI list of applied hotfixes. Maybe it was superseded? I do see the 2022-06 rollup KB5014738 as installed.

      My program uses Connect level authentication but even with hardening explicitly enabled in the server’s registry, I can’t get it to fail or create event log warnings.

      [Screenshot: COM-default]

      Is there a test app, or a known failing app, that will confirm the hardening is working?
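
A check for the question raised in these two DCOM replies (is hardening enforced, and is anything being logged), as an added PowerShell example that is not the poster's program. The registry key path and the DistributedCOM event IDs are taken from Microsoft's DCOM hardening guidance (KB5004442), not from this thread; it assumes it is run elevated on the COM+ server.

```powershell
# Added example (not the poster's code): report the DCOM hardening switch and
# any DistributedCOM authentication-level events on this server.
# Key path and event IDs per Microsoft KB5004442 (assumed; not on the page).
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$valueName = 'RequireIntegrityActivationAuthenticationLevel'

$value = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $value) {
    "$valueName is not set; behaviour follows the default for the installed patch level"
} else {
    "$valueName = $($value.$valueName)  (1 = require Packet Integrity for activations, 0 = off)"
}

# 10036 is logged on the server when an activation below Packet Integrity is
# rejected; 10037/10038 are client-side warnings about an app's own auth level.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036, 10037, 10038
    StartTime    = (Get-Date).AddDays(-7)
}
try {
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
        Select-Object TimeCreated, Id, Message |
        Format-List
} catch {
    # Get-WinEvent throws when nothing matches the filter.
    'No DistributedCOM authentication-level events (10036-10038) in the last 7 days'
}
```

If the value reads 1 and the System log still shows no 10036 entries while a client uses Connect level, the capture approach in the Wireshark reply above is the next place to look at what level actually reaches the server.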

    • in reply to: MS-DEFCON 2: Zero days unpatched #2452701

      Susan, thanks for this. Motivated by your CSO Online post, as a start, I’m setting up a group policy to

      Block Office applications from creating child processes D4F940AB-401B-4EFC-AADC-AD5F3C50688A
      Block Office applications from creating executable content 3B576869-A4EC-4529-8536-B80A7769E899
      Block Office applications from injecting into other processes 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84

      It’s hard for me to imagine a scenario in which any of these would ever be a good thing. I guess maybe if a customer were using custom Office scripts but 99% of small businesses won’t even know that is possible.

      As usual, this is a vast subject covered by half a dozen Microsoft articles. The most helpful, succinct resource is this test bed: https://demo.wd.microsoft.com/Page/ASR. Too bad that’s going away in four days. Download the samples now! I was able to successfully test that child process creation is blocked.

      BTW your video talks about looking for 1122 events in Microsoft-Windows-Security-Mitigations/KernelMode. From this article, that log may have other relevant events (2-23, 260), but the 1121 and 1122 events are in Microsoft-Windows-Windows Defender/Operational or Microsoft-Windows-Windows Defender/WHC. My test threw 1121:

      Log Name: Microsoft-Windows-Windows Defender/Operational
      Source: Microsoft-Windows-Windows Defender
      Date: 6/11/2022 8:59:40 AM
      Event ID: 1121
      Task Category: None
      Level: Warning
      User: SYSTEM
      Description:
      Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
      For more information please contact your IT administrator.
      ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
      Detection time: 2022-06-11T15:59:40.180Z
      User: (unknown user)
      Path: \\SERVER\Reference\TestFile_Block_Office_applications_from_creating_executable_content_3B576869-A4EC-4529-8536-B80A7769E899.docm
      Process Name: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
      Target Commandline: 
      Parent Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "M:\Reference\IT Admin\2022.06 - Windows Defender Attack Surface Reduction\TestFile_Block_Office_applications_from_creating_executable_content_3B576869-A4EC-4529-8536-B80A7769E899.docm" /o ""
      Involved File: 
      Inheritance Flags: 0x00000000
      Security intelligence Version: 1.367.1391.0
      Engine Version: 1.1.19200.6
      Product Version: 4.18.2203.5
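
The three ASR rules and the 1121/1122 events from this reply, as an added PowerShell example (not the poster's Group Policy setup): it enables the rules on the local machine through Defender's own cmdlets, lists what is configured, and parses the rule GUID and blocked path out of recent 1121/1122 events in the Operational log. Assumes it is run elevated on a machine with Microsoft Defender Antivirus active.

```powershell
# Added example (not from the original post): enable the three ASR rules listed
# in the post via the Defender module, then summarise recent 1121/1122 events.
# Run elevated; GUIDs and log name are the ones quoted in the post.
$rules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting into other processes'
}

foreach ($id in $rules.Keys) {
    # 'Enabled' blocks; start with 'AuditMode' if you want to see hits without blocking.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# Confirm the configured state. Ids and Actions are parallel arrays;
# Actions: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id   = $pref.AttackSurfaceReductionRules_Ids[$i]
    $name = if ($rules.ContainsKey($id)) { $rules[$id] } else { 'other rule' }
    "{0} -> action {1} ({2})" -f $id, $pref.AttackSurfaceReductionRules_Actions[$i], $name
}

# 1121 = blocked, 1122 = audit-mode hit. The rule GUID and the file path are in
# the message body, in the "ID:" and "Path:" lines shown in the post.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ruleId = if ($_.Message -match 'ID:\s*([0-9A-Fa-f-]{36})') { $Matches[1] } else { '?' }
        $path   = if ($_.Message -match 'Path:\s*(.+)') { $Matches[1].Trim() } else { '?' }
        [pscustomobject]@{
            Time  = $_.TimeCreated
            Event = $_.Id
            Rule  = if ($rules.ContainsKey($ruleId)) { $rules[$ruleId] } else { $ruleId }
            Path  = $path
        }
    } | Format-Table -AutoSize
```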

