This post was written to provide guidance and answer questions needed by administrators to deploy the newly released security update, MS16-072, that addresses a vulnerability. The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine on domain-joined Windows computers.

Notice that no other user or group is included to have “Read” or “Apply Group Policy” permissions other than the default Domain Admins and Enterprise Admins. These groups do not have “Apply Group Policy” by default, so the GPO would not apply to the users of these groups and applies only to user “MSFT Ajay”.

Symptoms when you have security filtering Group Policy Objects (GPOs) like the above example and you install the security update MS16-072:

Simply adding the “Authenticated Users” group with the “Read” permissions on the Group Policy Objects (GPOs) should be sufficient.

Select and Deploy GPOs again:

Note: To modify permissions on multiple AGPM-managed GPOs, use Shift+click or Ctrl+click to select multiple GPOs at a time, then deploy them in a single operation.

The targeted GPO now has the new permissions when viewed in AD:

Below are some frequently asked questions we have seen:

Q1) Do I need to install the fix on only client OS?

A1) It is recommended you patch Windows and Windows Server computers which are running Windows Vista, Windows Server 2008 and newer Operating Systems (OS), regardless of SKU or role, in your entire domain environment. These updates only change behavior from a client (as in “client-server distributed system architecture”) standpoint, but all computers in a domain are “clients” to SYSVOL and Group Policy; even the Domain Controllers (DCs) themselves.

Q2) Do I need to enable any registry settings to enable the security update?

A2) No, this security update will be enabled when you install the MS16-072 security update; however, you need to check the permissions on your Group Policy Objects (GPOs) as explained above.

Q3) What will change in regard to how group policy processing works after the security update is installed?

A3) To retrieve user policy, the connection to the Windows domain controller (DC) prior to the installation of MS16-072 is done under the user’s security context. With this security update installed, instead of the user’s security context, Windows group policy clients will now force the local system’s security context, therefore forcing Kerberos authentication.

Q4) We already have the security updates MS15-011 & MS15-014 installed, which harden the UNC paths for SYSVOL & NETLOGON, and have the following registry keys being pushed using group policy:

Should the UNC Hardening security update with the above registry settings not take care of this vulnerability when processing group policy from the SYSVOL?

A4) UNC Hardening alone will not protect against this vulnerability.

Q5) What will happen if there are Group Policy Objects (GPOs) in an Active Directory domain that are using security filtering as discussed in the example scenario above?

A5) Nothing will change in regard to how Computer Group Policy retrieval and processing works.

Q6) We are using security filtering for user objects and after installing the update, group policy processing is not working anymore.

A6) As noted above, the security update changes the way user group policy settings are retrieved. The reason for group policy processing failing after the update is installed is because you may have removed the default “Authenticated Users” group from the Group Policy Object (GPO).
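The permission check the post asks for can be automated. The following script is an added example, not the post's or Microsoft's own tooling: it lists every GPO in the domain, flags the ones where neither “Authenticated Users” nor “Domain Computers” holds at least “Read”, and, only when run with `-Fix`, grants “Authenticated Users” the `GpoRead` level (Read without “Apply Group Policy”, so existing security filtering is unchanged). It assumes the GroupPolicy module (RSAT/GPMC) is installed and that the account running it can read and, for `-Fix`, modify GPO permissions; the `-Domain` and `-Fix` parameters are this script's own.

```powershell
# Added example (not from the original post): audit GPO read permissions for MS16-072.
# Assumes the GroupPolicy module and an account allowed to read/modify GPO ACLs.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # assumption: current user's domain
    [switch]$Fix                             # hypothetical switch: apply the remediation
)
Import-Module GroupPolicy -ErrorAction Stop

# After MS16-072 user policy is retrieved in the computer's security context, so the
# computer account must be able to read the GPO. Either of these groups covers that.
$readerGroups = @('Authenticated Users', 'Domain Computers')

$report = foreach ($gpo in Get-GPO -All -Domain $Domain) {
    $perms = Get-GPPermission -Guid $gpo.Id -All -Domain $Domain
    # Every permission level except None includes Read (GpoRead, GpoApply, GpoEdit, ...).
    # Trustee names may carry a "DOMAIN\" or "NT AUTHORITY\" prefix; strip it before matching.
    $readers = $perms | Where-Object {
        $_.Permission -ne 'None' -and
        $readerGroups -contains ($_.Trustee.Name -replace '^.*\\', '')
    }
    [pscustomobject]@{
        Name      = $gpo.DisplayName
        Id        = $gpo.Id
        HasReader = [bool]$readers
        Trustees  = ($perms | ForEach-Object { "$($_.Trustee.Name)=$($_.Permission)" }) -join '; '
    }
}

# GPOs without a reader group are the ones that will stop applying user settings.
$broken = @($report | Where-Object { -not $_.HasReader })
$report | Sort-Object HasReader, Name | Format-Table Name, HasReader, Trustees -AutoSize
Write-Host ("{0} of {1} GPOs lack a Read grant for {2}" -f $broken.Count, @($report).Count, ($readerGroups -join ' / '))

if ($Fix) {
    foreach ($g in $broken) {
        if ($PSCmdlet.ShouldProcess($g.Name, "Grant 'Authenticated Users' GpoRead")) {
            # GpoRead adds Read only; 'Apply Group Policy' is untouched, so the GPO still
            # applies only to the users/groups selected by the existing security filtering.
            Set-GPPermission -Guid $g.Id -Domain $Domain -TargetName 'Authenticated Users' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
        }
    }
}
```

Run it without `-Fix` first to get the report, then with `-Fix -WhatIf` to see which GPOs would be changed before committing. For GPOs under AGPM control, make the permission change in AGPM and redeploy as described above rather than editing the live GPO, otherwise the next AGPM deployment overwrites the ACL.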