Several years ago I documented Windows updates that needed additional registry keys to be set before you are fully patched. These updates can be hard to keep track of. Microsoft recently released several more updates that need action on your part. The Microsoft Japanese security team documented several updates released in November 2021 that need more registry keys or actions taken to better protect Active Directory. These updates will ultimately be enforced, but in the meantime, these settings should be on your radar and tested for their impact.
Active Directory elevation of privilege vulnerability
The first patch addresses a security bypass vulnerability (CVE-2021-42278) that allows attackers to impersonate a domain controller through computer account spoofing. The update adds stricter validation of the sAMAccountName and UserAccountControl attributes of computer accounts created or modified by users who do not have administrator rights, so that machine accounts under their control cannot be used to impersonate a domain controller.
After the update, user and computer accounts are checked for the following:
ObjectClass=Computer (or a subclass of computer) accounts must have UserAccountControl flags of UF_WORKSTATION_TRUST_ACCOUNT or UF_SERVER_TRUST_ACCOUNT
ObjectClass=User accounts must have UserAccountControl flags of UF_NORMAL_ACCOUNT or UF_INTERDOMAIN_TRUST_ACCOUNT
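To see which existing objects would trip these checks before enforcement, here is an added audit example (not from the article or from Microsoft) that applies the two rules above to directory entries shaped like an LDAP search result; the sample entries are constructed, and the script flags every object regardless of who created it, which is deliberately more conservative than the update itself.

```python
# Added example: pre-enforcement audit of the UserAccountControl rules above.
# Well-known userAccountControl bit values from the Active Directory schema.
UF_NORMAL_ACCOUNT = 0x0200
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_TRUSTED_FOR_DELEGATION = 0x80000  # set on domain controllers by default

COMPUTER_FLAGS = UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT
USER_FLAGS = UF_NORMAL_ACCOUNT | UF_INTERDOMAIN_TRUST_ACCOUNT

# In the AD schema, computer is a subclass of user, so a computer object's
# multivalued objectClass carries both "user" and "computer".
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
COMPUTER_CLASSES = USER_CLASSES + ["computer"]


def violations(entry):
    """Return the rules (as described in the update) that this entry breaks."""
    classes = {c.lower() for c in entry["objectClass"]}
    uac = int(entry.get("userAccountControl", 0))
    problems = []
    if "computer" in classes:  # must be tested before "user" (subclass)
        if not uac & COMPUTER_FLAGS:
            problems.append("computer object without "
                            "UF_WORKSTATION_TRUST_ACCOUNT/UF_SERVER_TRUST_ACCOUNT")
    elif "user" in classes:
        if not uac & USER_FLAGS:
            problems.append("user object without "
                            "UF_NORMAL_ACCOUNT/UF_INTERDOMAIN_TRUST_ACCOUNT")
    return problems


def audit(entries):
    """Map sAMAccountName -> list of violations, only for failing entries."""
    report = {}
    for entry in entries:
        found = violations(entry)
        if found:
            report[entry["sAMAccountName"]] = found
    return report


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "objectClass": USER_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "WS01$", "objectClass": COMPUTER_CLASSES,
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "DC01$", "objectClass": COMPUTER_CLASSES,
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION},
    # A computer object carrying only a user-type flag: fails the first rule.
    {"sAMAccountName": "ODD01$", "objectClass": COMPUTER_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT},
    # A user object carrying only a workstation flag: fails the second rule.
    {"sAMAccountName": "svc-odd", "objectClass": USER_CLASSES,
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT},
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_ENTRIES).items():
        print(name, "->", "; ".join(problems))
```

Feeding real entries from an LDAP export into `audit()` gives a list to review and remediate before the enforcement phase.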