Summary
CVE-2021-42278 addresses a security bypass vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing.
This article provides additional details and a frequently asked questions section for the Active Directory Security Accounts Manager (SAM) hardening changes made by Windows updates released on November 9, 2021 and later as documented in CVE-2021-42278.
Active Directory validation checks
After installing the Windows updates that address CVE-2021-42278, Active Directory performs the validation checks listed below on the sAMAccountName and UserAccountControl attributes of computer accounts created or modified by users who do not have administrator rights for machine accounts.

- sAMAccountType validation for user and computer accounts
  - ObjectClass=Computer (or a subclass of computer) accounts must have UserAccountControl flags of UF_WORKSTATION_TRUST_ACCOUNT or UF_SERVER_TRUST_ACCOUNT
  - ObjectClass=User accounts must have UserAccountControl flags of UF_NORMAL_ACCOUNT or UF_INTERDOMAIN_TRUST_ACCOUNT

  When these conditions are not met, Active Directory returns a failure code of ACCESS_DENIED. Failed validations are logged as Directory-Services-SAM event ID 16990 in the System event log.
- sAMAccountName validation for computer accounts

  The sAMAccountName of a computer account whose UserAccountControl attribute contains the UF_WORKSTATION_TRUST_ACCOUNT flag must end with a single dollar sign ($). When this condition is not met, Active Directory returns the failure code 0x523 ERROR_INVALID_ACCOUNTNAME. Failed validations are logged as Directory-Services-SAM event ID 16991 in the System event log.
Auditing events
Object class and UserAccountControl validation failure
When Object class and UserAccountControl validation fails, the following event will be logged in the System log:
Field | Value
---|---
Event Log | System
Event Type | Error
Event Source | Directory-Services-SAM
Event ID | 16990
Event Text | The security account manager blocked a non-administrator from creating an Active Directory account in this domain with mismatched objectClass and userAccountControl account type flags. Details: Account name: %1%n Account objectClass: %2%n userAccountControl: %3%n Caller address: %4%n Caller SID: %5%n%n
SAM Account Name validation failure
When SAM Account Name validation fails, the following event will be logged in the System log:
Field | Value
---|---
Event Log | System
Event Type | Error
Event Source | Directory-Services-SAM
Event ID | 16991
Event Text | The security account manager blocked a non-administrator from creating or renaming a computer account using an invalid sAMAccountName. sAMAccountName on computer accounts must end with a single trailing $ sign. Attempted sAMAccountName: %1 Recommended sAMAccountName: %1$
Successful computer account creation auditing events
The following existing auditing events are available for successful computer account creation:
- 4741(S): A computer account was created
- 4742(S): A computer account was changed
- 4743(S): A computer account was deleted
For more information, see Audit Computer Account Management.
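The following is an added example (not a script from this article or from Microsoft) that collects the two hardening-failure events described above from the System log and the 4741/4742 success events from the Security log, and turns their rendered text into objects you can filter or forward to a SIEM. It assumes it runs on a domain controller (or that -ComputerName points at one) with rights to read both logs, and that the 16990/16991 message text follows the templates shown in the tables above; the sample messages at the end are constructed for an offline run, not real log lines.

```powershell
# Added example, not part of the KB article. Assumptions: domain controller (or -ComputerName of one),
# read access to System and Security logs, 16990/16991 text laid out as in the article's templates.

function ConvertFrom-SamHardeningEvent {
    # Parses the rendered message of a 16990 or 16991 event into named fields.
    param(
        [Parameter(Mandatory)][int]$Id,
        [Parameter(Mandatory)][string]$Message,
        [datetime]$TimeCreated = (Get-Date)
    )
    $out = [ordered]@{ TimeCreated = $TimeCreated; EventId = $Id }
    switch ($Id) {
        16990 {
            # Field order follows the 16990 template: account, objectClass, UAC, caller address, caller SID
            $fields = [ordered]@{
                AccountName        = 'Account name:\s*([^\r\n]+)'
                ObjectClass        = 'Account objectClass:\s*([^\r\n]+)'
                UserAccountControl = 'userAccountControl:\s*([^\r\n]+)'
                CallerAddress      = 'Caller address:\s*([^\r\n]+)'
                CallerSid          = 'Caller SID:\s*([^\r\n]+)'
            }
            foreach ($name in $fields.Keys) {
                $out[$name] = if ($Message -match $fields[$name]) { $Matches[1].Trim() } else { $null }
            }
        }
        16991 {
            # Template: "Attempted sAMAccountName: %1 Recommended sAMAccountName: %1$"
            if ($Message -match 'Attempted sAMAccountName:\s*(.+?)\s+Recommended sAMAccountName:\s*(\S+)') {
                $out['AttemptedName']   = $Matches[1]
                $out['RecommendedName'] = $Matches[2]
            }
        }
        default { throw "Not a Directory-Services-SAM hardening event: $Id" }
    }
    [pscustomobject]$out
}

function Get-SamHardeningEvents {
    # Pulls 16990/16991 from the System log of one DC and parses each one.
    param([string]$ComputerName = $env:COMPUTERNAME, [datetime]$StartTime = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'System'; ProviderName = 'Directory-Services-SAM'; Id = 16990, 16991; StartTime = $StartTime }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SamHardeningEvent -Id $_.Id -Message $_.Message -TimeCreated $_.TimeCreated }
}

function Get-ComputerAccountAuditEvents {
    # The success-path counterpart: 4741 (created) and 4742 (changed) from the Security log, read via
    # the event XML so subject and target fields come out by name rather than by property index.
    param([string]$ComputerName = $env:COMPUTERNAME, [datetime]$StartTime = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Security'; Id = 4741, 4742; StartTime = $StartTime }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated        = $_.TimeCreated
            EventId            = $_.Id
            Subject            = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            TargetAccount      = $data['TargetUserName']
            SamAccountName     = $data['SamAccountName']        # "-" in 4742 when the name did not change
            UserAccountControl = $data['UserAccountControl']
        }
    }
}

# Constructed sample messages (not real log lines) so the parser can be exercised offline.
$sample16990 = @"
The security account manager blocked a non-administrator from creating an Active Directory account in this domain with mismatched objectClass and userAccountControl account type flags. Details: Account name: WS-TEST
 Account objectClass: computer
 userAccountControl: 0x200
 Caller address: 10.0.0.25
 Caller SID: S-1-5-21-1111111111-2222222222-3333333333-1105
"@
$sample16991 = 'The security account manager blocked a non-administrator from creating or renaming a computer account using an invalid sAMAccountName. sAMAccountName on computer accounts must end with a single trailing $ sign. Attempted sAMAccountName: DC01 Recommended sAMAccountName: DC01$'

ConvertFrom-SamHardeningEvent -Id 16990 -Message $sample16990
ConvertFrom-SamHardeningEvent -Id 16991 -Message $sample16991
```

On a live DC, `Get-SamHardeningEvents | Where-Object EventId -eq 16991` lists every blocked attempt with the name that was tried; comparing `AttemptedName` against the output of `Get-ADDomainController -Filter *` (Name property) shows whether a blocked rename targeted a domain controller's name, which is the pattern CVE-2021-42278 describes. The caller SID in 16990 identifies the non-administrator principal to follow up on, and the 4741/4742 objects give the successful creations and changes by the same subject.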
Frequently asked questions
Q1. How does this update affect existing objects in Active Directory?
A1. For existing objects, the validation occurs when users who do not have administrator rights modify the sAMAccountName or UserAccountControl attributes.
Q2. What is a sAMAccountName?
A2. sAMAccountName is the logon name attribute of every security principal in Active Directory (users, groups and computers) and must be unique within the domain. The name constraints for sAMAccountName are documented in MS-ADTS section 3.1.1.6, Attribute Constraints for Originating Updates.
Q3. What is a sAMAccountType?
A3. For more information, please read the following documents:
There are three possible sAMAccountType values that correspond to four possible UserAccountControl account type flags, as follows (flag values are the documented userAccountControl bits):

userAccountControl | Value | sAMAccountType
---|---|---
UF_NORMAL_ACCOUNT | 0x200 (512) | SAM_USER_OBJECT
UF_INTERDOMAIN_TRUST_ACCOUNT | 0x800 (2048) | SAM_TRUST_ACCOUNT
UF_WORKSTATION_TRUST_ACCOUNT | 0x1000 (4096) | SAM_MACHINE_ACCOUNT
UF_SERVER_TRUST_ACCOUNT | 0x2000 (8192) | SAM_MACHINE_ACCOUNT
Q4. What are the possible values for UserAccountControl?
A4. For more information, please read the following documents:
Q5. How can I find non-compliant objects that already exist in my environment?
A5. Administrators can search their directory for existing non-compliant accounts using PowerShell commands (ActiveDirectory module) like the examples below.
To find computer accounts that have a non-compliant sAMAccountName (no trailing $, or more than one):
# A compliant computer sAMAccountName ends with exactly one $; the regex rejects "HOST" and "HOST$$"
Get-ADComputer -LDAPFilter "(sAMAccountName=*)" | Where-Object { $_.SamAccountName -notmatch '^[^$]+\$$' } | Select-Object DNSHostName, Name, SamAccountName
To find computer accounts whose UserAccountControl carries UF_NORMAL_ACCOUNT (0x200 = 512), which is a sAMAccountType mismatch for a computer object:
# 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule; 512 is the UF_NORMAL_ACCOUNT bit
Get-ADComputer -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=512)" | Select-Object DNSHostName, Name, SamAccountName
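The following is an added example (not a script from this article or from Microsoft) that turns the rules from the "Active Directory validation checks" section into a reusable check and applies it to existing objects, so the Q5 search above covers every case the update now blocks: a missing or doubled trailing $, computer objects carrying UF_NORMAL_ACCOUNT, and user objects carrying a machine trust flag. It assumes the ActiveDirectory module (RSAT) is available for the directory scan; the flag constants are the documented userAccountControl bits, and the sample objects at the end are constructed, not directory data.

```powershell
# Added example, not the KB's own script. Assumptions: ActiveDirectory module for Find-NonCompliantSamAccounts;
# Test-SamAccountCompliance itself is pure and runs offline.

$UF_NORMAL_ACCOUNT            = 0x0200
$UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800
$UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
$UF_SERVER_TRUST_ACCOUNT      = 0x2000
$AccountTypeMask = $UF_NORMAL_ACCOUNT -bor $UF_INTERDOMAIN_TRUST_ACCOUNT -bor $UF_WORKSTATION_TRUST_ACCOUNT -bor $UF_SERVER_TRUST_ACCOUNT

function Test-SamAccountCompliance {
    # Evaluates one object against the hardening rules and returns Compliant plus the reasons.
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$SamAccountName,
        [Parameter(Mandatory)][int]$UserAccountControl,
        [switch]$IsComputer,                 # objectClass computer or a subclass of it
        [string]$DistinguishedName = ''
    )
    $problems = @()
    $typeBits = $UserAccountControl -band $AccountTypeMask   # only the four account type bits
    if ($IsComputer) {
        # Rule: computer objects must carry exactly UF_WORKSTATION_TRUST_ACCOUNT or UF_SERVER_TRUST_ACCOUNT
        if ($typeBits -ne $UF_WORKSTATION_TRUST_ACCOUNT -and $typeBits -ne $UF_SERVER_TRUST_ACCOUNT) {
            $problems += 'computer objectClass without a machine trust account type (event 16990 case)'
        }
        # Rule: the name ends with one $ and only one. Rejects "DC01", "DC01$$" and a bare "$".
        if ($SamAccountName -notmatch '^[^$]+\$$') {
            $problems += 'sAMAccountName does not end with a single trailing $ (event 16991 case)'
        }
    }
    else {
        # Rule: user objects must carry exactly UF_NORMAL_ACCOUNT or UF_INTERDOMAIN_TRUST_ACCOUNT
        if ($typeBits -ne $UF_NORMAL_ACCOUNT -and $typeBits -ne $UF_INTERDOMAIN_TRUST_ACCOUNT) {
            $problems += 'user objectClass without a user or trust account type (event 16990 case)'
        }
    }
    $class = if ($IsComputer) { 'computer' } else { 'user' }
    [pscustomobject]@{
        SamAccountName     = $SamAccountName
        ObjectClass        = $class
        UserAccountControl = '0x{0:X}' -f $UserAccountControl
        Compliant          = ($problems.Count -eq 0)
        Problems           = ($problems -join '; ')
        DistinguishedName  = $DistinguishedName
    }
}

function Find-NonCompliantSamAccounts {
    # Runs the check over every user and computer object the caller can read and returns the failures.
    param([string]$SearchBase)
    Import-Module ActiveDirectory -ErrorAction Stop
    $common = @{ Properties = 'sAMAccountName', 'userAccountControl' }
    if ($SearchBase) { $common['SearchBase'] = $SearchBase }
    # LDAP objectClass matching includes subclasses, which is what the hardening rule covers;
    # computer is itself a subclass of user, hence the exclusion in the second filter.
    $computers = Get-ADObject @common -LDAPFilter '(objectClass=computer)'
    $users     = Get-ADObject @common -LDAPFilter '(&(objectClass=user)(!(objectClass=computer)))'
    $checked = @(
        foreach ($o in $computers) {
            Test-SamAccountCompliance -SamAccountName ([string]$o.sAMAccountName) -UserAccountControl ([int]$o.userAccountControl) -IsComputer -DistinguishedName $o.DistinguishedName
        }
        foreach ($o in $users) {
            Test-SamAccountCompliance -SamAccountName ([string]$o.sAMAccountName) -UserAccountControl ([int]$o.userAccountControl) -DistinguishedName $o.DistinguishedName
        }
    )
    $checked | Where-Object { -not $_.Compliant }
}

# Constructed samples (not directory data). 'DC01' without the trailing $ is the shape the
# 16991 rule blocks; 'WS03$' with UF_NORMAL_ACCOUNT is what the second Q5 query finds.
$samples = @(
    @{ SamAccountName = 'WS01$';  UserAccountControl = 0x1000; IsComputer = $true  }
    @{ SamAccountName = 'DC01';   UserAccountControl = 0x1000; IsComputer = $true  }
    @{ SamAccountName = 'WS02$$'; UserAccountControl = 0x1000; IsComputer = $true  }
    @{ SamAccountName = 'WS03$';  UserAccountControl = 0x0200; IsComputer = $true  }
    @{ SamAccountName = 'alice';  UserAccountControl = 0x0200; IsComputer = $false }
)
$samples | ForEach-Object { Test-SamAccountCompliance @_ } |
    Format-Table SamAccountName, ObjectClass, UserAccountControl, Compliant, Problems -AutoSize
```

With the constructed samples, WS01$ and alice come back compliant; DC01 and WS02$$ fail the trailing-$ rule and WS03$ fails the account type rule. Against a real domain, `Find-NonCompliantSamAccounts` returns the objects that a non-administrator could no longer create or modify after the update; fixing them before the enforcement update lands avoids the 0x523 and ACCESS_DENIED failures described above showing up in provisioning tooling.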