MS15-011: Vulnerability in Group Policy could allow remote code execution: February 10, 2015

Summary

This security update resolves a privately reported vulnerability in Microsoft Windows. A remote code execution vulnerability exists in how Group Policy receives and applies connection data when a domain-joined system connects to a domain controller. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, could view, change, or delete data, or could create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Introduction

Microsoft has released security bulletin MS15-011. To learn more about this security bulletin:

How to obtain help and support for this security update

Help installing updates:
Support for Microsoft Update

Security solutions for IT professionals:
TechNet Security Troubleshooting and Support

Help protect your Windows-based computer from viruses and malware:
Virus Solution and Security Center

Local support according to your country:
International Support

More Information

Note This security update includes some files that are in security update 3031432. Please review Knowledge Base article 3031432 for more information. This includes known issues.


Child package behavior

Customers who install this security update may face a known issue in which error 1108 is generated in the Security event log instead of the usual 4688 audit event. To address this issue, update 3004375 must be installed together with this update (update 3000483).

Note This issue was first encountered in security update 3023266 (MS15-001).

For Windows Server 2008 R2 and Windows Server 2012 customers

On Windows Server 2008 R2 and Windows Server 2012, update 3004375 is installed together with update 3000483.

For Windows Update, Windows Server Update Services (WSUS), and Microsoft Catalog customers

Update 3004375 is installed automatically and transparently together with security update 3000483. Update 3004375 will appear separately in the list of installed updates when it is viewed in the Add or Remove Programs item in Control Panel. Installing both packages together requires only one restart.

For Download Center customers

To address the known issue, if you download and then install this security update from the Microsoft Download Center for Windows Server 2008 R2 or Windows Server 2012, you should select both update 3000483 and update 3004375. You must install both of these updates to address the known issue.

Group Policy settings

This security update requires the following steps to be performed in order to protect against the vulnerability described in the bulletin (MS15-011). To enable this functionality, a system administrator must apply the following Group Policy settings in addition to installing security update 3000483.


The Group Policy service on domain-joined Windows-based computers automatically tries to download updated security policies from Universal Naming Convention (UNC) paths that begin with \\<Domain>\SYSVOL. It will run any scripts that are configured to run in the applicable Group Policy Objects (GPOs). Typically, these are stored in UNC paths that begin with \\<Domain>\NETLOGON.

When applications make I/O requests that contain Uniform Naming Convention (UNC) paths, these requests are passed to the Multiple UNC Provider (MUP). The MUP selects a UNC provider to handle the I/O request and forwards the request to the selected UNC provider. The selected UNC provider handles the request and passes the results back to the application that issued the request.

If a malicious party can spoof, tamper with, or redirect communications between the UNC provider and the target server, the malicious party may be able to cause Group Policy to execute programs or scripts with malicious intent instead of or in addition to scripts that are selected by system administrators.

Microsoft is announcing the availability of UNC Hardened Access, a new feature on the Windows platform. To provide mitigations against this and related attacks, this feature improves the protection and handling of data when Windows-based computers access UNC paths.

When MUP receives an I/O request for a UNC path that is configured to require UNC Hardened Access, MUP will consider only UNC providers that support the security properties that are required according to the UNC Hardened Access configuration.

This Microsoft Knowledge Base article briefs system administrators on this new functionality and on how it can be deployed to help protect Windows systems.

Configuring UNC Hardened Access through Group Policy

The UNC Hardened Access feature enables specific servers or shares to be "tagged" with additional information to inform MUP and UNC providers of security requirements beyond the UNC provider’s defaults. In particular, the following three security properties are supported:
  • RequireMutualAuthentication=<0|1> – When this property is set to 1, the selected UNC provider requires that the UNC provider can authenticate the identity of the remote server (in addition to the server’s verification of the client’s identity) in order to block spoofing attacks.
  • RequireIntegrity=<0|1> – When this property is set to 1, MUP and the selected UNC provider must use integrity checks in order to detect when third parties manipulate requests or responses while in transit between the client and server, in order to block tampering attacks.
  • RequirePrivacy=<0|1> – When this property is set to 1, MUP and the selected UNC provider must use a form of encryption in such a way that when third parties see communication between the client and the server, they cannot see any sensitive information that is contained within the communication.
To enable UNC Hardened Access through Group Policy, follow these steps:
  1. Open Group Policy Management Console.
  2. In the console tree, in the forest and domain that contain the Group Policy object (GPO) that you want to create or edit, double-click Group Policy Objects.

    Forest name/Domains/<Domain name>
  3. (Optional) Right-click Group Policy Objects, and then click New.
  4. Type the desired name for the new GPO.
  5. Right-click the desired GPO, and then click Edit.
  6. In the Group Policy Object Editor console, browse to the following policy path:
    Computer Configuration/Administrative Templates/Network/Network Provider
  7. Right-click the Hardened UNC Paths setting, and then click Edit.
  8. Select the Enabled option button.
  9. In the Options pane, scroll down, and then click Show.
  10. Add one or more configuration entries. To do this, follow these steps:
    1. In the Value Name column, type the UNC path that you want to configure. The UNC path may be specified in one of the following forms:
      • \\<Server>\<Share> - The configuration entry applies to the share that has the specified name on the specified server.
      • \\*\<Share> - The configuration entry applies to the share that has the specified name on any server.
      • \\<Server>\* - The configuration entry applies to any share on the specified server.
      • \\<Server> - The same as \\<Server>\*
      Note A specific server or share name must be specified. All-wildcard paths such as \\* and \\*\* are not supported.
    2. In the Value column, type the name of the security property to configure (for example, type RequireMutualAuthentication, RequireIntegrity, or RequirePrivacy) followed by an equal sign (=) and the number 0 or 1.

      Note Multiple properties may be assigned for a single UNC path by separating each "<Property> = <Value>" pair by using a comma (,).
  11. Click OK two times, and then close the GPO editor.
  12. If you created a new GPO earlier, link the GPO to one or more domains. To do this, right-click the desired domain, click Link an Existing GPO, select the newly added GPO, and then click OK.
  13. To test the new or updated GPO, log on to a computer to which the GPO applies, and then run the following command:
    gpupdate /force

    Any configuration errors will be reported in the following path in Event Viewer:
    Event Viewer\Applications and Services Logs\Microsoft\Windows\NetworkProvider\Operational
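The steps above can also be scripted. The following PowerShell script is an added example (it is not part of this article and not a Microsoft tool) that creates the GPO, writes the two entries from the minimum recommended configuration later in this article, and links the GPO to the domain by using the GroupPolicy module. It assumes that the Hardened UNC Paths setting stores its entries as string values under the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths (the key is not named in this article); the GPO name and the domain name are constructed placeholders.

```powershell
# Scripted equivalent of steps 1-12 above, using the GroupPolicy module
# (available on domain controllers and on computers with RSAT installed).
# ASSUMPTION: the "Hardened UNC Paths" setting stores its entries as REG_SZ values under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths; the key is not
# named in this article. The GPO name and the domain below are constructed for illustration.
Import-Module GroupPolicy

$GpoName      = 'UNC Hardened Access'     # constructed name
$TargetDomain = 'corp.contoso.com'        # constructed domain; replace with your own
$PolicyKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# The entries from the "Minimum recommended configuration" section of this article.
$HardenedPaths = @{
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

# Steps 3-4: create the GPO if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Hardened UNC Paths for NETLOGON and SYSVOL (MS15-011 / KB3000483)'
}

# Steps 6-10: each table row becomes one string value (name = UNC path, data = property list).
foreach ($entry in $HardenedPaths.GetEnumerator()) {
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
        -ValueName $entry.Key -Type String -Value $entry.Value | Out-Null
}

# Step 12: link the GPO to the domain so that it applies to every domain-joined computer.
$domainDn = 'DC=' + (($TargetDomain -split '\.') -join ',DC=')
$alreadyLinked = (Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $domainDn -LinkEnabled Yes | Out-Null
}

# Show what was written so that it can be compared with the Show dialog in the GPO editor.
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey | Select-Object ValueName, Value
```

After the GPO is linked, run gpupdate /force on a computer to which it applies, as in step 13, and check the NetworkProvider operational log for configuration errors.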

Advanced configuration examples

When more than a single configuration entry applies to an I/O request to a UNC path (for example, because of the use of wildcard entries), properties from the most specific UNC path take precedence.

For example, consider a system that has the following UNC Hardened Access configuration as applied through Group Policy:

Value name                        Value
\\fileshare.contoso.com\*         RequireMutualAuthentication=1, RequireIntegrity=1
\\fileshare.contoso.com\public    RequireIntegrity=0
\\fileshare.contoso.com\secret    RequirePrivacy=1

In this scenario, all the properties that are specified for \\fileshare.contoso.com\* also apply to the "secret" share. However, the RequireIntegrity property on the "public" share would override the RequireIntegrity configuration for \\fileshare.contoso.com\*. Therefore, the effective UNC Hardening configuration for shares on fileshare.contoso.com that are named public, private, and secret would be as follows:

UNC path                          Effective UNC Hardening configuration
\\fileshare.contoso.com\public    RequireMutualAuthentication=1, RequireIntegrity=0
\\fileshare.contoso.com\private   RequireMutualAuthentication=1, RequireIntegrity=1
\\fileshare.contoso.com\secret    RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1
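To make the precedence rule concrete, the following PowerShell function is an added example (not part of this article) that computes the effective configuration for a UNC path from a set of entries by taking each property from the most specific matching entry, and then reproduces the table above. Because this article does not rank \\*\<Share> against \\<Server>\*, the example treats a literal server name as more specific than a literal share name; that ordering is the example's own assumption.

```powershell
# Resolves the effective UNC Hardened Access properties for a UNC path from a set of
# configuration entries: when several entries match, each property is taken from the most
# specific matching entry. Added example, not Microsoft code.
# ASSUMPTION: this article does not rank \\*\<Share> against \\<Server>\*; this example
# treats a literal server name as more specific than a literal share name.

function Get-UncSpecificity {
    param([string]$Server, [string]$Share)
    # Two points for a literal server, one for a literal share: exact > \\Server\* > \\*\Share.
    $score = 0
    if ($Server -ne '*') { $score += 2 }
    if ($Share  -ne '*') { $score += 1 }
    return $score
}

function Split-UncEntry {
    param([string]$Path)
    # Accepts \\Server\Share, \\*\Share, \\Server\*, and \\Server (the same as \\Server\*).
    $parts  = $Path.TrimStart('\') -split '\\', 2
    $server = $parts[0]
    $share  = if ($parts.Count -gt 1 -and $parts[1] -ne '') { $parts[1] } else { '*' }
    if ($server -eq '*' -and $share -eq '*') {
        throw "All-wildcard path '$Path' is not supported; a server or share name is required."
    }
    return @{ Server = $server; Share = $share }
}

function Resolve-HardenedUncPath {
    param(
        [hashtable]$Entries,   # value name (UNC path) -> "Prop=1, Prop=0" string
        [string]$Path          # the \\Server\Share being accessed
    )
    $target = Split-UncEntry $Path
    $winner = @{}   # property name -> @{ Value; Specificity } of the entry that set it
    foreach ($entry in $Entries.GetEnumerator()) {
        $pattern     = Split-UncEntry $entry.Key
        $serverMatch = $pattern.Server -eq '*' -or $pattern.Server -ieq $target.Server
        $shareMatch  = $pattern.Share  -eq '*' -or $pattern.Share  -ieq $target.Share
        if (-not ($serverMatch -and $shareMatch)) { continue }
        $spec = Get-UncSpecificity $pattern.Server $pattern.Share
        # "Prop=1, Prop=0" -> individual property assignments; a more specific entry wins.
        foreach ($pair in ($entry.Value -split ',')) {
            $name, $value = ($pair -split '=', 2).Trim()
            if (-not $winner.ContainsKey($name) -or $spec -gt $winner[$name].Specificity) {
                $winner[$name] = @{ Value = [int]$value; Specificity = $spec }
            }
        }
    }
    $result = [ordered]@{}
    foreach ($name in 'RequireMutualAuthentication', 'RequireIntegrity', 'RequirePrivacy') {
        if ($winner.ContainsKey($name)) { $result[$name] = $winner[$name].Value }
    }
    return $result
}

# The configuration from the example table above.
$config = @{
    '\\fileshare.contoso.com\*'      = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\fileshare.contoso.com\public' = 'RequireIntegrity=0'
    '\\fileshare.contoso.com\secret' = 'RequirePrivacy=1'
}
foreach ($share in 'public', 'private', 'secret') {
    $path = "\\fileshare.contoso.com\$share"
    $eff  = Resolve-HardenedUncPath -Entries $config -Path $path
    $text = ($eff.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
    '{0,-34} {1}' -f $path, $text
}
```

Running the script prints the three rows of the "Effective UNC Hardening configuration" table: the public share keeps RequireIntegrity=0 from its own entry, the private share inherits both properties from the wildcard entry, and the secret share adds RequirePrivacy=1 to them.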

Server Message Block (SMB) implementation

Mutual authentication

SMB does not perform mutual authentication itself. Instead, it delegates the task to the negotiated Security Support Provider that is supported by Windows and the remote server. If the Security Support Provider indicates that mutual authentication between the client and the server was not successful, the SMB Client disallows access to paths on the server that are configured to require mutual authentication.

Note Mutual authentication in a default installation of Windows is available only when Active Directory domain credentials are used through Kerberos authentication. NTLM authentication does not support mutual authentication. Starting in Windows 7 and Windows Server 2008 R2, customers may install third-party SSPs that integrate with NegoEx instead of using NTLM or Kerberos authentication.

Integrity

SMB ensures integrity when this is required by turning on SMB Signing for I/O requests to paths that are configured by using RequireIntegrity=1. Setting RequireIntegrity=0 on a path will not disable SMB Signing when the SMB client's or the SMB server's RequireSecuritySignatures configuration setting is enabled.

Note SMB v1 connections do not support enabling SMB signing on a per-request basis. If the SMB client already has an open connection to an SMB v1 server with open files that do not require SMB signing, the client will be unable to access any shares on that server for which RequireIntegrity is set to 1 until all other handles to files on the same server are closed. Therefore, we recommend that any server that does not support SMB v2 or a later version (for example, Windows Server 2003 R2 and earlier versions) have its SMB server configured to always require security signatures if that server is expected to host any shares for which clients will have RequireIntegrity=1 configured. For more information about how to configure SMB signing on the SMB server, see the following Microsoft Knowledge Base article:

Privacy

SMB ensures privacy when this is required by turning on SMB Encryption for I/O requests to paths that are configured by using RequirePrivacy=1. Setting RequirePrivacy=0 on a path will not disable SMB Encryption during share access when the SMB server is configured to require SMB Encryption for that share.

Note SMB Encryption is supported by the SMB client only on Windows 8, Windows Server 2012, and later versions, and then only when communicating with SMB Encryption-capable servers (such as Windows 8, Windows Server 2012 and later versions). If you configure RequirePrivacy=1 on clients that do not support SMB Encryption or for UNC paths hosted by servers that do not support SMB Encryption, you will have a configuration in which the SMB client will be unable to access the specified path.
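The following PowerShell commands, added here as an example and not part of this article, check the SMB-side conditions described in the Integrity and Privacy notes on a Windows 8 or Windows Server 2012 (or later) computer: whether signing is already mandated by RequireSecuritySignature, whether any current connection uses SMB 1.x (where signing cannot be turned on per request), and whether encryption is required server-wide or per share. The cmdlets are from the built-in SmbShare module; the warning logic is the example's own.

```powershell
# Checks the SMB prerequisites for UNC Hardened Access on Windows 8 / Server 2012 or later.
# Added example; the cmdlets are the built-in SmbShare module, the checks are this example's own.
Import-Module SmbShare

# Client side: if RequireSecuritySignature is already $true, RequireIntegrity=0 entries
# will not turn signing off, as the Integrity section explains.
$client = Get-SmbClientConfiguration
[pscustomobject]@{
    Role                     = 'SMB client'
    RequireSecuritySignature = $client.RequireSecuritySignature
    EnableSecuritySignature  = $client.EnableSecuritySignature
}

# An open SMB 1.x connection blocks RequireIntegrity=1 access to other shares on the same
# server until its handles are closed. Dialect is reported as a string such as "1.5" or "3.02".
Get-SmbConnection |
    Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
    ForEach-Object {
        $msg = 'SMB {0} connection to \\{1}\{2} ({3} open handles): signing cannot be enabled ' +
               'per request; configure that server to always require security signatures.'
        Write-Warning ($msg -f $_.Dialect, $_.ServerName, $_.ShareName, $_.NumOpens)
    }

# Server side (run on the file server): the signing requirement and the server-wide and
# per-share encryption requirements, which RequirePrivacy=0 on a client cannot switch off.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        Role                     = 'SMB server'
        RequireSecuritySignature = $server.RequireSecuritySignature
        EncryptData              = $server.EncryptData
    }
    Get-SmbShare | Select-Object Name, EncryptData
}
```

A RequirePrivacy=1 entry for a share on a server that reports no EncryptData support, or on a client older than Windows 8, produces exactly the inaccessible-path condition that the note above describes, so the check is worth running before such an entry is rolled out.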

Minimum recommended configuration for domain-joined computers

We recommend that all NETLOGON and SYSVOL shares be configured to require both mutual authentication and integrity in order to help secure Group Policy against spoofing and tampering attacks that can be leveraged to achieve remote code execution.

Hardened UNC paths
Value name       Value
\\*\NETLOGON     RequireMutualAuthentication=1, RequireIntegrity=1
\\*\SYSVOL       RequireMutualAuthentication=1, RequireIntegrity=1
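The following PowerShell script, added here as an example and not Microsoft's code, checks on a domain-joined computer, after the gpupdate /force in step 13 of the Group Policy procedure, that the policy has been applied and that it covers the minimum configuration in the table above, and then lists recent errors from the NetworkProvider operational log named in that step. It assumes that the policy entries are stored as string values under HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths and that the Event Viewer path in step 13 corresponds to the log name Microsoft-Windows-NetworkProvider/Operational; neither name appears in this article.

```powershell
# Verifies that the Hardened UNC Paths policy arrived on this computer and covers the minimum
# baseline (\\*\NETLOGON and \\*\SYSVOL with mutual authentication and integrity), then lists
# recent errors from the NetworkProvider operational log. Added example, not Microsoft's.
# ASSUMPTIONS: the policy is stored under the HardenedPaths key below (not stated in this
# article) and the Event Viewer path in step 13 corresponds to the log name used here.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$LogName   = 'Microsoft-Windows-NetworkProvider/Operational'

function Get-HardenedUncPathEntries {
    # Returns one object per configured UNC path with its parsed property values.
    if (-not (Test-Path $PolicyKey)) { return }
    $key = Get-Item $PolicyKey
    foreach ($name in $key.GetValueNames()) {
        $props = @{}
        foreach ($pair in ($key.GetValue($name) -split ',')) {
            if ($pair -match '^\s*(\w+)\s*=\s*([01])\s*$') { $props[$Matches[1]] = [int]$Matches[2] }
        }
        [pscustomobject]@{
            Path                        = $name
            RequireMutualAuthentication = $props['RequireMutualAuthentication']
            RequireIntegrity            = $props['RequireIntegrity']
            RequirePrivacy              = $props['RequirePrivacy']
        }
    }
}

function Get-MissingBaselineEntries {
    param([object[]]$Entries)
    # Emits each required path that is absent or does not require both properties.
    foreach ($required in '\\*\NETLOGON', '\\*\SYSVOL') {
        $e = $Entries | Where-Object { $_.Path -ieq $required } | Select-Object -First 1
        if (-not $e -or $e.RequireMutualAuthentication -ne 1 -or $e.RequireIntegrity -ne 1) { $required }
    }
}

$entries = @(Get-HardenedUncPathEntries)
if ($entries.Count -eq 0) {
    Write-Warning "No Hardened UNC Paths policy found under $PolicyKey (has the GPO applied yet?)."
} else {
    $entries | Format-Table -AutoSize
}

$missing = @(Get-MissingBaselineEntries -Entries $entries)
if ($missing.Count -eq 0) {
    'Minimum baseline for NETLOGON and SYSVOL is in place.'
} else {
    Write-Warning ('Minimum baseline not met for: ' + ($missing -join ', '))
}

# Configuration errors reported by the provider in the last hour (Level 2 = Error).
Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = 2; StartTime = (Get-Date).AddHours(-1) } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run the script in an elevated PowerShell session on a computer to which the GPO is linked; an empty entry list after gpupdate /force usually means that the GPO is not linked to the computer's domain or organizational unit, and a warning about a missing baseline entry means that the value name or the property string was mistyped in the policy.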

Domain-joined computers applicability

This security update is offered through Windows Update only to domain-joined computers. DLC and WSUS customers should apply this security update only to domain-joined computers.

Windows Server 2003 SP2

We determined that implementing these changes in Windows Server 2003 SP2 would require such comprehensive architecture changes that it would destabilize the system and result in application compatibility problems. We continue to recommend that customers who are security-conscious upgrade to our latest operating systems to keep pace with security threats and benefit from robust, modern operating system protection.


Security update deployment information

More Information

Known issues with this security update

  • After you install this security update and then configure the hardening policies on a computer that is running Windows Vista or Windows Server 2008, you may receive an error message that resembles the following in the System log:


    Event ID: 1058
    Log Name: System
    Source: Microsoft-Windows-GroupPolicy
    Level: Error
    User: SYSTEM
    Description:
    The processing of Group Policy failed. Windows attempted to read the file \\<corp.domain.com>\SysVol\<corp.domain.com\Policies>\{<PolicyGUID>}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
    a) Name Resolution/Network Connectivity to the current domain controller.
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
    c) The Distributed File System (DFS) client has been disabled.

    You see the following EventData message on the Details tab:


    ErrorCode 5
    ErrorDescription Access is denied.



    Errors that resemble the following appear in the Microsoft-Windows-GroupPolicy/Operational log:


    Event ID: 7017
    Log Name: Microsoft-Windows-GroupPolicy/Operational
    Source: Microsoft-Windows-GroupPolicy
    Level: Error
    User: SYSTEM
    Detail:
    The system calls to access specified file completed.
    \\<corp.domain.com>\SysVol\<corp.domain.com\Policies>\{<PolicyGUID>}\gpt.ini
    The call failed after 140 milliseconds


    Event ID: 7000
    Log Name: Microsoft-Windows-GroupPolicy/Operational
    Source: Microsoft-Windows-GroupPolicy
    Level: Error
    User: SYSTEM
    Detail:
    Computer boot policy processing failed for CORP\< SERVERNAME$> in 2 seconds


    To resolve this issue, install the following update on affected Windows Vista-based and Windows Server 2008-based computers.
    2272153 It takes four minutes for a computer that is running Windows Vista or Windows Server 2008 to open a Microsoft Office 2003 document from a network share

File information

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

Windows Vista and Windows Server 2008 file information
Windows 7 and Windows Server 2008 R2 file information
Windows 8 and Windows Server 2012 file information
Windows 8.1 and Windows Server 2012 R2 file information
File hash information
Properties

Article ID: 3000483 - Last Review: Apr 15, 2015 - Revision: 1
