MS15-096: Vulnerability in Active Directory service could allow denial of service: September 8, 2015

Applies to: Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials


This security update resolves a vulnerability in Active Directory Domain Services (AD DS). The vulnerability could allow denial of service if an authenticated attacker creates multiple computer accounts. To exploit this vulnerability an attacker must have valid credentials.

This security update prevents non-administrators from changing the account type on existing user and computer accounts. After you install this security update, you cannot change flags in the UserAccountControl registry entry in order to change the account type. The most frequently affected operation occurs when applications interactively or programmatically create objects in Active Directory as user accounts and then convert them to computer accounts, or vice-versa, by changing the UserAccountControl value. One mitigation is to create user or computer objects that have the intended UserAccountControl value when the object is created. For example, objects that are intended to be computer accounts should have a UserAccountControl value that contains WORKSTATION_TRUST_ACCOUNT during object creation.
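
For applications that edit UserAccountControl, the following added example (not Microsoft's code) checks recorded before/after values for edits that alter the account type, which non-administrators can no longer make after this update. The flag values are the documented userAccountControl bits; the sample records, the distinguished names, and the treatment of exactly these bits as the account type are assumptions made for illustration.

```python
# Added example: flag userAccountControl edits that alter the account type.
# Flag values are the documented userAccountControl bits; treating exactly
# these bits as "the account type" is an assumption about the server check.
ACCOUNT_TYPE_FLAGS = {
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
}
TYPE_MASK = sum(ACCOUNT_TYPE_FLAGS.values())


def account_type(uac):
    """Return the sorted names of the account-type flags set in uac."""
    return sorted(n for n, bit in ACCOUNT_TYPE_FLAGS.items() if uac & bit)


def changes_account_type(old_uac, new_uac):
    """True when the edit alters any account-type bit."""
    return bool((old_uac ^ new_uac) & TYPE_MASK)


def review(modifications):
    """Return (dn, old_type, new_type) for edits that change the account type."""
    findings = []
    for dn, old_uac, new_uac in modifications:
        if changes_account_type(old_uac, new_uac):
            findings.append((dn, account_type(old_uac), account_type(new_uac)))
    return findings


# Constructed sample: (distinguished name, old value, new value).
SAMPLE = [
    # User object converted to a computer account: the pattern the update blocks.
    ("CN=KIOSK01,OU=Staging,DC=example,DC=test", 0x0200, 0x1000),
    # Same account type, only ACCOUNTDISABLE (0x0002) cleared: not a type change.
    ("CN=APP02,OU=Staging,DC=example,DC=test", 0x1002, 0x1000),
    # User stays a user, DONT_EXPIRE_PASSWORD (0x10000) added.
    ("CN=svc-report,OU=Service,DC=example,DC=test", 0x0200, 0x10200),
]

if __name__ == "__main__":
    for dn, old, new in review(SAMPLE):
        print(f"{dn}: {old} -> {new}")
```

Any finding marks a code path that should instead create the object with its final UserAccountControl value, as described above.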

The security update also prevents a computer account from creating additional computer accounts in a different domain by using the SeMachineAccountPrivilege computer account privilege. If such a scenario is required, administrators may grant explicit permissions to the cross-domain computer account on the container where the computer accounts have to be created.

To learn more about the vulnerability, see Microsoft Security Bulletin MS15-096.

More Information

  • All future security and nonsecurity updates for Windows Server 2012 R2 require update 2919355 to be installed. We recommend that you install update 2919355 on your Windows Server 2012 R2-based computer so that you receive future updates.
  • If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

How to obtain and install the update

Method 1: Windows Update

This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see Stay up-to-date for more secure web browsing.

More Information