IMPORTANT The date for Enforcement mode as previously noted in this article has changed to March 9, 2021.
Summary
If you use Protected Users and Resource-Based Constrained Delegation (RBCD), a security vulnerability may exist on Active Directory domain controllers. To learn more about the security vulnerability, see CVE-2020-16996.
Take Action To protect your environment and prevent outages, you must do the following:
Timing of updates
These Windows updates will be released in two phases:
- The initial deployment phase for Windows updates released on or after December 8, 2020.
- The enforcement phase for Windows updates released on or after March 9, 2021.
December 8, 2020: Initial Deployment Phase
The initial deployment phase starts with the Windows update released on December 8, 2020 and continues with a later Windows update for the Enforcement phase. These and later Windows updates make changes to Kerberos.
This release:
- Addresses CVE-2020-16996 (disabled by default).
- Adds support for the NonForwardableDelegation registry value to enable protection on Active Directory domain controller servers. By default, the value does not exist.
Mitigation consists of the installation of the Windows updates on all devices that host the Active Directory domain controller role and read-only domain controllers (RODCs), and then enabling Enforcement mode.
March 9, 2021: Enforcement Phase
The March 9, 2021 release transitions into the enforcement phase. Enforcement phase enforces the changes to address CVE-2020-16996. Active Directory domain controllers will now be in Enforcement mode unless the enforcement mode registry key is set to 1 (Disabled). If the Enforcement mode registry key is set, the setting will be honored. Going to Enforcement mode requires that all Active Directory domain controllers have the December 8, 2020 update or a later update installed.
Installation guidance
Before installing this update
You must have the following required updates installed before you apply this update. If you use Windows Update, these required updates will be offered automatically as needed.
- You must have the SHA-2 update (KB4474419) that is dated September 23, 2019 or a later SHA-2 update installed and then restart your device before you apply this update. For more information about SHA-2 updates, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.
- For Windows Server 2008 R2 SP1, you must have installed the servicing stack update (SSU) (KB4490628) that is dated March 12, 2019. After update KB4490628 is installed, we recommend that you install the latest SSU update. For more information about the latest SSU update, see ADV990001 | Latest Servicing Stack Updates.
- For Windows Server 2008 SP2, you must have installed the servicing stack update (SSU) (KB4493730) that is dated April 9, 2019. After update KB4493730 is installed, we recommend that you install the latest SSU update. For more information about the latest SSU updates, see ADV990001 | Latest Servicing Stack Updates.
- Customers are required to purchase the Extended Security Update (ESU) for on-premises versions of Windows Server 2008 SP2 or Windows Server 2008 R2 SP1 after extended support ended on January 14, 2020. Customers who have purchased the ESU must follow the procedures in KB4522133 to continue receiving security updates. For more information on ESU and which editions are supported, see KB4497181.
Important You must restart your device after you install these required updates.
Install the update
To resolve the security vulnerability, install the Windows updates and enable Enforcement mode by following these steps.
Warning Intermittent authentication problems may occur if these Windows updates and the registry value are applied inconsistently in one or both of the following scenarios:
Important Both Windows updates and the registry value must be applied consistently on ALL Active Directory domain controllers in your environment.
Step 1: Install the Windows update
Install the December 8, 2020 Windows update or a later Windows update to all devices that host the Active Directory domain controller role in the forest, including read-only domain controllers.
Windows Server product | KB # | Type of update
Windows Server, version 20H2 (Server Core installation) | | Security Update
Windows Server, version 2004 (Server Core installation) | | Security Update
Windows Server, version 1909 (Server Core installation) | | Security Update
Windows Server, version 1903 (Server Core installation) | | Security Update
Windows Server 2019 (Server Core installation) | | Security Update
Windows Server 2019 | | Security Update
Windows Server 2016 (Server Core installation) | | Security Update
Windows Server 2016 | | Security Update
Windows Server 2012 R2 (Server Core installation) | | Monthly Rollup
Windows Server 2012 R2 (Server Core installation) | | Security Only
Windows Server 2012 R2 | | Monthly Rollup
Windows Server 2012 R2 | | Security Only
Windows Server 2012 (Server Core installation) | | Monthly Rollup
Windows Server 2012 (Server Core installation) | | Security Only
Windows Server 2012 | | Monthly Rollup
Windows Server 2012 | | Security Only
Windows Server 2008 R2 Service Pack 1 | | Monthly Rollup
Windows Server 2008 R2 Service Pack 1 | | Security Only
Windows Server 2008 Service Pack 2 | | Monthly Rollup
Windows Server 2008 Service Pack 2 | | Security Only
Step 2: Enable Enforcement mode
After all devices that host the Active Directory domain controller role have been updated, wait at least a full day to allow all outstanding Service for User to Self (S4U2self) Kerberos service tickets to expire. Then, enable full protection by deploying Enforcement mode. To do this, enable the Enforcement mode registry key.
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Note This registry value is not created by installing this update. You must add this registry value manually.
Registry subkey | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc
Value | NonForwardableDelegation
Data type | REG_DWORD
Data | 1: Disables enforcement mode. 0: Enables enforcement mode. This is the protected state.
Default | 1
Is a restart required? | No
Notes about the "NonForwardableDelegation" registry value:
- If the registry value is set, it will take precedence over the Enforcement mode setting included in the March 9, 2021 Windows updates.
- If the registry value is set to 1 (Disable), forwarding will be allowed on Kerberos service tickets that are NOT marked as forwardable.
- If the registry value is set to 0 (Enable), forwarding will NOT be allowed on Kerberos service tickets that are NOT marked as forwardable.
- If your domain includes Windows Server 2008 R2 or earlier Active Directory domain controllers, you do not have to set Enforcement mode because these domain controllers do not support RBCD.
- Failure to consistently update all Active Directory domain controllers when enabling Enforcement mode will result in intermittent service delegation failures.
- Before setting Enforcement mode:
  - All Active Directory domain controllers must be updated with the December 8, 2020 Windows update or a later Windows update, and
  - All outstanding S4USelf Kerberos service tickets must have expired by waiting a day after completing the Windows update deployment to all Active Directory domain controllers.
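The following script is an added example and is not part of this article; it audits the NonForwardableDelegation value on every domain controller in the forest (and, with -Enforce, sets it to 0 where it is not already) so that Enforcement mode is applied consistently. It assumes the ActiveDirectory module (RSAT) is installed and that PowerShell Remoting to each domain controller is permitted for the account running it.

```powershell
# Added example, not part of the Microsoft article: audit (and optionally set) the
# NonForwardableDelegation value on every domain controller in the forest, so that
# Enforcement mode is applied consistently, as the article requires.
# Assumptions: the ActiveDirectory module (RSAT) is installed and the account running
# this can use PowerShell Remoting (WinRM) against every domain controller.
param(
    [switch]$Enforce   # set the value to 0 (Enforcement mode) where it is not already 0
)
$KdcKey    = 'HKLM:\System\CurrentControlSet\Services\Kdc'
$ValueName = 'NonForwardableDelegation'
Import-Module ActiveDirectory

# The article requires consistency on ALL DCs, including RODCs, so walk every domain in the forest.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$report = foreach ($dc in $dcs) {
    $value = Invoke-Command -ComputerName $dc.HostName -ArgumentList $KdcKey, $ValueName, $Enforce.IsPresent -ScriptBlock {
        param($Key, $Name, $DoEnforce)
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        $current = if ($null -eq $item) { $null } else { [int]$item.$Name }
        if ($DoEnforce -and $current -ne 0) {
            # REG_DWORD 0 = Enforcement mode (the protected state); no restart is needed.
            New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 0 -Force | Out-Null
            $current = 0
        }
        $current
    }
    # $null: the value is absent, so the DC follows the default of its installed update
    # (Disabled before the March 9, 2021 update, Enforcement mode from that update on).
    $state = 'Disabled'
    if ($null -eq $value) { $state = 'Not set (update default applies)' } elseif ($value -eq 0) { $state = 'Enforcement mode' }
    [pscustomobject]@{
        DomainController         = $dc.HostName
        OperatingSystem          = $dc.OperatingSystem   # 2008 R2 and earlier DCs do not support RBCD
        IsReadOnly               = $dc.IsReadOnly
        NonForwardableDelegation = $value
        State                    = $state
    }
}
$report | Format-Table -AutoSize

# Mixed settings across DCs cause the intermittent delegation failures the article warns about.
$distinct = @($report | ForEach-Object { "$($_.NonForwardableDelegation)" } | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "NonForwardableDelegation differs across domain controllers: $($distinct -join ', ')"
}
```

Run it without -Enforce first; only use -Enforce after every domain controller has the December 8, 2020 or later update and a full day has passed since the last one was updated.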
Additional considerations
When this protection is enabled, it unifies the logic for Resource-Based Constrained Delegation (RBCD) with the original constrained delegation. This can cause issues in the two following scenarios:
- A single service simultaneously uses original Kerberos Constrained Delegation (KCD) without protocol transition to one target while it is using RBCD with protocol transition to another. After this change, the denial of protocol transition will apply to both styles of delegation.
- RBCD is used in a domain that uses domain controllers that are not updated with CVE-2020-16996 or running older versions of Windows Server (older than Windows Server 2012) that do not have an available update for CVE-2020-16996. The Key Distribution Centers (KDCs) that are not updated will not flag S4USelf Kerberos service tickets as okay for delegation and protocol transition will be denied.
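The following script is an added example and is not part of this article; it lists the service accounts that match the first scenario above, that is, accounts configured for original KCD without protocol transition that some resource also names in its RBCD allow list, so you can review them before enabling Enforcement mode. It assumes the ActiveDirectory module (RSAT) is installed and runs against the current domain.

```powershell
# Added example, not part of the Microsoft article: find front-end service accounts that
# use classic constrained delegation (msDS-AllowedToDelegateTo) WITHOUT protocol transition
# and are also listed as an RBCD principal on some resource. After the change, the denial
# of protocol transition applies to the RBCD path as well, so these are the accounts to review.
# Assumptions: the ActiveDirectory module (RSAT) is installed; queries target the current domain.
Import-Module ActiveDirectory

# userAccountControl bit 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition).
# Its absence together with msDS-AllowedToDelegateTo means "Kerberos only" KCD.
$kcdNoTransition = Get-ADObject -LDAPFilter '(&(msDS-AllowedToDelegateTo=*)(!(userAccountControl:1.2.840.113556.1.4.803:=16777216)))' `
    -Properties sAMAccountName, objectSid, msDS-AllowedToDelegateTo

$bySid = @{}
foreach ($fe in $kcdNoTransition) { $bySid[$fe.objectSid.Value] = $fe }

# Resources with RBCD configured: msDS-AllowedToActOnBehalfOfOtherIdentity is a security
# descriptor whose ACEs name the front-end accounts allowed to delegate to that resource.
$rbcdResources = Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties sAMAccountName, msDS-AllowedToActOnBehalfOfOtherIdentity

$findings = foreach ($res in $rbcdResources) {
    $acl = $res.'msDS-AllowedToActOnBehalfOfOtherIdentity'
    foreach ($ace in $acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable (orphaned) identity; nothing to match
        if ($bySid.ContainsKey($sid)) {
            [pscustomobject]@{
                FrontEndService = $bySid[$sid].sAMAccountName
                KcdTargets      = ($bySid[$sid].'msDS-AllowedToDelegateTo' -join '; ')
                RbcdResource    = $res.sAMAccountName
            }
        }
    }
}

if ($findings) {
    'Services using Kerberos-only KCD that are also RBCD principals (protocol transition will be denied on both paths in Enforcement mode):'
    $findings | Format-Table -AutoSize
} else {
    'No service account matches the mixed KCD/RBCD scenario.'
}
```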