Important: The release dates previously indicated in this article have changed. Please note the new release dates in the "Take Action" and "Timing of these Windows updates" sections.
Summary
A security feature bypass vulnerability exists in the way the Key Distribution Center (KDC) determines whether a Kerberos service ticket can be used for delegation through Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a Kerberos service ticket that is not valid for delegation to force the KDC to accept it. These Windows updates address this vulnerability by changing how the KDC validates Kerberos service tickets used with KCD.
To learn more about this vulnerability, see CVE-2020-17049.
Take Action
To protect your environment and prevent outages, you must follow all of these steps:
Timing of these Windows updates
These Windows updates will be released in three phases:
- The initial deployment phase for Windows updates released on or after December 8, 2020.
- A second deployment phase that removes PerformTicketSignature setting 0 and requires either setting 1 or 2, on or after April 13, 2021.
- The Enforcement phase for Windows updates released on or after July 13, 2021.
December 8, 2020: Initial Deployment Phase
The initial deployment phase starts with the Windows update released on December 8, 2020 and continues with a later Windows update for the Enforcement phase. These and later Windows updates make changes to Kerberos. This December 8, 2020 update includes fixes for all known issues originally introduced by the November 10, 2020 release of CVE-2020-17049. This update also adds support for Windows Server 2008 SP2 and Windows Server 2008 R2.
This release:
- Addresses CVE-2020-17049 (in Deployment mode by default).
- Adds support for the PerformTicketSignature registry value to enable protection on Active Directory domain controller servers. By default, this value does not exist.
Mitigation consists of the installation of the Windows updates on all devices that host the Active Directory domain controller role and read-only domain controllers (RODCs), and then enabling Enforcement mode.
April 13, 2021: Second Deployment Phase
The second deployment phase starts with the Windows update released on April 13, 2021. This phase removes the PerformTicketSignature setting 0. Setting PerformTicketSignature to 0 after this update is installed will have the same effect as setting PerformTicketSignature to 1. The DCs will be in Deployment mode.
Notes
- This phase is not necessary if PerformTicketSignature was never set to 0 in your environment. This phase helps to make sure that customers who set PerformTicketSignature to 0 are moved to setting 1 before the Enforcement phase.
- With the deployment of the April 13, 2021 updates, setting PerformTicketSignature to 1 makes service tickets renewable. This is a change in behavior from the Windows updates released before April 2021, where setting PerformTicketSignature to 1 caused service tickets not to be renewable.
- This update assumes that all domain controllers are updated with the December 8, 2020 updates or later updates.
- After installing this update, and manually or programmatically setting PerformTicketSignature to 1 or higher, unsupported Windows Server domain controllers will no longer work with supported domain controllers. This includes Windows Server 2008 and Windows Server 2008 R2 without Extended Security Updates (ESU), and Windows Server 2003.
July 13, 2021: Enforcement Phase
The July 13, 2021 release transitions into the Enforcement phase. The Enforcement phase enforces the changes that address CVE-2020-17049. Active Directory domain controllers are now capable of Enforcement mode. Going to Enforcement mode requires that all Active Directory domain controllers have the December 8, 2020 update or a later Windows update installed. At this time, the PerformTicketSignature registry key settings will be ignored and Enforcement mode cannot be overridden.
Installation guidance
Before installing this update
You must have the following required updates installed before you apply this update. If you use Windows Update, these required updates will be offered automatically as needed.
- You must have the SHA-2 update (KB4474419) that is dated September 23, 2019 or a later SHA-2 update installed and then restart your device before you apply this update. For more information about SHA-2 updates, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.
- For Windows Server 2008 R2 SP1, you must have installed the servicing stack update (SSU) (KB4490628) that is dated March 12, 2019. After update KB4490628 is installed, we recommend that you install the latest SSU update. For more information about the latest SSU update, see ADV990001 | Latest Servicing Stack Updates.
- For Windows Server 2008 SP2, you must have installed the servicing stack update (SSU) (KB4493730) that is dated April 9, 2019. After update KB4493730 is installed, we recommend that you install the latest SSU update. For more information about the latest SSU updates, see ADV990001 | Latest Servicing Stack Updates.
- Customers are required to purchase the Extended Security Update (ESU) for on-premises versions of Windows Server 2008 SP2 or Windows Server 2008 R2 SP1 after extended support ended on January 14, 2020. Customers who have purchased the ESU must follow the procedures in KB4522133 to continue receiving security updates. For more information on ESU and which editions are supported, see KB4497181.
Important You must restart your device after you install these required updates.
Install all updates
To resolve the security vulnerability, install all Windows updates and enable Enforcement mode by following these steps:
1. Deploy at least one of the updates released between December 8, 2020 and March 9, 2021 to all Active Directory domain controllers in the forest.
2. Deploy the April 12, 2021 update at least one week after step 1.
3. After all Active Directory domain controllers have been updated, wait at least a full week to allow all outstanding Service for User to Self (S4U2self) Kerberos service tickets to expire. Full protection can then be enabled by deploying Enforcement mode on the Active Directory domain controllers.
Notes
- If you have modified the Kerberos service ticket expiration times from the default settings (the default is 7 days), then you must wait at least the number of days configured in your environment.
- These steps assume that PerformTicketSignature has never been set to 0 in your environment. If PerformTicketSignature was set to 0, you must move to setting 1 before moving to setting 2 (Enforcement mode) and wait at least a week to allow all outstanding Service for User to Self (S4U2self) Kerberos service tickets to expire. You should not move directly from setting 0 to setting 2 (Enforcement mode).
Step 1: Install Windows updates
Install the appropriate December 8, 2020 Windows update or a later Windows update to all devices that host the Active Directory domain controller role in the forest, including read-only domain controllers.
| Windows Server product | KB # | Type of update |
|---|---|---|
| Windows Server, version 20H2 (Server Core Installation) | | Security Update |
| Windows Server, version 2004 (Server Core installation) | | Security Update |
| Windows Server, version 1909 (Server Core installation) | | Security Update |
| Windows Server, version 1903 (Server Core installation) | | Security Update |
| Windows Server 2019 (Server Core installation) | | Security Update |
| Windows Server 2019 | | Security Update |
| Windows Server 2016 (Server Core installation) | | Security Update |
| Windows Server 2016 | | Security Update |
| Windows Server 2012 R2 (Server Core installation) | | Monthly Rollup |
| Windows Server 2012 R2 (Server Core installation) | | Security Only |
| Windows Server 2012 R2 | | Monthly Rollup |
| Windows Server 2012 R2 | | Security Only |
| Windows Server 2012 (Server Core installation) | | Monthly Rollup |
| Windows Server 2012 (Server Core installation) | | Security Only |
| Windows Server 2012 | | Monthly Rollup |
| Windows Server 2012 | | Security Only |
| Windows Server 2008 R2 Service Pack 1 | | Monthly Rollup |
| Windows Server 2008 R2 Service Pack 1 | | Security Only |
| Windows Server 2008 Service Pack 2 | | Monthly Rollup |
| Windows Server 2008 Service Pack 2 | | Security Only |
Step 2: Enable Enforcement mode
After all devices that host the Active Directory domain controller role have been updated, wait at least a full week to allow all outstanding S4U2self Kerberos service tickets to expire. Then, enable full protection by deploying Enforcement mode. To do this, enable the Enforcement mode registry key.
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Note This update introduces support for the following registry value to enable Enforcement mode. This registry value is not created by installing this update. You must add this registry value manually.
| Registry subkey | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc |
| Value | PerformTicketSignature |
| Data type | REG_DWORD |
| Data | 0, 1, or 2 (see below) |
| Default | 1 (when registry key is not set) |
| Is a restart required? | No |
Data values:
- 1: Enables Deployment mode. The fix is enabled on the domain controller, but the Active Directory domain controller does not require that Kerberos service tickets conform to the fix. This mode adds support for ticket signatures on domain controllers updated for CVE-2020-17049, but the domain controllers do not require tickets to be signed. This allows domain controllers at the Initial Deployment phase (updated with the December 8, 2020 initial Deployment update) and later-updated domain controllers to coexist. With all domain controllers updated and at setting 1, all new tickets will be signed. In this mode, new tickets will be marked as renewable.
- 2: Enables Enforcement mode. This enables the fix in required mode, where all domains must be updated and all Active Directory domain controllers require Kerberos service tickets with signatures. With this setting, all tickets must be signed in order to be considered valid. In this mode, tickets will again be marked as renewable.
- 0: Not recommended. Disables Kerberos service ticket signatures, and your domains are not protected. Important: Setting 0 is not compatible with Enforcement setting 2. Intermittent authentication failures might occur if Enforcement mode is applied at a later stage while domains are still set to 0. We recommend that customers move to setting 1 at least a week before applying Enforcement.
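As an added example (not part of the Microsoft article), the following PowerShell script audits the PerformTicketSignature value on every domain controller in the forest and, when asked, moves them to setting 1 (Deployment) or 2 (Enforcement) while refusing the direct 0-to-2 jump the article warns against. It assumes the ActiveDirectory module, WinRM remoting to each DC, and domain admin rights; the parameter name TargetSetting is an assumption.

```powershell
# Added example, not from the Microsoft article: audit PerformTicketSignature on every
# domain controller in the forest and optionally move them all to setting 1 (Deployment)
# or 2 (Enforcement), refusing the 0 -> 2 jump the article warns against.
# Assumes the ActiveDirectory module and WinRM remoting to each DC; run as a domain admin.
param(
    [ValidateSet(1, 2)]
    [int]$TargetSetting   # omit the parameter to audit only
)
Import-Module ActiveDirectory
$regPath   = 'HKLM:\System\CurrentControlSet\Services\Kdc'
$valueName = 'PerformTicketSignature'

# Every DC in every domain of the forest, RODCs included (the article requires all of them).
$dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

$state = foreach ($dc in $dcs) {
    $current = Invoke-Command -ComputerName $dc.HostName -ArgumentList $regPath, $valueName -ScriptBlock {
        param($path, $name)
        (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    }
    # A missing value behaves as 1 (Deployment mode), per the article's Default row.
    $effective = if ($null -eq $current) { 1 } else { [int]$current }
    [pscustomobject]@{ DC = $dc.HostName; Setting = $effective; Explicit = ($null -ne $current) }
}
$state | Format-Table -AutoSize

if (-not $PSBoundParameters.ContainsKey('TargetSetting')) { return }

# Article rule: DCs at 0 must first go to 1 and stay there until outstanding S4U2self
# tickets expire (a full week at default ticket lifetimes) before Enforcement is enabled.
if ($TargetSetting -eq 2 -and @($state | Where-Object { $_.Setting -eq 0 }).Count -gt 0) {
    Write-Error 'Some DCs are at setting 0; move them to 1 and wait at least a week before setting 2.'
    return
}

foreach ($entry in $state) {
    if ($entry.Explicit -and $entry.Setting -eq $TargetSetting) { continue }   # already done
    Invoke-Command -ComputerName $entry.DC -ArgumentList $regPath, $valueName, $TargetSetting -ScriptBlock {
        param($path, $name, $data)
        # REG_DWORD value; the article states no restart is required.
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $data -Force | Out-Null
    }
    Write-Host "$($entry.DC): $valueName set to $TargetSetting"
}
```

Run it once without parameters to see the current per-DC state, then with -TargetSetting 1 and, after the waiting period, -TargetSetting 2.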