Summary

CVE-2021-42278 addresses a security bypass vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing.

This article provides additional details and a frequently asked questions section for the Active Directory Security Accounts Manager (SAM) hardening changes made by Windows updates released on November 9, 2021 and later as documented in CVE-2021-42278.

Active Directory validation checks

After installing the update for CVE-2021-42278, Active Directory performs the validation checks listed below on the sAMAccountName and UserAccountControl attributes of computer accounts that are created or modified by users who do not have administrator rights for machine accounts.

  1. sAMAccountType validation for user and computer accounts

    • ObjectClass=Computer (or subclass of computer) accounts must have UserAccountControl flags of UF_WORKSTATION_TRUST_ACCOUNT or UF_SERVER_TRUST_ACCOUNT

    • ObjectClass=User must have UAC flags of UF_NORMAL_ACCOUNT or UF_INTERDOMAIN_TRUST_ACCOUNT

    When these conditions are not met, Active Directory returns a failure code of ACCESS_DENIED. Failed validations are logged in the Directory-Services-SAM event ID 16990 in the System event log.

  2. sAMAccountName validation for computer accounts

    The sAMAccountName of a computer account whose UserAccountControl attribute contains the UF_WORKSTATION_TRUST_ACCOUNT flag must end with a single dollar sign ($). When this condition is not met, Active Directory returns the failure code 0x523 ERROR_INVALID_ACCOUNTNAME. Failed validations are logged in the Directory-Services-SAM event ID 16991 in the System event log.

Auditing events

Object class and UserAccountControl validation failure

When Object class and UserAccountControl validation fails, the following event will be logged in the System log:

Event Log: System
Event Type: Error
Event Source: Directory-Services-SAM
Event ID: 16990
Event Text:

The security account manager blocked a non-administrator from creating an Active Directory account in this domain with mismatched objectClass and userAccountControl account type flags.

Details:

Account name: %1%n
Account objectClass: %2%n
userAccountControl: %3%n
Caller address: %4%n
Caller SID: %5%n%n

SAM Account Name validation failure

When SAM Account Name validation fails, the following event will be logged in the System log:

Event Log: System
Event Type: Error
Event Source: Directory-Services-SAM
Event ID: 16991
Event Text:

The security account manager blocked a non-administrator from creating or renaming a computer account using an invalid sAMAccountName. sAMAccountName on computer accounts must end with a single trailing $ sign.

Attempted sAMAccountName: %1
Recommended sAMAccountName: %1$

Successful computer account creation auditing events

The following existing auditing events are available for successful computer account creation:

  • 4741(S): A computer account was created

  • 4742(S): A computer account was changed

  • 4743(S): A computer account was deleted

For more information, see Audit Computer Account Management.

Frequently asked questions

Q1. How does this update affect existing objects in Active Directory?

A1. For existing objects, the validation occurs when users who do not have administrator rights modify the sAMAccountName or UserAccountControl attributes.

Q2. What is a sAMAccountName?

A2. sAMAccountName is a unique attribute on all security principals in Active Directory and includes users, groups, and computers. The name constraints for sAMAccountName are documented in 3.1.1.6 Attribute Constraints for Originating Updates.

Q3. What is a sAMAccountType?

A3. For more information, please read the following documents:

There are three possible sAMAccountType values, which correspond to four possible UserAccountControl flags as follows:

userAccountControl              sAMAccountType
UF_NORMAL_ACCOUNT               SAM_USER_OBJECT
UF_INTERDOMAIN_TRUST_ACCOUNT    SAM_TRUST_ACCOUNT
UF_WORKSTATION_TRUST_ACCOUNT    SAM_MACHINE_ACCOUNT
UF_SERVER_TRUST_ACCOUNT         SAM_MACHINE_ACCOUNT

Q4. What are the possible values for UserAccountControl?

A4. For more information, please read the following documents:

Q5. How can I find non-compliant objects that already exist in my environment?

A5. Administrators can search their directory for existing non-compliant accounts using a PowerShell script like the examples below.

To find computer accounts that have a non-compliant sAMAccountName (one that does not end with $):

Get-ADComputer -LDAPFilter "(samAccountName=*)" | Where-Object SamAccountName -NotLike '*$' | Select-Object DNSHostName, Name, SamAccountName

To find computer accounts that have a non-compliant UserAccountControl account type (the UF_NORMAL_ACCOUNT bit, 512, set on a computer object; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule):

Get-ADComputer -LDAPFilter "(UserAccountControl:1.2.840.113556.1.4.803:=512)" | Select-Object DNSHostName, Name, SamAccountName
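The two validation checks described under "Active Directory validation checks" and the Q5 searches, modelled in Python as an added example (not Microsoft's code and not the domain controller's implementation): validate() applies the objectClass/UserAccountControl rule and the single-trailing-$ rule to one object and returns the failure code and event ID the article lists, and audit() runs it over a constructed set of objects standing in for Get-ADComputer/Get-ADUser output. The UF_* values are the documented flag values; ERROR_ACCESS_DENIED = 0x5 is the standard Win32 value, and treating computer subclasses as "computer" is an assumption noted in the comments.

```python
# Added example, not Microsoft's code: a model of the CVE-2021-42278 SAM validation checks.
UF_NORMAL_ACCOUNT = 0x0200            # documented userAccountControl flag values
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
ACCOUNT_TYPE_MASK = UF_NORMAL_ACCOUNT | UF_INTERDOMAIN_TRUST_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT
ERROR_ACCESS_DENIED = 0x5             # standard Win32 value of ACCESS_DENIED (check 1)
ERROR_INVALID_ACCOUNTNAME = 0x523     # failure code named in check 2

def validate(object_class, uac, sam_account_name):
    """Return None when the object passes both checks, else (failure code, event ID, reason)."""
    type_flags = uac & ACCOUNT_TYPE_MASK
    # Check 1: the account-type flags must match the objectClass.
    # Assumption: callers pass subclasses of computer as "computer".
    if object_class.lower() == "computer":
        allowed = UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT
    else:
        allowed = UF_NORMAL_ACCOUNT | UF_INTERDOMAIN_TRUST_ACCOUNT
    if type_flags == 0 or type_flags & ~allowed:
        return (ERROR_ACCESS_DENIED, 16990, "objectClass/userAccountControl mismatch")
    # Check 2: a workstation trust account needs exactly one trailing $.
    if uac & UF_WORKSTATION_TRUST_ACCOUNT:
        if not sam_account_name.endswith("$") or sam_account_name.endswith("$$"):
            return (ERROR_INVALID_ACCOUNTNAME, 16991, "sAMAccountName must end with a single $")
    return None

# Constructed sample objects standing in for Get-ADComputer / Get-ADUser output.
SAMPLE_OBJECTS = [
    {"objectClass": "computer", "userAccountControl": 0x1020, "sAMAccountName": "WS01$"},   # compliant workstation
    {"objectClass": "computer", "userAccountControl": 0x2000, "sAMAccountName": "SRV01$"},  # compliant server trust account
    {"objectClass": "computer", "userAccountControl": 0x1000, "sAMAccountName": "WS02"},    # no trailing $
    {"objectClass": "computer", "userAccountControl": 0x1000, "sAMAccountName": "WS03$$"},  # two trailing $
    {"objectClass": "computer", "userAccountControl": 0x0200, "sAMAccountName": "WS04$"},   # user-type flag on a computer
    {"objectClass": "user", "userAccountControl": 0x1000, "sAMAccountName": "alice"},       # computer-type flag on a user
    {"objectClass": "user", "userAccountControl": 0x0200, "sAMAccountName": "bob"},         # compliant user
]

def audit(objects):
    """Like the Q5 searches: (sAMAccountName, event ID, failure code) for every non-compliant object."""
    findings = []
    for obj in objects:
        result = validate(obj["objectClass"], obj["userAccountControl"], obj["sAMAccountName"])
        if result is not None:
            findings.append((obj["sAMAccountName"], result[1], result[0]))
    return findings

if __name__ == "__main__":
    for name, event_id, code in audit(SAMPLE_OBJECTS):
        print(f"{name}: would be blocked, event {event_id}, error 0x{code:X}")
```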
