Summary

The July 13, 2021 Windows updates and later Windows updates add protections for CVE-2021-33757.

After installing the July 13, 2021 Windows updates or later Windows updates, Advanced Encryption Standard (AES) encryption will be the preferred method on Windows clients when using the legacy MS-SAMR protocol for password operations if AES encryption is supported by the SAM server. If AES encryption is not supported by the SAM server, fallback to the legacy RC4 encryption will be allowed.

Changes in CVE-20201-33757 are specific to the MS-SAMR protocol and are independent of other authentication protocols. MS-SAMR uses SMB over RPC and named pipes. Although SMB also supports encryption, it is not enabled by default. By default, the changes in CVE-20201-33757 are enabled and provide additional security at the SAM layer. No additional configuration changes are required beyond installing protections for CVE-20201-33757 included in the July 13, 2021 Windows updates or later Windows updates on all supported versions of Windows. Unsupported versions of Windows should be discontinued or upgraded to a supported version.

Note CVE-2021-33757 only modifies how passwords are encrypted in-transit when using specific APIs of the MS-SAMR protocol and specifically DO NOT modify how passwords are stored at rest. For more information about how passwords are encrypted at rest in Active Directory and locally in the SAM Database (registry), see Passwords Overview.

More information 

The existing SamrConnect5 method is typically used to establish a connection between the SAM client and server.

An updated server will now return a new bit in the SamrConnect5() response as defined in SAMPR_REVISION_INFO_V1

Value

Meaning

0x00000010

On receipt by the client, this value, when set, indicates that the client should use AES Encryption with the SAMPR_ENCRYPTED_PASSWORD_AES structure to encrypt password buffers when sent over the wire. See AES Cipher Usage (section 3.2.2.4) and SAMPR_ENCRYPTED_PASSWORD_AES (section 2.2.6.32).

If the updated server supports AES, the client will use new methods and new information classes for password operations. If the server does not return this flag or if the client is not updated, the client will fall back to using previous methods with RC4 encryption.

Password Set operations require a writeable domain controller (RWDC). Password changes are forwarded by the Read Only Domain Controller (RODC) to a RWDC. All devices must be updated for AES to be used. For example:

  • If the client, RODC or RWDC is not updated, RC4 encryption will be used.

  • If the client, RODC and RWDC are updated, AES encryption will be used.

The July 13, 2021 updates add four new events to the system log to help identify devices that are not updated and helps improve security.

  • Configuration state Event ID 16982 or 16983 is logged on startup or upon a registry configuration change.Event ID 16982

    Event log

    System

    Event source

    Directory-Services-SAM

    Event ID

    16982

    Level

    Information

    Event message text

    The security account manager is now logging verbose events for remote clients that call legacy password change or set RPC methods. This setting may cause a large number of messages and should only be used for a short period time to diagnose problems.

    Event ID 16983

    Event log

    System

    Event source

    Directory-Services-SAM

    Event ID

    16983

    Level

    Information

    Event message text

    The security account manager is now logging periodic summary events for remote clients that call legacy password change or set RPC methods.

  • After applying the July 13, 2021 update, a Summary Event 16984 is logged to the System event log every 60 minutes.Event ID 16984

    Event log

    System

    Event source

    Directory-Services-SAM

    Event ID

    16984

    Level

    Information

    Event message text

    The security account manager detected %x legacy password change or set RPC method calls in the past 60 minutes.

  • After configuring verbose event logging, Event ID 16985 is logged to the System event log every time a legacy RPC method is used to change or set an account password.Event ID 16985

    Event log

    System

    Event source

    Directory-Services-SAM

    Event ID

    16985

    Level

    Information

    Event message text

    The security account manager detected the use of a legacy change or set RPC method from a network client. Consider upgrading the client operating system or application to use the latest and more secure version of this method.

    Details:

    RPC Method: %1

    Client Network Address: %2

    Client SID: %3

    Username: %4 

    To log verbose Event ID 16985, toggle the following registry value on the server or domain controller.

    Path

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM

    Type

    REG_DWORD

    Value name

    AuditLegacyPasswordRpcMethods

    Value data

     1 = verbose logging is enabled

     0 or not present = verbose logging is disabled. Summary events only. (Default)

As described in SamrUnicodeChangePasswordUser4 (Opnum 73), when you use the new SamrUnicodeChangePasswordUser4 method, the client and server will use the PBKDF2 Algorithm to derive an encryption and decryption key from the plaintext old password. This is because the old password is the only common secret that is known to both the server and the client.  

For more information about PBKDF2, see BCryptDeriveKeyPBKDF2 function (bcrypt.h).

If you must make a change for performance and security reasons, you can adjust the number of PBKDF2 iterations used by the client for password change by setting the following registry value on the client.

Decreasing the number of PBKDF2 iterations will decrease security.  We do not recommend that the number is decreased from the default. However, we do recommend that you use the highest possible number of PBKDF2 iterations.

Path 

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM  

Type 

REG_DWORD 

Value name 

PBKDF2Iterations 

Value data 

Minimum of 5,000 to a maximum of 1,000,000

Value default 

10,000  

PBKDF2 is not used for password set operations. For password set operations the SMB session key is the shared secret between client and server and used as the basis for deriving encryption keys. 

For more information, see Acquiring an SMB Session Key.

Frequently Asked Questions (FAQ)

Downgrade happens when the server or the client does not support AES.   

Updated servers will log events when legacy methods with RC4 are used. 

There is currently no enforcement mode available but there may be in the future. We do not have a date. 

If a third-party device is not using the SAMR protocol, then this is not important. Third-party vendors who implement the MS-SAMR protocol may choose to implement this. Contact the third-party vendor for any questions. 

No additional changes are required.  

This protocol is legacy, and we anticipate its use is very low. Legacy applications may use these APIs. Also, some Active Directory tools such as AD Users and Computers MMC uses SAMR.

No. Only password changes that use these specific SAMR APIs are affected.

Yes. PBKDF2 is more expensive than RC4. If there are many password changes occurring at the same time on the domain controller calling the SamrUnicodeChangePasswordUser4 API, the CPU load of LSASS might be affected. You can tune the PBKDF2 iterations on clients if it is necessary, however we do not recommend decreasing from the default as this would lower security.  

References

Authenticated Encryption with AES-CBC and HMAC-SHA

AES Cipher Usage

Third-party information disclaimer

We provide third-party contact information to help you find technical support. This contact information may change without notice. We do not guarantee the accuracy of this third-party contact information.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.