CISA Advises Federal Agencies to Patch Windows LSA Flaw Affecting Domain Controllers


Back in May, the Cybersecurity & Infrastructure Security Agency (CISA) temporarily removed a Windows flaw from its Known Exploited Vulnerability (KEV) Catalog due to Active Directory (AD) certificate authentication issues. CISA has now re-added the security vulnerability to KEV, and it’s encouraging IT admins to patch it by deploying the June Patch Tuesday updates by 22 July.

As a reminder, Microsoft released the May 2022 updates to patch a Windows Local Security Authority (LSA) spoofing flaw (CVE-2022-26925). The high-severity vulnerability allows attackers to force the domain controller (DC) to authenticate them via Windows NT LAN Manager (NTLM). NTLM is a legacy security protocol used for authentication between clients and server machines.

As it turns out, these security patches also caused authentication problems on Windows Server domain controllers. “These changes break certificate authentication for many federal agencies, due to the way Personal Identity Verification (PIV)/Common Access Card (CAC) certificates are created and used. Active Directory now looks for the account’s security identifier (SID) in the certificate or for a strong mapping between the certificate and account,” CISA explained.

Now, CISA has provided a new step-by-step guide with mitigation steps to help organizations prevent authentication issues on domain controllers. The guidance recommends that IT admins configure two registry keys that let them control whether the domain controller is in “Compatibility Mode” or “Full Enforcement Mode.”
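As an added illustration, not part of the CISA guidance or this article, the following PowerShell audit reads the two registry values on a domain controller and reports which mode it is in. The value names, their meanings and the KDC event IDs are assumed from Microsoft’s KB5014754 for the May 2022 update (the article does not list them), so confirm them against the current Microsoft document before relying on the output; run it as an administrator on a DC.

```powershell
# Added example: report Compatibility vs Full Enforcement mode on this DC.
# Key names and value meanings assumed from Microsoft KB5014754.
$kdcPath      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$schannelPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # absent => the update's default applies
    return [int]$item.$Name
}

# StrongCertificateBindingEnforcement (KDC): 0 = disabled, 1 = Compatibility Mode
# (default after the May 2022 update), 2 = Full Enforcement Mode.
$enforcement = Get-RegDword -Path $kdcPath -Name 'StrongCertificateBindingEnforcement'
$mode = switch ($enforcement) {
    0       { 'Disabled (weak mappings accepted; not recommended)' }
    2       { 'Full Enforcement Mode' }
    default { 'Compatibility Mode (value absent or 1)' }
}

# CertificateMappingMethods (Schannel): bit flags for the mapping methods tried.
# 0x18 is the post-update default; the low bits (0x7) re-enable the legacy
# subject/issuer, issuer-only and UPN methods that the update turned off.
$mapping = Get-RegDword -Path $schannelPath -Name 'CertificateMappingMethods'
$mappingText = if ($null -eq $mapping) {
    'absent (post-update default 0x18)'
} elseif ($mapping -band 0x7) {
    ('0x{0:X} (legacy methods re-enabled)' -f $mapping)
} else {
    ('0x{0:X}' -f $mapping)
}

[pscustomobject]@{
    Computer                            = $env:COMPUTERNAME
    StrongCertificateBindingEnforcement = $enforcement
    Mode                                = $mode
    CertificateMappingMethods           = $mappingText
}

# In Compatibility Mode the KDC logs events for certificates that have no strong
# mapping (39), predate the account (40) or carry a mismatched SID (41). Listing
# them shows what must be fixed before Full Enforcement Mode is switched on.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 39, 40, 41
} -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```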

Microsoft to move Windows Server devices to Full Enforcement mode in 2023

Microsoft explained in its support document that the May 2022 update switches Windows Server devices to Compatibility Mode to mitigate NTLM relay attacks. The company plans to remove Compatibility Mode and automatically update all devices to Full Enforcement Mode in May 2023. However, CISA warned that this change could potentially break the authentication mechanism if IT admins have not “created a strong mapping or added SIDs to certificates.”

Currently, CISA doesn’t recommend that federal agencies migrate to strong certificate-user mapping, in order to avoid potential conflicts in certain use cases. The security agency is collaborating with Microsoft to address this issue, and we hope that a fix will be available in the coming months.