Latest Windows Server Updates Cause LSASS Memory Leaks and Reboots on Domain Controllers


Key Takeaways:

  • Microsoft has acknowledged a new LSASS memory leak bug affecting Windows Server machines that could cause Domain Controllers (DCs) to crash.
  • The problem affects Windows Server versions 2012 R2, 2016, 2019, and 2022.
  • Microsoft engineers are working on a fix that will arrive as an update in an upcoming release.

Microsoft has confirmed a new LSASS memory leak issue that is currently affecting Windows Server machines. The company stated on the Windows Health Dashboard that the latest Patch Tuesday update may cause Domain Controllers (DCs) to stop working or automatically restart.

Specifically, Microsoft has warned that customers installing the latest Windows Server updates could experience a memory leak in the Local Security Authority Subsystem Service (LSASS). The bug could cause LSASS to crash or trigger unexpected reboots of the Domain Controllers. The LSASS memory leak issue affects Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022.

“Following installation of the March 2024 security update, released March 12, 2024 (KB5035857), Local Security Authority Subsystem Service (LSASS) may experience a memory leak on domain controllers (DCs). This is observed when on-premises and cloud-based Active Directory Domain Controllers service Kerberos authentication requests,” Microsoft explained.

What is Local Security Authority Subsystem Service (LSASS)?

The Local Security Authority Subsystem Service (LSASS) is a Windows process that is responsible for enforcing the security policy on the operating system. It manages authentication, authorization, credential management, security policy enforcement, security token generation, and other security-related functions. LSASS helps to prevent unauthorized access and ensures the confidentiality of sensitive data stored on Windows Server machines.

Microsoft says that its engineers are currently working on a fix that is expected to arrive in an upcoming update. In the meantime, the company advises administrators to uninstall the patches from affected Domain Controllers. It’s also recommended to monitor the memory usage of the Windows Server machines and reboot them periodically when needed.

FAQs

What are the early warning signs of an LSASS Memory Leak before system failure?

Early indicators of an LSASS Memory Leak include sluggish system performance, increased response times for login requests, growing memory usage in Task Manager, and authentication delays. System administrators should monitor these signs to prevent unexpected crashes.

How can organizations prevent LSASS Memory Leak vulnerabilities in their infrastructure?

To prevent LSASS Memory Leak issues, organizations should implement regular memory monitoring, establish automated alerts for unusual memory consumption, maintain updated system backups, and develop an incident response plan specifically for memory-related issues.
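
One way to implement the memory monitoring and automated alerting described above, as an added example that is not from Microsoft or the original article: a PowerShell loop, run elevated on a DC, that samples lsass.exe private memory and warns when the trend over the last hour exceeds a threshold. The interval, window size and 50 MB/h threshold are assumptions to tune per environment.

```powershell
# Added example: watch LSASS private memory on a DC and warn on sustained growth.
# Interval, window and threshold are assumed values; tune them per environment.
param(
    [int]$IntervalSeconds    = 300,  # one sample every 5 minutes
    [int]$WindowSamples      = 12,   # evaluate over the last hour
    [double]$MaxGrowthMBHour = 50    # alert when the trend exceeds this
)

function Get-GrowthSlope {
    # Least-squares slope of memory (MB) over time (hours): MB per hour.
    param([double[]]$Hours, [double[]]$MB)
    $n = $Hours.Count
    if ($n -lt 2) { return 0.0 }
    $meanH = ($Hours | Measure-Object -Average).Average
    $meanM = ($MB    | Measure-Object -Average).Average
    $sxy = 0.0; $sxx = 0.0
    for ($i = 0; $i -lt $n; $i++) {
        $sxy += ($Hours[$i] - $meanH) * ($MB[$i] - $meanM)
        $sxx += [math]::Pow($Hours[$i] - $meanH, 2)
    }
    if ($sxx -eq 0) { return 0.0 }
    return $sxy / $sxx
}

$window = New-Object 'System.Collections.Generic.List[object]'
$start  = Get-Date
while ($true) {
    $lsass = Get-Process -Name lsass -ErrorAction Stop
    $window.Add([pscustomobject]@{
        Hours = ((Get-Date) - $start).TotalHours
        MB    = $lsass.PrivateMemorySize64 / 1MB
    })
    # Keep only the most recent $WindowSamples samples.
    if ($window.Count -gt $WindowSamples) { $window.RemoveAt(0) }

    if ($window.Count -eq $WindowSamples) {
        $slope = Get-GrowthSlope -Hours $window.Hours -MB $window.MB
        $nowMB = $window[$window.Count - 1].MB
        if ($slope -gt $MaxGrowthMBHour) {
            # A steady upward trend, not a single spike, is what a leak looks like.
            $msg = "lsass.exe at {0:N1} MB, trend {1:N1} MB/h on {2}" -f $nowMB, $slope, $env:COMPUTERNAME
            Write-Warning $msg
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Fitting a slope over a window rather than comparing against a fixed ceiling avoids alerting on the normal load-dependent size of LSASS while still catching the steady climb that precedes a crash or reboot.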

What tools can detect and diagnose an LSASS Memory Leak in Windows Server environments?

Several diagnostic tools can identify LSASS Memory Leak problems, including Windows Performance Monitor, Process Explorer, Windows Memory Diagnostic Tool, and various third-party memory analysis utilities designed for server environments.

How does an LSASS Memory Leak impact Active Directory performance and security?

An LSASS Memory Leak can severely degrade Active Directory services, potentially compromising authentication processes, slowing down Group Policy application, and affecting overall domain security posture while increasing resource consumption.

What are the best practices for recovering from an LSASS Memory Leak incident?

Recovery best practices include implementing proper backup systems, maintaining detailed incident logs, establishing clear recovery procedures, and conducting post-incident analysis to prevent future LSASS Memory Leak occurrences.