Windows computers and servers update on a monthly basis. Most of these updates are self-installing and need no other interaction. Sometimes, though, you need to add registry keys to enable or disable additional security settings. I discussed the additional registry keys needed for Spectre and Meltdown protection earlier, but other updates often need additional settings.

One way to learn about these needed registry settings is to read the security bulletin. Your vulnerability scanner might indicate missing protections after it scans your network, too. At times the new registry keys are not part of a security bulletin but part of a security advisory. An advisory is sent when there is no patch released. Advisories often give information about additional protections you need or an upcoming change in updates that will impact your systems.

Blocking unsafe ticket-granting tickets in Windows

In the February updates, for example, advisory ADV190006 pointed out an upcoming change that will impact Active Directory implementations. The advisory notes a change outlined in Knowledge Base article KB4490425 in how Microsoft handles ticket-granting tickets (TGTs). Currently the default configuration when you trust identities from another Active Directory forest lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest. This unsafe condition impacts Server 2019, Server 2016, Server 2012 R2 and Server 2012. In July 2019, Microsoft will release an update to harden Server 2008 R2 and Server 2008. In the meantime, the advisory gives guidance on how to block unsafe TGT delegation across an incoming trust by setting the netdom flag EnableTGTDelegation to "No" using the following command, where the two angle-bracket placeholders stand for the trusting and trusted domain names:

netdom.exe trust <TrustingDomainName> /domain:<TrustedDomainName> /EnableTGTDelegation:No

Clear plain-text passwords from WDigest memory

Often there are much older Knowledge Base articles that still can impact your network, such as a 2014 security advisory that relates to KB2871997. You might have installed the patch on your workstations and servers but didn't set the registry key that deletes the clear-text password in WDigest memory. Often the password tool Mimikatz can find this leftover password on Server 2008 R2 servers. Add the following registry key to clear out the password:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest

When the UseLogonCredential value is set to 0, WDigest will not store credentials in memory. This value is not set up by default on a Server 2008 R2 system. In the registry editor, scroll down under HKEY_LOCAL_MACHINE to the key noted, right-click, choose "New" and then "DWORD (32-bit) Value", and add UseLogonCredential. Have all users log out of the server, and then reboot for the password to be cleared from the system.

Other security bulletins that require new Windows registry keys

These security bulletins also need registry keys to be effective.

MS15-011 impacts Group Policy and requires this registry key to be set: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths. Add the value Netlogon with data of RequireMutualAuthentication=1 RequireIntegrity=1

MS15-124 is an Internet Explorer patch that requires these registry keys: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING. Add a value of 1 and then set: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING. Alternatively, you can use the easy fix in the KB article that will set the registry key for you.

KB3140245 covers an update for TLS 1.1 and TLS 1.2. You need to make a change to the DefaultSecureProtocols value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp and under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp. Alternatively, you can use the easy fix in the KB article that will set the needed registry key for you.

If your vulnerability scanner is telling you that you aren't patched and yet you know you've installed the update, look for missing registry keys that might be buried in the details of the KB article. Get the idea that you need to check for additional steps needed to protect your Windows network besides patching?
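A read-only way to check one machine for the registry settings this article lists, written as an added example that is not part of the original article or of any Microsoft KB. The function name Test-RegistryHardening is hypothetical, the Internet Explorer key is spelled with the space Windows uses, and data is only compared where the article states what it should be.

```powershell
# Added example: read-only audit of the registry settings named in this article.
# Expected data is checked only where the article states it; otherwise the
# script reports whether the key holds the value at all.
$fc = 'Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING'
$checks = @(
    @{ Ref = 'KB2871997'; Name = 'UseLogonCredential'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Expect = { param($v) $v -eq 0 } }
    @{ Ref = 'MS15-011'; Name = 'Netlogon'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
       Expect = { param($v) $v -match 'RequireMutualAuthentication=1' -and
                            $v -match 'RequireIntegrity=1' } }
    # The article gives no value name for MS15-124, only "a value of 1": accept any.
    @{ Ref = 'MS15-124'; Name = '*'; Path = "HKLM:\SOFTWARE\Microsoft\$fc"
       Expect = { param($v) $v -eq 1 } }
    @{ Ref = 'MS15-124 (32-bit)'; Name = '*'; Path = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\$fc"
       Expect = { param($v) $v -eq 1 } }
    # The article gives no data for DefaultSecureProtocols: presence only.
    @{ Ref = 'KB3140245'; Name = 'DefaultSecureProtocols'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' }
    @{ Ref = 'KB3140245 (32-bit)'; Name = 'DefaultSecureProtocols'
       Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' }
)

function Test-RegistryHardening {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $status = 'MISSING'; $found = $null
        if (Test-Path -LiteralPath $c.Path) {
            $key = Get-Item -LiteralPath $c.Path
            $names = if ($c.Name -eq '*') { $key.GetValueNames() } else { @($c.Name) }
            foreach ($n in $names) {
                $v = $key.GetValue($n)
                if ($null -eq $v) { continue }          # value not present under this key
                $found = "$n=$v"
                if (-not $c.Expect) { $status = 'PRESENT (data not assessed)'; break }
                if (& $c.Expect $v) { $status = 'OK'; break }
                $status = 'WRONG DATA'
            }
        }
        [pscustomobject]@{ Ref = $c.Ref; Status = $status; Found = $found; Path = $c.Path }
    }
}

Test-RegistryHardening -Checks $checks | Format-Table -AutoSize -Wrap
```

A MISSING or WRONG DATA row next to an installed update is the situation the article describes: the patch is present but the registry step from the bulletin or advisory was never carried out.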