Blog: Microsoft

Proof-of-concept (PoC) exploitation code is now in circulation for a critical privilege elevation vulnerability (CVE-2020-1472) in the Microsoft Netlogon Remote Protocol (MS-NRPC). This vulnerability, also known as "Zerologon," occurs when establishing a secure channel connection to a Windows domain controller. 
 
Exploitation could allow an unauthenticated remote attacker on the local network to gain domain administrator privileges on vulnerable systems. The first phase to mitigate this vulnerability is to install the August 11th, 2020 update patch to all domain controllers. The second phase is scheduled to be released in early 2021.
 
The mitigation update for this vulnerability was installed before the end of August for all Aspire cloud hosting systems and CoNetrix Technology customers with a patch management service agreement. All other CoNetrix Technology and CoNetrix Security customers should install this update as soon as possible.
 
For CoNetrix Technology Cybersecurity Monitoring customers, we are working with our SIEM provider to identify and send alerts when this exploit is attempted on domain controllers. However, the August 11th update is required to be installed before the security log entries will be created. We will post an update when these new alerts are operational.
 
 
Please contact CoNetrix Customer Service at support@conetrix.com or 806-698-9600 if you have any questions or need assistance with installing the August 11th update.
 

 

The May 2019 Microsoft patch releases included an update for a very high-risk vulnerability (CVE-2019-0708, aka BlueKeep) that affects Windows XP, Windows 7, Server 2003, Server 2008, and Server 2008 R2.

This vulnerability allows an unauthenticated attacker (or malware) to remotely execute code on the vulnerable system. It is considered as VERY high risk, particularly for systems with Remote Desktop Protocol (RDP, port 3389) directly exposed to the Internet. However if a system inside the network is compromised it could easily spread to other PC's and servers because RDP is enabled by default.

CoNetrix strongly recommends all customers ensure the May updates are installed as soon as possible.

Microsoft has not only released updates for Windows 7, Server 2008 & R2, but also has issued updates for Windows XP and Server 2003 which are not officially supported.

All CoNetrix Technology customers with managed services agreements and all cloud hosted Aspire systems, were updated shortly after this vulnerability was announced.

This vulnerability can be mitigated by enabling Network Level Authentication (NLA) - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713(v=ws.11). Additionally CoNetrix recommends disabling RDP access over the Internet to internal systems.


 

With our move to Nessus for our audit scanning, we are digging deeper into unsupported software. In these checks, there has been a software that has shown up across a majority of different customers which is unsupported Microsoft XML Parser and XML Core Services.
 
Microsoft XML Parser and XML Core Services are used to create and validate data in XML documents and have the ability to parse and process the data. More info can be found here: https://searchmicroservices.techtarget.com/definition/XML-Core-Services
 
One customer that I was working with had questions about the software because it was showing up as unsupported for a server that they just installed on the network. After doing some investigation, we found that the server did in fact have the unsupported Microsoft XML Parser and XML Core Services installed along with the current version of the software. After doing some additional research, it appears that when there is a new version of the software released, the update installs the new software, but does not remove the old unsupported software.
 
If the current version of the software is installed, then the unsupported versions can be removed manually.
 

 

The Microsoft Assessment Planning (MAP) Toolkit is a useful utility that can be used to gather hardware and software information for workstations and servers. After installing the toolkit, you can provide domain credentials which it uses to poll each device in Active Directory and gather information about the devices it finds. This data can be viewed through various Excel reports and can help to shorten the time it takes to fill out an audit questionnaire.
 
The toolkit can be downloaded from: https://www.microsoft.com/en-us/download/details.aspx?&id=7826
 


 

We recently encountered a strange issue with a customer running Outlook 2010 in an Exchange 2007 environment. Some users (not all) would randomly get certificate warning pop-ups in Outlook. The certificate warnings indicated the Fully Qualified Domain Name (FQDN) "autodiscover.customerdomain.com" wasn’t on the certificate. The certificate warning was legitimate; that FQDN was not on the certificate because this customer didn't have a UCC certificate.

However, all the autodiscover SCP records had been changed via Powershell to point the autodiscover URL to "webmail.customerdomain.com" which WAS on the certificate. All the PCs were joined to the Active Directory domain so the SCP lookup should have had precedence over any other autodiscover method. Doing an autodiscover check via the Outlook system tray icon indicated the certificate warning pop-up and all the values returned by the test were all correct.

The question was why were these PC's even contacting "autodiscover.customerdomain.com"? After much troubleshooting, we found that even though the domain SCP records were correct, some Outlook clients were also doing DNS lookups for "autodiscover.customerdomain.com" in parallel with the SCP lookup. Checking DNS there was an "autodiscover.customerdomain.com" A record and pointed to the IP address of the Exchange server; however, since that FQDN wasn’t a subject alternate name on the certificate, it would have legitimately generated the certificate warning.

The resolution was to simply remove the "autodiscover.customerdomain.com" A record from DNS and we added SRV records for good measure. It doesn’t seem like having that A record in DNS would have mattered since the autodiscover priority shouldn’t have ever used it, but from now on we will use DNS SRV records and SCP exclusively for Exchange autodiscover.


 

The Federal Financial Institutions Examination Council (FFIEC) jointly issued a statement to alert financial institutions Microsoft will discontinue extended support for Windows XP effective April 8, 2014.  After this date, Microsoft will no longer provide secruity patches or support for the Windows XP Operating System.  To read the Joint Statement, visit http://ithandbook.ffiec.gov/media/154161/final_ffiec_statement_on_windows_xp.pdf 

 

Starting in Windows 7 and Windows Server 2008 R2, Microsoft introduced sub-category configuration audit policies.  This provides administrators with added granularity when deciding which event logs are necessary to be logged.  More on  Advanced Audit Policies can be found here: http://technet.microsoft.com/en-us/library/dd772712(WS.10).aspx [more]

The following command will pull the configuration for all of the new advanced security audit policies:

audipol /get /category:*

 
 

Several of our customers have been confused recently regarding the number of Microsoft licenses they own.  The issue is confused by Microsoft’s process itself.  When a customer purchases licensing they are issued an Open Business Authorization certificate which states the number of licenses purchased.

The client is also issued a set of keys to install the purchased licenses.  The license number and the number of times the customer can use the key are very confusing.  In fact the key can be used roughly 5 times per 1 license.  As an example, if a customer purchases 10 Windows Server licenses, the associated key may state a quantity of 50.  This actually means you can activate the key 50 times on the same 10 licenses.

If you seem to have extra licenses that magically appeared, make sure you are looking at your certificate and not the number associated with the keys.


 

You assume, that both Microsoft and Lenovo will create a restore point before applying updates to your computer. I did… and it cost me dearly!  I had to rebuild my machine from scratch!  Restore points require disk storage, and there is a screen (see below) where the amount of the disk to be used for restore points is specified.  In my case the amount was set to “0” (zero), and then when the Lenovo updater tries to create a restore point, it failed. There was no warning that it failed! [more]