Sunday, May 27, 2018

"CredSSP encryption oracle remediation" error when connecting via RDP

Updates

The following updates switch a flag to protect against the CredSSP attack.

Operating system, Rollup, Update
Windows 7 Service Pack 1 / Windows Server 2008 R2 Service Pack 1, KB4103718 (Monthly Rollup), KB4103712 (Security-only update)
Windows Server 2012, KB4103730 (Monthly Rollup), KB4103726 (Security-only update)
Windows 8.1 / Windows Server 2012 R2, KB4103725 (Monthly Rollup), KB4103715 (Security-only update)
Windows 10 Version 1607 / Windows Server 2016, KB4103723
Windows 10 Version 1703, KB4103731
Windows 10 Version 1709, KB4103727

Solution:

To resolve this issue, the May updates including this patch have to be installed on all Servers and Clients!

Workaround:

If you can't do this, you can apply the following workaround.
Note: After you change the following setting, an insecure connection is allowed, which will expose the remote server to attacks.

Updated clients cannot communicate with non-updated servers
If you installed the May updates on your DC, you can apply a GPO to set these settings.
GPO Path
Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation > Encryption Oracle Remediation
Setting
Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.

Or apply the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002


Non-updated clients cannot communicate with patched servers
GPO Path
Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation > Encryption Oracle Remediation
Setting
Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.

Or apply the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002
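To find machines that are still running with the workaround, the following PowerShell audit reads the registry value and looks for the KBs listed above. It is an added example, not part of the original post; the function name Get-CredSspAuditResult is hypothetical, and the names for values 0 and 1 are the other protection levels of the same policy, which the post does not list.

```powershell
# Added example: report the CredSSP "Encryption Oracle Remediation" state of the local host.
# Registry path, value name and KB numbers are taken from this page.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$MayKbs = @('KB4103718','KB4103712','KB4103730','KB4103726','KB4103725',
            'KB4103715','KB4103723','KB4103731','KB4103727')
# Protection levels of the policy; the workaround on this page sets 2 (Vulnerable).
$Levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspAuditResult {   # hypothetical helper name
    $value = $null
    if (Test-Path -Path $CredSspKey) {
        $prop = Get-ItemProperty -Path $CredSspKey -Name 'AllowEncryptionOracle' -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $value = [int]$prop.AllowEncryptionOracle }
    }

    if ($null -eq $value) {
        $level = 'Not configured (OS default applies)'
    } elseif ($Levels.ContainsKey($value)) {
        $level = $Levels[$value]
    } else {
        $level = "Unknown value $value"
    }

    # Later cumulative updates replace these KBs, so an empty result here
    # calls for a manual patch-level check; it does not prove the host is unpatched.
    $found = @(Get-HotFix -ErrorAction SilentlyContinue |
               Where-Object { $MayKbs -contains $_.HotFixID } |
               Select-Object -ExpandProperty HotFixID)

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        AllowEncryptionOracle = $value
        ProtectionLevel       = $level
        WorkaroundActive      = ($value -eq 2)
        MayKbsFound           = ($found -join ', ')
    }
}

$result = Get-CredSspAuditResult
$result | Format-List
if ($result.WorkaroundActive) {
    Write-Warning 'Protection Level is Vulnerable: install the May updates on both ends, then set the policy back.'
}
```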
