Windows security updates that require new registry keys

Don't assume automated Windows security updates are complete. You might need to add registry keys manually. Here are a few to check now.

Windows computers and servers update on a monthly basis. Most of these updates are self-installing and need no other interaction. Sometimes, though, you need to add registry keys to enable or disable additional security settings. I discussed the additional registry keys needed for Spectre and Meltdown protection earlier, but other updates often need additional settings.

One way to learn about these needed registry settings is to read the security bulletin. Your vulnerability scanner might indicate missing protections after it scans your network, too. At times the new registry keys are not part of a security bulletin but part of a security advisory. An advisory is sent when there is no patch released. Advisories often give information about additional protections you need or an upcoming change in updates that will impact your systems.

Blocking unsafe ticket-granting tickets in Windows

In the February updates, for example, advisory ADV190006 pointed out an upcoming change that will impact Active Directory implementations. The advisory notes a change outlined in Knowledge Base article KB4490425 in how Microsoft handles ticket-granting tickets (TGTs). Currently the default configuration when you trust identities from another Active Directory forest lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest.

This unsafe condition impacts Server 2019, Server 2016, Server 2012 R2 and Server 2012. In July 2019, Microsoft will release an update to harden Server 2008 R2 and Server 2008. In the meantime, the advisory gives guidance on how to block unsafe TGT delegation across an incoming trust by setting the netdom flag EnableTGTDelegation to “no” using the following command.

netdom.exe trust fabrikam.com /domain:contoso.com /EnableTGTDelegation:No

Clear plain-text passwords from WDigest memory

Often there are much older Knowledge Base articles that still can impact your network, such as a 2014 security advisory that relates to KB2871997. You might have installed the patch on your workstations and servers but didn’t run the registry key to delete the clear-text password in WDigest memory. Often the password tool Mimikatz can find this leftover password in Server 2008 R2 servers. Add the following registry key to clear out the password.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\
WDigest

When the UseLogonCredential value is set to 0, WDigest will not store credentials in memory. This value is not by default set up on a Server 2008 R2 system. You will need to add it. Scroll down to HKEY local machine to the value noted, right-click on “New“ and “Add a Dword 32-bit value”, and add the UseLogonCredential.

bradley regkey Susan Bradley

Adding a registry key

Have all users log out of the server, and then reboot for the password to be cleared from the system.

Other security bulletins that require new Windows registry keys

These security bulletins also need registry keys to be effective.

  • MS15-011 impacts Group Policy and requires this registry key set:
    HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\
    NetworkProvider\HardenedPaths
    .
    Add the value Netlogon with data of
    RequireMutualAuthentication=1 RequireIntegrity=1
  • MS15-124 is an Internet Explorer patch that requires these registry keys:
    HKEY_LOCAL_Machine\Software\Microsoft\InternetExplorer\Main\
    FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING
    .
    Add a value of 1 and then set:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\InternetExplorer
    \Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING
    .
    Use a value of 1. Alternatively you can use the easy fix in the KB article that will set the registry key for you.
  • KB3140245 covers an update for TLS 1.1 and TLS 1.2. You need to make a change to:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp DefaultSecureProtocols
    and
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\
    Internet Settings\WinHttp DefaultSecureProtocols
    .
    Alternatively, you can use the easy fix in the KB article that will set the needed registry key for you.

Get the idea that you need to check for additional steps needed to protect your Windows network besides patching? If your vulnerability scanner is telling you that you aren’t patched and yet you know you’ve installed the update, look for missing registry keys that might be buried in the details of the KB article.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!