Windows computers and servers update on a monthly basis. Most of these updates are self-installing and need no other interaction. Sometimes, though, you need to add registry keys to enable or disable additional security settings. I discussed the additional registry keys needed for Spectre and Meltdown protection earlier, but other updates often need additional settings.
One way to learn about these needed registry settings is to read the security bulletin. Your vulnerability scanner might indicate missing protections after it scans your network, too. At times the new registry keys are not part of a security bulletin but part of a security advisory. An advisory is sent when there is no patch released. Advisories often give information about additional protections you need or an upcoming change in updates that will impact your systems.
Blocking unsafe ticket-granting tickets in Windows
In the February updates, for example, advisory ADV190006 pointed out an upcoming change that will impact Active Directory implementations. The advisory notes a change outlined in Knowledge Base article KB4490425 in how Microsoft handles ticket-granting tickets (TGTs). Currently the default configuration when you trust identities from another Active Directory forest lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest.
This unsafe condition impacts Server 2019, Server 2016, Server 2012 R2 and Server 2012. In July 2019, Microsoft will release an update to harden Server 2008 R2 and Server 2008. In the meantime, the advisory gives guidance on how to block unsafe TGT delegation across an incoming trust by setting the netdom flag EnableTGTDelegation to “no” using the following command.
netdom.exe trust fabrikam.com /domain:contoso.com /EnableTGTDelegation:No
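Before flipping the flag, you want to know which trusts exist and what state each one is in. The following PowerShell is an added example, not code from the article, the advisory or Microsoft: it enumerates the trusts visible from the current domain with the ActiveDirectory module and wraps the netdom command quoted above. It assumes that netdom prints the current setting when /EnableTGTDelegation is passed without :Yes or :No (the query form its other trust switches use) and that RSAT and netdom.exe are available on the machine where it runs.

```powershell
# Added example (not from the article or from Microsoft). Audits the
# EnableTGTDelegation state of every trust the local domain has, then offers a
# wrapper for the hardening command from the advisory. Run it in an elevated
# session on a domain controller or admin workstation of the trusting domain.
# Assumption: netdom reports the current value when /EnableTGTDelegation is
# given without :Yes or :No.

function Get-TgtDelegationState {
    [CmdletBinding()]
    param(
        # Defaults to the domain this machine is joined to (the trusting side).
        [string]$TrustingDomain = (Get-ADDomain).DNSRoot
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    foreach ($trust in Get-ADTrust -Filter *) {
        # Capture stdout and stderr so a failed query still shows up in the report.
        $output = & netdom.exe trust $TrustingDomain "/domain:$($trust.Target)" /EnableTGTDelegation 2>&1
        $text   = ($output | ForEach-Object { "$_".Trim() } | Where-Object { $_ }) -join ' | '

        [pscustomobject]@{
            TrustingDomain = $TrustingDomain
            TrustedDomain  = $trust.Target
            Direction      = $trust.Direction         # Inbound, Outbound or BiDirectional
            ForestTrust    = $trust.ForestTransitive  # cross-forest trusts are the advisory's concern
            NetdomReport   = $text
        }
    }
}

function Disable-TgtDelegation {
    # Applies the advisory's hardening (the same command the article quotes) to one trust.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TrustedDomain,
        [string]$TrustingDomain = (Get-ADDomain).DNSRoot
    )

    if ($PSCmdlet.ShouldProcess("$TrustingDomain -> $TrustedDomain", 'Set EnableTGTDelegation:No')) {
        & netdom.exe trust $TrustingDomain "/domain:$TrustedDomain" /EnableTGTDelegation:No
    }
}

# Usage: review the audit first, then harden each trust that still allows delegation,
# e.g. Disable-TgtDelegation -TrustedDomain contoso.com -WhatIf
Get-TgtDelegationState | Format-Table -AutoSize -Wrap
```

Disable-TgtDelegation supports -WhatIf so the change can be rehearsed in a change window before it is applied; the audit function itself only reads.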
Clear plain-text passwords from WDigest memory
Often there are much older Knowledge Base articles that still can impact your network, such as a 2014 security advisory that relates to KB2871997. You might have installed the patch on your workstations and servers but never set the registry value that deletes the clear-text password from WDigest memory. The password tool Mimikatz can often find this leftover password on Server 2008 R2 servers. Add the following registry value to clear out the password.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
When the UseLogonCredential value is set to 0, WDigest will not store credentials in memory. This value is not present by default on a Server 2008 R2 system, so you will need to add it. In the Registry Editor, navigate under HKEY_LOCAL_MACHINE to the key noted above, right-click it, choose “New” and then “DWORD (32-bit) Value”, and name the new value UseLogonCredential.
Adding a registry key
Have all users log out of the server, and then reboot for the password to be cleared from the system.
Other security bulletins that require new Windows registry keys
These security bulletins also need registry keys to be effective.
- MS15-011 impacts Group Policy and requires this registry key set:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
Add the value Netlogon with data of RequireMutualAuthentication=1 RequireIntegrity=1
- MS15-124 is an Internet Explorer patch that requires these registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING
Add a value of 1 and then set:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING
Use a value of 1. Alternatively, you can use the easy fix in the KB article that will set the registry key for you.
- KB3140245 covers an update for TLS 1.1 and TLS 1.2. You need to make a change to the DefaultSecureProtocols value under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
and
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
Alternatively, you can use the easy fix in the KB article that will set the needed registry key for you.
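Checking each of these keys by hand in the Registry Editor does not scale past a handful of servers. The script below is an added example, not code from the article or from Microsoft, that audits the WDigest value described above and the keys from this list in one pass. The key paths are the ones given in the article; the only value it will write with -Remediate is UseLogonCredential = 0, because that is the one setting whose name and data the article spells out completely. For the other keys it reports whatever values are present so you can compare them against the respective KB article yourself.

```powershell
# Added example (not from the article or from Microsoft). Audits the registry
# settings the article lists and optionally remediates the WDigest value.
# Run in an elevated session; the WDigest change takes effect after users log
# off and the server reboots, as the article notes.

$RequiredSettings = @(
    @{ Id = 'KB2871997 (WDigest)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       ValueName = 'UseLogonCredential'; Expected = 0 }
    @{ Id = 'MS15-011 (HardenedPaths)'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths' }
    @{ Id = 'MS15-124 (IE, native)'
       Key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING' }
    @{ Id = 'MS15-124 (IE, WoW64)'
       Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING' }
    @{ Id = 'KB3140245 (WinHttp, native)'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
       ValueName = 'DefaultSecureProtocols' }
    @{ Id = 'KB3140245 (WinHttp, WoW64)'
       Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
       ValueName = 'DefaultSecureProtocols' }
)

function Test-RegistryHardening {
    [CmdletBinding()]
    param(
        # Only the entry with a fully specified Expected value (WDigest) is ever written.
        [switch]$Remediate
    )

    foreach ($s in $RequiredSettings) {
        $status = 'OK'
        $actual = $null

        if (-not (Test-Path -Path $s.Key)) {
            $status = 'KEY MISSING'
        }
        elseif ($s.ValueName) {
            # A named value: read it and, where the article gives the data, compare it.
            $actual = (Get-ItemProperty -Path $s.Key -Name $s.ValueName -ErrorAction SilentlyContinue).($s.ValueName)
            if ($null -eq $actual) {
                $status = 'VALUE MISSING'
            }
            elseif ($s.ContainsKey('Expected') -and $actual -ne $s.Expected) {
                $status = "WRONG DATA (expected $($s.Expected))"
            }
        }
        else {
            # Key present but the article names no value: list what is there for review.
            $props = Get-ItemProperty -Path $s.Key
            $names = $props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { "$($_.Name)=$($_.Value)" }
            $actual = $names -join '; '
            if (-not $names) { $status = 'KEY EMPTY' }
        }

        if ($Remediate -and $s.ContainsKey('Expected') -and $status -ne 'OK') {
            if (-not (Test-Path -Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
            New-ItemProperty -Path $s.Key -Name $s.ValueName -PropertyType DWord `
                -Value $s.Expected -Force | Out-Null
            $status = 'REMEDIATED (reboot required)'
        }

        [pscustomobject]@{ Setting = $s.Id; Status = $status; Data = $actual }
    }
}

# Usage: audit only, then rerun with -Remediate once the WDigest change is approved.
Test-RegistryHardening | Format-Table -AutoSize -Wrap
```

Running the audit from a scheduled task or your configuration management tooling gives you the "missing protection" signal the article attributes to a vulnerability scanner, but with the exact key and value named, which is what you need when a scanner insists a host is unpatched after the update itself has clearly installed.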
Get the idea that you need to check for additional steps needed to protect your Windows network besides patching? If your vulnerability scanner is telling you that you aren’t patched and yet you know you’ve installed the update, look for missing registry keys that might be buried in the details of the KB article.