If you are as old as I am, you remember when you first had to deal with domains and Active Directory (AD). Even if you aren’t as old as I am, you still probably must deal with domains and Active Directory. If you are just starting out at a new firm, you probably know only Azure Active Directory as your building block. The reality for the rest of us is that we must patch and maintain AD.

Active Directory has been in the security news again for yet another vulnerability that may need more actions than merely patching to properly protect your network from future attacks. The May 10, 2022, security updates include several patches relating to certificates.

CVE-2022-26925 Windows LSA Spoofing Vulnerability

CVE-2022-26931 Windows Kerberos Elevation of Privilege Vulnerability

CVE-2022-26923 Active Directory Domain Services Elevation of Privilege Vulnerability

CVE-2022-26923 is particularly worrisome as it allows attackers to go from user to domain admin in mere minutes. To see the actual attack sequence in action, use this site to analyze the impact of the CVE-2022-26923 patch on your network.

Based on the severity of the misconfiguration, CVE-2022-26923 could allow any low-privileged user on the AD domain to escalate their privilege to that of an enterprise domain admin with just a few clicks. As Will Dormann of CERT noted, it works quite well on a default AD configuration by going from normal user to domain admin in a few steps. Oliver Lyak and Eran Nachshon provide more details in two separate blog posts. This patch does not block all potential methods of attack, only the attack sequence using ESC6.

Additional steps needed after the May cumulative update

Prior to updating with the May cumulative update, check that the AltSecurityIdentities value in the krbtgt account has nothing set in it.
To view this, go into “Active Directory Users and Computers”, click on “View advanced features”, select “Users”, and find the disabled krbtgt account. It’s normal that the account is disabled. Next select “Properties”, click on “Attribute editor”, and ensure that no value is set in the AltSecurityIdentities section. This attribute is not normally set, so any value there was probably set incorrectly. If there is a value there, your domain controller will reboot with a crash.

Next, change the value of the ms-DS-MachineAccountQuota attribute to “0”. For many years in AD, Microsoft wanted to make it easy to add a computer to the domain and allowed mere users to do so. The ability to do this, and to trigger certificate requests as a result, is one of the methods that attackers use to abuse the certificate flaw. In “Active Directory Users and Computers”, open the properties of the domain and select the “Attribute editor”. Then double-click on ms-DS-MachineAccountQuota and modify the value. The number represents the number of computers that you want users to be able to add to the domain. It’s now highly recommended to change this value to “0”.

If these recommendations vaguely sound familiar, it’s because they were also recommended back in November when we were patching another set of Active Directory flaws leveraging the same sort of vulnerabilities.
It appears that Microsoft reintroduced the same sort of flaw that is being patched by CVE-2022-26925 that was originally patched in CVE-2021-42278 and CVE-2021-42287 in November.

Finally, review the recommendations in KB5005413, enable EPA, and disable HTTP on Active Directory Certificate Services (AD CS) servers for certificate authority web enrollment.

Beware of authentication issues after May updates

When you go to apply the May updates, be aware that some firms’ configurations might see authentication issues after the update, as CISA explained:

“After installing May 10, 2022, rollup update on domain controllers, organizations might experience authentication failures on the server or client for services, such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). Microsoft notified CISA of this issue, which is related to how the mapping of certificates to machine accounts is being handled by the domain controller.”

The May cumulative updates also included two additional fixes for certificate-based authentication that require additional actions. As Microsoft notes:

“CVE-2022-26931 and CVE-2022-26923 address an elevation of privilege vulnerability that can occur when the Kerberos Distribution Center (KDC) is servicing a certificate-based authentication request. Before the May 10, 2022, security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name. This allowed related certificates to be emulated (spoofed) in various ways. Additionally, conflicts between User Principal Names (UPN) and sAMAccountName introduced other emulation (spoofing) vulnerabilities that we also address with this security update.”

The May update will introduce audit events that will help you identify which identity certificates will fail after May 9, 2023.
Devices are in “compatibility mode” at this time, but if the certificates are not strongly mapped by May of 2023, authentication will be denied.

Microsoft released an out of band update to fix the authentication issues introduced by the May releases.

Additional steps for November Active Directory patches

In November 2021 Microsoft issued a patch for a similar AD issue. Patches for CVE-2021-42278 and CVE-2021-42287 fixed issues for which “the common theme for these security updates seems to involve validating the uniqueness of certain attributes of AD objects and verifying that no wires cross when issuing Kerberos tickets, leading to the issuance of tickets for the wrong principal or to the wrong service.”

Microsoft recommends taking three actions to better protect yourself from such attacks that exploit CVE-2021-42278 and CVE-2021-42287 as well as the current CVE-2022-26925:

Install the updates: the patches for CVE-2021-42287 and CVE-2021-42278 (included in the November updates, if you have not installed them already) and, when you can after testing, the patch for CVE-2022-26925 (included in the May updates).

Change the value of the ms-DS-MachineAccountQuota attribute to “0”.

Apply the principle of least privilege to the user rights assignment labeled “Add workstations to the domain” (SeMachineAccountPrivilege).

Detecting CVE-2022-26923 with Microsoft Defender for Identity

The May CVE-2022-26923 Active Directory Domain Services Elevation of Privilege Vulnerability can be detected if you have Microsoft Defender for Identity. Microsoft has added a setting to Microsoft Defender for Identity to send an alert when an attack is underway.
The alert is titled “Suspicious modification of a DnsHostName attribute (CVE-2022-26923 exploitation).” If you don’t have Microsoft Defender for Identity licensing, Microsoft recommends the following steps to better protect yourself from this sort of attack:

Apply the recent patches to all domain controller servers in your organization. You will need to test and review whether you are impacted by the side effects.

Set the ms-DS-MachineAccountQuota attribute to “0” if possible, making the attack more complex for an attacker to exploit.

Adjust certificate template permissions and approval according to your organization's needs.

Bottom line: Don’t just apply the patches and think you are done. Take additional actions to better protect your network.
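
The krbtgt check and the ms-DS-MachineAccountQuota change described above can also be done from PowerShell instead of the Attribute editor. The script below is an added example, not from the original article or from Microsoft; it assumes the RSAT ActiveDirectory module, and the -Enforce switch is a name chosen here. It goes slightly beyond the text by also listing computer accounts that users created under the quota, so you know who relies on it before setting it to 0.

```powershell
# Added example: read-only audit unless -Enforce (a switch name chosen for this
# script) is passed. Requires the RSAT ActiveDirectory module and rights to read
# (and, with -Enforce, modify) the domain object.
param([switch]$Enforce)
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. krbtgt must have no altSecurityIdentities values before the May update is installed.
$krbtgt = Get-ADUser -Identity krbtgt -Properties altSecurityIdentities
if ($krbtgt.altSecurityIdentities.Count -gt 0) {
    Write-Warning "krbtgt has altSecurityIdentities set; review and clear before patching:"
    $krbtgt.altSecurityIdentities | ForEach-Object { "  $_" }
} else {
    "krbtgt altSecurityIdentities: empty (OK)"
}

# 2. Current quota on the domain object (the AD default is 10).
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
          -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota: $quota"

# 3. Computer accounts joined by ordinary users under the quota carry
#    ms-DS-CreatorSID. Review these before setting the quota to 0, because the
#    same users will no longer be able to join machines afterwards.
Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = $_.'ms-DS-CreatorSID'
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # creator deleted or SID not resolvable
        [pscustomobject]@{ Computer = $_.Name; CreatedBy = $who; Created = $_.whenCreated }
    } | Sort-Object Created | Format-Table -AutoSize

# 4. Apply the recommended value only when explicitly asked to.
if ($Enforce -and $quota -ne 0) {
    Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    "ms-DS-MachineAccountQuota set to 0"
}
```

Run it without -Enforce first; once the quota is 0, joining machines requires an account that has been delegated that right explicitly.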