Even though Microsoft's Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for May 2020:
Windows Server 2016
We observed the following updates for Windows Server 2016:
KB4556813 May 12, 2020
The May 12, 2020 update for Windows Server 2016 (KB4556813) updating the OS build number to 14393.3686 includes both security and quality improvements, but none of these updates are Identity-related.
When running virtualized Domain Controllers on top of Hyper-V, then you might be concerned with CVE-2020-0909. However, as per Microsoft recommended practices, Hyper-V hosts should not be placed on network segments that are accessible to non-administrator endpoints.
The three Print Spooler vulnerabilities are also causes for alarm, but I hope that by now everyone has hardened their Domain Controllers by not allowing printer redirection through remote desktop and stopping the spooler service…
ADV200009 May 19, 2020
Microsoft is aware of a vulnerability involving packet amplification that affects Windows DNS servers. An attacker who successfully exploited this vulnerability could cause the DNS Server service to become nonresponsive.
Admins of edge-facing authoritative DNS Servers should enable Response Rate Limit (RRL), using the Set-DnsServerResponseRateLimiting PowerShell Cmdlet.
There is currently no update available to address the vulnerability.
Windows Server 2019
We observed the following updates for Windows Server 2019:
KB4551853 May 12, 2020
The May 12, 2020 update for Windows Server 2019 (KB4551853) updating the OS build number to 17762.1217 includes both security and quality improvements.
This update addresses a cross-site scripting vulnerability in Active Directory Federation Services (AD FS) (CVE-2020-1055). This cross-site-scripting (XSS) vulnerability exists when AD FS does not properly sanitize user inputs. An unauthenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected AD FS server. When successful, the attacker could then perform cross-site scripting attacks on affected systems and run scripts in the security context of the current user. This security update addresses the vulnerability by ensuring that AD FS properly sanitizes user inputs.
When running virtualized Domain Controllers on top of Hyper-V, then you might be concerned with CVE-2020-0909. However, as per Microsoft recommended practices, Hyper-V hosts should not be placed on network segments that are accessible to non-administrator endpoints.
The three Print Spooler vulnerabilities are also causes for alarm, but I hope that by now everyone has hardened their Domain Controllers by not allowing printer redirection through remote desktop and stopping the spooler service…
ADV200009 May 19, 2020
Microsoft is aware of a vulnerability involving packet amplification that affects Windows DNS servers. An attacker who successfully exploited this vulnerability could cause the DNS Server service to become nonresponsive.
Admins of edge-facing authoritative DNS Servers should enable Response Rate Limit (RRL), using the Set-DnsServerResponseRateLimiting PowerShell Cmdlet.
There is currently no update available to address the vulnerability.
The post On-premises Microsoft Identity-related updates and fixes for May 2020 appeared first on The things that are better left unspoken.