Deploying Group Policy Security Update MS16-072 \ KB3163622

My name is Ajay Sarkaria & I work with the Windows Supportability team at Microsoft. There have been many questions on deploying the newly released security update MS16-072.

This post was written to provide guidance and answer questions needed by administrators to deploy the newly released security update, MS16-072 that addresses a vulnerability. The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine on domain-joined Windows computers.

The table below summarizes the KB article number for the relevant Operating System:

Article # Title Context / Synopsis
MSKB 3163622 MS16-072: Security Updates for Group Policy: June 14, 2016 Main article for MS16-072
MSKB 3159398 MS16-072: Description of the security update for Group Policy: June 14, 2016 MS16-072 for Windows Vista / Windows Server 2008, Window 7 / Windows Server 2008 R2, Windows Server 2012, Window 8.1 / Windows Server 2012 R2
MSKB 3163017 Cumulative update for Windows 10: June 14, 2016 MS16-072 For Windows 10 RTM
MSKB 3163018 Cumulative update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: June 14, 2016 MS16-072 For Windows 10 1511 + Windows Server 2016 TP4
MSKB 3163016 Cumulative Update for Windows Server 2016 Technical Preview 5: June 14 2016 MS16-072 For Windows Server 2016 TP5
TN: MS16-072 Microsoft Security Bulletin MS16-072 - Important Overview of changes in MS16-072
What does this security update change?

The most important aspect of this security update is to understand the behavior changes affecting the way User Group Policy is applied on a Windows computer. MS16-072 changes the security context with which user group policies are retrieved. Traditionally, when a user group policy is retrieved, it is processed using the user's security context.

After MS16-072 is installed, user group policies are retrieved by using the computer's security context. This by-design behavior change protects domain joined computers from a security vulnerability.

When a user group policy is retrieved using the computer's security context, the computer account will now need "read" access to retrieve the group policy objects (GPOs) needed to apply to the user.

Traditionally, all group policies were read if the "user" had read access either directly or being part of a domain group e.g. Authenticated Users

What do we need to check before deploying this security update?

As discussed above, by default "Authenticated Users" have "Read" and "Apply Group Policy" on all Group Policy Objects in an Active Directory Domain.

Below is a screenshot from the Default Domain Policy:

If permissions on any of the Group Policy Objects in your active Directory domain have not been modified, are using the defaults, and as long as Kerberos authentication is working fine in your Active Directory forest (i.e. there are not Kerberos errors visible in the system event log on client computers while accessing domain resources), there is nothing else you need to make sure before you deploy the security update.

In some deployments, administrators may have removed the "Authenticated Users" group from some or all Group Policy Objects (Security filtering, etc.)

In such cases, you will need to make sure of the following before you deploy the security update:

  1. Check if "Authenticated Users" group read permissions were removed intentionally by the admins. If not, then you should probably add those back. For example, if you do not use any security filtering to target specific group policies to a set of users, you could add "Authenticated Users" back with the default permissions as shown in the example screenshot above.

  2. If the "Authenticated Users" permissions were removed intentionally (security filtering, etc), then as a result of the by-design change in this security update (i.e. to now use the computer's security context to retrieve user policies) , you will need to add the computer account retrieving the group policy object (GPO) to "Read" Group Policy (and not "Apply group policy").

    Example Screenshot:

In the above example screenshot, let's say an Administrator wants "User-Policy" (Name of the Group Policy Object) to only apply to the user with name "MSFT Ajay" and not to any other user, then the above is how the Group Policy would have been filtered for other users. "Authenticated Users" has been removed intentionally in the above example scenario.

Notice that no other user or group is included to have "Read" or "Apply Group Policy" permissions other than the default Domain Admins and Enterprise Admins. These groups do not have "Apply Group Policy" by default so the GPO would not apply to the users of these groups & apply only to user "MSFT Ajay"

What will happen if there are Group Policy Objects (GPOs) in an Active Directory domain that are using security filtering as discussed in the example scenario above?

Symptoms when you have security filtering Group Policy Objects (GPOs) like the above example and you install the security update MS16-072:

  • Printers or mapped drives assigned through Group Policy Preferences disappear.
  • Shortcuts to applications on users' desktop are missing
  • Security filtering group policy does not process anymore
  • You may see the following change in gpresult: Filtering: Not Applied (Unknown Reason)
  • If you are using Folder Redirection and the Folder Redirection group policy removal option is set to “Redirect the folder back to the user profile location when policy is removed,” the redirected folders are moved back to the client machine after installing this security update
What is the Resolution?

Simply adding the "Authenticated Users" group with the "Read" permissions on the Group Policy Objects (GPOs) should be sufficient. Domain Computers are part of the "Authenticated Users" group. "Authenticated Users" have these permissions on any new Group Policy Objects (GPOs) by default. Again, the guidance is to add just "Read" permissions and not "Apply Group Policy" for "Authenticated Users"

What if adding Authenticated Users with Read permissions is not an option?

If adding "Authenticated Users" with just "Read" permissions is not an option in your environment, then you will need to add the "Domain Computers" group with "Read" Permissions. If you want to limit it beyond the Domain Computers group: Administrators can also create a new domain group and add the computer accounts to the group so you can limit the "Read Access" on a Group Policy Object (GPO). However, computers will not pick up membership of the new group until a reboot. Also keep in mind that with this security update installed, this additional step is only required if the default "Authenticated Users" Group has been removed from the policy where user settings are applied.

Example Screenshots:

Now in the above scenario, after you install the security update, as the user group policy needs to be retrieved using the system's security context, (domain joined system being part of the "Domain Computers" security group by default), the client computer will be able to retrieve the user policies required to be applied to the user and the same will be processed successfully.

How to identify GPOs with issues:

In case you have already installed the security update and need to identify Group Policy Objects (GPOs) that are affected, the easy way is just to do a simple gpupdate /force on a Windows client computer and then run the gpresult /h new-report.html -> Open the new-report.html and review for any errors like: "Reason Denied: Inaccessible, Empty or Disabled"

What if there are lot of GPOs?

A script is available which can detect all Group Policy Objects (GPOs) in your domain which may have the “Authenticated Users” missing “Read” Permissions
You can get the script from here: https://gallery.technet.microsoft.com/Powershell-script-to-cc281476

Pre-Reqs:

  • The script can run only on Windows 7 and above Operating Systems which have the RSAT or GPMC installed or Domain Controllers running Windows Server 2008 R2 and above
  • The script works in a single domain scenario.
  • The script will detect all GPOs in your domain (Not Forest) which are missing “Authenticated Users” permissions & give the option to add “Authenticated Users” with “Read” Permissions (Not Apply Group Policy). If you have multiple domains in your Active Directory Forest, you will need to run this for each domain.
    • Domain Computers are part of the Authenticated Users group
  • The script can only add permissions to the Group Policy Objects (GPOs) in the same domain as the context of the current user running the script. In a multi domain forest, you must run it in the context of the Domain Admin of the other domain in your forest.

Sample Screenshots when you run the script:

In the first sample screenshot below, running the script detects all Group Policy Objects (GPOs) in your domain which has the “Authenticated Users” missing the Read Permission.

image

If you hit “Y”, you will see the below message:

image

What if there are AGPM managed Group Policy Objects (GPOs)?

Follow the steps below to add “Authenticated Users” with Read Permissions:

To change the permissions for all managed GPO's and add Authenticated Users Read permission follow these steps:

Re-import all Group Policy Objects (GPOs) from production into the AGPM database. This will ensure the latest copy of production GPO's.

clip_image002[1]

clip_image004[1]

Add either “Authenticated Users” or “Domain Computers” the READ permission using the Production Delegation Tab by selecting the security principal, granting the "READ" role then clicking "OK"

clip_image006

Grant the selected security principal the "Read" role.

clip_image008

Delegation tab depicting Authenticated Users having the READ permissions.

clip_image010

Select and Deploy GPOs again:
Note:  To modify permissions on multiple AGPM-managed GPOs, use shift+click or ctrl+click to select multiple GPO's at a time then deploy them in a single operation.
CTRL_A does not select all policies.

clip_image012

clip_image014

The targeted GPO now have the new permissions when viewed in AD:

clip_image016

Below are some Frequently asked Questions we have seen:

Frequently Asked Questions (FAQs):

Q1) Do I need to install the fix on only client OS? OR do I also need to install it on the Server OS?

A1) It is recommended you patch Windows and Windows Server computers which are running Windows Vista, Windows Server 2008 and newer Operating Systems (OS), regardless of SKU or role, in your entire domain environment. These updates only change behavior from a client (as in "client-server distributed system architecture") standpoint, but all computers in a domain are "clients" to SYSVOL and Group Policy; even the Domain Controllers (DCs) themselves

Q2) Do I need to enable any registry settings to enable the security update?

A2) No, this security update will be enabled when you install the MS16-072 security update, however you need to check the permissions on your Group Policy Objects (GPOs) as explained above

Q3) What will change in regard to how group policy processing works after the security update is installed?

A3) To retrieve user policy, the connection to the Windows domain controller (DC) prior to the installation of MS16-072 is done under the user's security context. With this security update installed, instead of user's security context, Windows group policy clients will now force local system's security context, therefore forcing Kerberos authentication

Q4) We already have the security update MS15-011 & MS15-014 installed which hardens the UNC paths for SYSVOL & NETLOGON & have the following registry keys being pushed using group policy:

  • RequirePrivacy=1
  • RequireMutualAuthentication=1
  • RequireIntegrity=1

Should the UNC Hardening security update with the above registry settings not take care of this vulnerability when processing group policy from the SYSVOL?

A4) No. UNC Hardening alone will not protect against this vulnerability. In order to protect against this vulnerability, one of the following scenarios must apply: UNC Hardened access is enabled for SYSVOL/NETLOGON as suggested, and the client computer is configured to require Kerberos FAST Armoring

– OR –

UNC Hardened Access is enabled for SYSVOL/NETLOGON, and this particular security update (MS16-072 \ KB3163622) is installed

Q5) If we have security filtering on Computer objects, what change may be needed after we install the security update?

A5) Nothing will change in regard to how Computer Group Policy retrieval and processing works

Q6) We are using security filtering for user objects and after installing the update, group policy processing is not working anymore

A6) As noted above, the security update changes the way user group policy settings are retrieved. The reason for group policy processing failing after the update is installed is because you may have removed the default "Authenticated Users" group from the Group Policy Object (GPO). The computer account will now need "read" permissions on the Group Policy Object (GPO). You can add "Domain Computers" group with "Read" permissions on the Group Policy Object (GPO) to be able to retrieve the list of GPOs to download for the user

Example Screenshot as below:

Q7) Will installing this security update impact cross forest user group policy processing?

A7) No, this security update will not impact cross forest user group policy processing. When a user from one forest logs onto a computer in another forest and the group policy setting "Allow Cross-Forest User Policy and Roaming User Profiles" is enabled, the user group policy during the cross forest logon will be retrieved using the user's security context.

Q8) Is there a need to specifically add "Domain Computers" to make user group policy processing work or adding "Authenticated Users" with just read permissions should suffice?

A8) Yes, just adding "Authenticated Users" with Read permissions should suffice. If you already have "Authenticated Users" added with at-least read permissions on a GPO, there is no further action required. "Domain Computers" are by default part of the "Authenticated Users" group & user group policy processing will continue to work. You only need to add "Domain Computers" to the GPO with read permissions if you do not want to add "Authenticated Users" to have "Read"

Thanks,

Ajay Sarkaria

Supportability Program Manager – Windows

Edits:
6/29/16 – added script link and prereqs
7/11/16 – added information about AGPM
8/16/16 – added note about folder redirection