Fallout from New Microsoft Security Patch – and How to Fix it
A new security patch from Microsoft could carry frustrating side effects for IT teams who apply it. The patch, identified as MS16-072, secures machines against “man-in-the-middle” attacks. In the process of doing that, however, it may cause issues with an organization’s Group Policy settings and how they’re applied.
With the MS16-072 update, Microsoft purposefully changed the way Group Policies are handled to address “man-in-the-middle” attack vulnerabilities. If left unchecked, cyber criminals could exploit those vulnerabilities to execute unauthorized privilege escalations.
Pre-update, as long as a user account had access to a security policy, that policy would be applied. This took place regardless of whether the computer an individual logged in on had access to that policy. Following the update, it’s now necessary for both a user account and a computer account to have access to a policy. If either one lacks access, the policy won’t be applied.
Organizations that haven’t made any changes to the default permissions on their Active Directory Group Policy Objects and whose Kerberos authentication is working will be unaffected by this change. On the flip side, organizations that use security filtering in their AD space will have a little bit of work to do to ensure their permissions continue to operate as intended.
Complicating this situation is the fact that the negative impact of the patch may not be immediately evident. Since the change likely will only affect a small number of Group Policies, it could take users or IT considerable time to notice the issue. Alternatively, none of an organization’s current policies may be filtered, leaving the entire slate unaffected. Then, months later, IT releases a new policy and applies a security filter. All of a sudden, problems begin to surface.
Patch your systems with confidence
Obviously, the benefits of applying the patch outweigh the negatives, so ignoring it simply isn’t an option. What needs to happen for organizations to apply the MS16-072 update with confidence? First, organizations must determine which of their Group Policies may be affected and then they must adjust their settings accordingly. Microsoft laid out how to do this in a recent blog post, which can be found here.
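One way to find the Group Policies that may be affected is the report-only PowerShell audit below. It is an added example, not code from the original article or from Microsoft's blog post. It assumes a domain-joined admin workstation with the GroupPolicy module installed and rights to read GPO permissions; the function name `Get-GpoMissingComputerRead` is hypothetical.

```powershell
# Added example: report GPOs whose ACL gives neither "Authenticated Users" nor
# "Domain Computers" a read-capable permission. Report-only; nothing is changed.
Import-Module GroupPolicy   # ships with RSAT / Group Policy Management Console

# Permission levels that include Read on the GPO.
$ReadCapable = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Get-GpoMissingComputerRead {   # hypothetical helper name
    param(
        # Assumption: run from a domain-joined machine, so this variable is set.
        [string]$Domain = $env:USERDNSDOMAIN
    )
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $covered = $false
        foreach ($group in 'Authenticated Users', 'Domain Computers') {
            # Get-GPPermission errors when the trustee has no entry; treat as "none".
            $perm = Get-GPPermission -Guid $gpo.Id -DomainName $Domain `
                        -TargetName $group -TargetType Group `
                        -ErrorAction SilentlyContinue
            if ($perm -and $ReadCapable -contains "$($perm.Permission)") {
                $covered = $true
                break
            }
        }
        if (-not $covered) {
            [pscustomobject]@{
                DisplayName = $gpo.DisplayName
                Id          = $gpo.Id
                # Trustees actually on the ACL, for the reviewer to inspect.
                Trustees    = (Get-GPPermission -Guid $gpo.Id -DomainName $Domain -All |
                               ForEach-Object { "$($_.Trustee.Name)=$($_.Permission)" }) -join '; '
            }
        }
    }
}

Get-GpoMissingComputerRead | Sort-Object DisplayName | Format-Table -AutoSize -Wrap
```

A GPO on this list is a candidate for review, not a confirmed failure: a custom group that contains the relevant computer accounts and holds Read also satisfies the post-update requirement. Where Read is genuinely missing, it can be granted with `Set-GPPermission -Guid <id> -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead`, which adds Read without adding Apply, so existing security filtering stays intact.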
Arraya’s Microsoft team is also ready to assist. Our team has the skills and experience needed to uncover any complications and make the necessary corrections. With our team’s support, IT pros can rest assured their network is secured and the policies they’re laying out are being applied completely.