Solved

Microsoft Security Bulletin MS14-066 - Critical

Posted on 2014-11-19
Last Modified: 2014-11-25
Vulnerability in Schannel Could Allow Remote Code Execution (2992611)

We are planning to deploy this out-of-band patch that was released yesterday.
Before that, can I know whether it is critical on domain controllers and less critical on servers? We will have to plan to patch accordingly.

If it is critical on DCs, we will do it right away. Hope it can wait on other server editions for some time.
Please confirm.

How about servers in the DMZ? How critical is it in that environment?
Question by:Good
Accepted Solution

by:
Neil Russell earned 250 total points
As with ANY critical patch release, read the info from Microsoft.
https://technet.microsoft.com/en-us/library/security/ms14-066.aspx

This is over a week old now and yesterday's release was version 2 of the fix. It is rated as critical on an OS basis, not on what or where the OS is installed. A Windows server is a Windows server. AD is a role installed on top of the server, therefore the server is still an affected server.

Author Comment

by:Good
The affected OS is Windows, but what if the component mainly affected is the Kerberos KDC, which is the main component of a domain controller?

Assisted Solution

by:Rich Weissler
Rich Weissler earned 250 total points
Good,
  Last Tuesday, an out-of-band announcement was made, and two security bulletins were impacted.
  First, MS14-066, concerning the SChannel update you mentioned originally, was updated. They pulled back the Windows 2008 R2 and Windows 2012 patches and replaced them because folks were encountering issues with some of the encryption algorithms. Yes, it's bad, but it impacts many servers... not just DCs.
  Second, MS14-068 was released. This is the one that impacts Kerberos on DCs. Folks are running around screaming because apparently there are limited exploits, and I haven't seen that folks are saying that they are 'in the wild' yet. Yes, install it on your DCs as soon as feasible, after testing, of course. The Microsoft bulletin indicates that it changes a check done by Kerberos, so unless someone is using malformed ticket requests, I don't anticipate problems with the changed code. (In my testing thus far, I haven't seen any issues.) The patch is being offered to other systems as well, apparently out of an overabundance of caution.