Solved

Microsoft Security Bulletin MS14-066 - Critical

Posted on 2014-11-19
Last Modified: 2014-11-25
Vulnerability in Schannel Could Allow Remote Code Execution (2992611)

We are planning to deploy this out-of-band patch that was released yesterday.
Before that, can I know whether it is critical on domain controllers and less critical on servers? We will have to plan to patch accordingly.

If it is critical on DCs, we will do it right away. Hope it can wait on other server editions for some time.
Please confirm.

How about servers in the DMZ? How critical is it in that environment?
Question by:Good
4 Comments
 
LVL 37

Accepted Solution

by:
Neil Russell earned 250 total points
ID: 40453267
As with ANY critical patch release, read the info from Microsoft.
https://technet.microsoft.com/en-us/library/security/ms14-066.aspx

This is over a week old now and yesterday's release was version 2 of the fix. It is rated as critical on an OS basis, not what or where the OS is installed. A Windows server is a Windows server. AD is a role installed on top of the server, therefore the server is still an affected server.
 

Author Comment

by:Good
ID: 40454136
The affected OS is the Windows OS, but if the component mainly affected is the Kerberos KDC, which is the main component of a domain controller?
 
LVL 29

Assisted Solution

by:Rich Weissler
Rich Weissler earned 250 total points
ID: 40460820
Good,
  Last Tuesday, an out of band announcement was made, and two security bulletins were impacted.
  First, MS14-066, concerning the SChannel update you mentioned originally, was updated.  They pulled back the Windows 2008 R2 and Windows 2012 patches and replaced them because folks were encountering issues with some of the encryption algorithms.  Yes, it's bad, but it impacts many servers... not just DCs.
  Second, MS14-068 was released.  This is the one that impacts Kerberos on DCs.  Folks are running around screaming because apparently there are limited exploits, and I haven't seen that folks are saying that they are 'in the wild' yet.  Yes, install it on your DCs as soon as feasible, after testing of course.  The Microsoft bulletin indicates that it changes a check done by Kerberos, so unless someone is using malformed ticket requests, I don't anticipate problems with the changed code.  (In my testing thus far, I haven't seen any issues.)  The patch is being offered to other systems as well, apparently out of an overabundance of caution.