Solved

Microsoft Security Bulletin MS14-066 - Critical

Posted on 2014-11-19
4
283 Views
Last Modified: 2014-11-25
Vulnerability in Schannel Could Allow Remote Code Execution (2992611)

we are planning to deploy this out of band patch that released yesterday.
before that can I know whether it critical on Domain controllers and less critical on Servers. we will have to plan to patch it accordingly.

If it is critical on DCs, we will do right away. hope it can wait on other server editions for some time.
please confirm.

how about servers in DMZ, how critical in that environment?
0
Comment
Question by:Good
4 Comments
 
LVL 37

Accepted Solution

by:
Neil Russell earned 250 total points
ID: 40453267
As with ANY critical patch release, read the info from Microsoft.
https://technet.microsoft.com/en-us/library/security/ms14-066.aspx

This is over a week old now and yesterdays release was version 2 of the fix.  It is rated as critical on an OS basis, not what or where the OS installed.  A windows server is a windows server. AD is a role installed ontop of the server, therefore the server is still an affected server.
0
 

Author Comment

by:Good
ID: 40454136
affected OS is windows OS, but if we the component mainly affected is kerberos KDC which is main component of Domain controller?
0
 
LVL 30

Assisted Solution

by:Rich Weissler
Rich Weissler earned 250 total points
ID: 40460820
Good,
  Last Tuesday, an out of band announcement was made, and two security bulletins were impacted.
  First, MS14-066, concerning the SChannel update you mentioned originally, was updated.  They pulled back the Windows 2008 R2, and Windows 2012 patch and replaced them because folks were encountering issues with some of the encryption algorithms.  Yes, its bad, but it impacts may servers... not just DCs.
  Second, MS14-068 was released.  This is the one that impacts Kerberos on DCs.  Folks are running around screaming because apparently there are limited exploits, and I haven't seen that folks are saying that they are 'in the wild' yet.  Yes, install it on your DCs as soon as feasible, after testing of course.  The Microsoft bulletin indicates that it changes a check done by Kerberos, so unless someone is using malformed ticket requests, I don't anticipate problems with the changed code.  (In my testing thus far, I haven't seen any issues.)  The patch is being offered to other systems as well, apparently out of an overabundance of caution.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The article will show you how you can maintain a simple logfile of all Startup and Shutdown events on Windows servers and desktops with PowerShell. The script can be easily adapted into doing more like gracefully silencing/updating your monitoring s…
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question