Can Windows updates lower your security?
Microsoft has started investigating the latest Patch Tuesday updates deployment, which, according to reports by Windows admins, leads to authentication failures on some Windows services.
Some Windows System Administrators reported that certain group policies were not applying after installing May 2022 Tuesday updates. They were getting “Authentication failed due to a user credentials mismatch” messages.
Even though these updates are intended for Windows 11 and Windows Server 2022 systems, Microsoft confirmed that the problem only triggers after these updates have been installed on Domain Controllers.
In a document posted on Microsoft Build Microsoft explained that the authentication failures might occur for several services including Protected Extensible Authentication Protocol (PEAP), Extensible Authentication Protocol (EAP), Radius, Route, and Remote access Service (RRAS), and Network Policy Server service (NPS).
Furthermore, the company explained that these authentication issues are caused by security updates that address privilege escalation vulnerabilities in Windows Kerberos and Active Directory services. It’s worth saying that the recently patched vulnerability in Microsofts’ Active Directory Domain Services (CVE-2022-26923) has a high severity CVSS score of 8.8. If this vulnerability remains unpatched on your systems it can be exploited by elevating the privileges of a domain admin account. Along with that, the vulnerability in Windows Kerberos (CVE-2022-26931) also has a high severity CVSS 7.5 score.
In order to mitigate issues, Microsoft recommends manually mapping certificates to a machine account in Active Directory and checking Kerberos Operational log to check which domain controller is failing to sign in.
Some System Administrators reported that in order to fix the authentication issues, admins can disable the StrongCertificateBindingEnforcmenet registry key by setting it to 0, which actually sets the Kerberos Distribution Center (KDC) to compatibility mode.