Managing deployment of the RBCD and Protected Users changes (CVE-2020-16996)

If you use the Protected Users security group together with Resource-Based Constrained Delegation (RBCD), your Active Directory domain controllers may be affected by a security vulnerability. To learn more about the vulnerability, see CVE-2020-16996.

Take Action
To protect your environment and prevent outages, you must complete both of the following steps:
  1. Update all devices that host the Active Directory domain controller role by installing the December 8, 2020 Windows update or a later Windows update. Be aware that installing the Windows update alone does not fully mitigate the security vulnerability; you must also perform step 2.
  2. Enable Enforcement mode on all Active Directory domain controllers. Starting with the March 9, 2021 update, Enforcement mode can be enabled on all Windows domain controllers.

Timing of updates
These Windows updates will be released in two phases:
  • The initial deployment phase for Windows updates released on or after December 8, 2020.
  • The enforcement phase for Windows updates released on or after March 9, 2021.

December 8, 2020: Initial Deployment Phase
The initial deployment phase starts with the Windows update released on December 8, 2020 and continues until the later Windows update that begins the Enforcement phase. These and later Windows updates make changes to Kerberos.

This release:
  • Addresses CVE-2020-16996; the protection is disabled by default.
  • Adds support for the NonForwardableDelegation registry value, which enables the protection on Active Directory domain controllers. By default, the value does not exist.

Mitigation consists of installing the Windows updates on all devices that host the Active Directory domain controller role, including read-only domain controllers (RODCs), and then enabling Enforcement mode.

March 9, 2021: Enforcement Phase
The March 9, 2021 release transitions into the Enforcement phase, in which the changes that address CVE-2020-16996 are enforced. Active Directory domain controllers will now be in Enforcement mode unless the Enforcement mode registry value is set to 1 (Disabled). If the Enforcement mode registry value is set, the setting is honored. Moving to Enforcement mode requires that all Active Directory domain controllers have the December 8, 2020 update or a later update installed.
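Because step 2 of Take Action has to hold on every domain controller, and the Enforcement phase above defines the meaning of the NonForwardableDelegation value (1 = Disabled; absent = Enforcement once the March 9, 2021 or later update is installed), an administrator will want to audit all DCs at once rather than check them one by one. The following PowerShell script is an added example and is not part of the Microsoft advisory. It assumes the RSAT ActiveDirectory module, WinRM access to the DCs, and administrative rights on them; the registry key that holds NonForwardableDelegation is not given on this page, so the `$KdcKeyPath` value is a placeholder that must be filled in from the Microsoft KB for CVE-2020-16996 before the script is run. The function name `Get-RbcdEnforcementState` is this example's own.

```powershell
# Added example, not from the Microsoft advisory: report the RBCD/Protected Users
# Enforcement state of every domain controller in the current domain.
#Requires -Modules ActiveDirectory

# PLACEHOLDER: this page does not give the registry key that holds the
# NonForwardableDelegation value. Take it from the Microsoft KB for CVE-2020-16996.
$KdcKeyPath = 'HKLM:\SYSTEM\<registry-key-path-from-the-KB>'
$ValueName  = 'NonForwardableDelegation'

function Get-RbcdEnforcementState {
    # Runs on each DC. Interpretation follows the advisory:
    #   value 1       -> Enforcement disabled
    #   value absent  -> Enforcement, provided the March 9, 2021 or later update is installed
    #                    (with only the December 8, 2020 update, absent means disabled by default)
    #   any other set value -> honoured as Enforcement
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$Name
    )
    if (-not (Test-Path -Path $KeyPath)) {
        return [pscustomobject]@{ Value = $null; Mode = 'Key not found (check the placeholder path)' }
    }
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Mode = 'Enforced (value absent; requires March 2021+ update)' }
    }
    $v = $item.$Name
    if ($v -eq 1) {
        return [pscustomobject]@{ Value = $v; Mode = 'Disabled (explicitly set to 1)' }
    }
    return [pscustomobject]@{ Value = $v; Mode = 'Enforced (explicitly set)' }
}

# Enumerate every DC (including RODCs) and query them in parallel over WinRM.
$dcs = (Get-ADDomainController -Filter *).HostName
$results = Invoke-Command -ComputerName $dcs `
    -ScriptBlock ${function:Get-RbcdEnforcementState} `
    -ArgumentList $KdcKeyPath, $ValueName

$results |
    Select-Object PSComputerName, Value, Mode |
    Sort-Object PSComputerName |
    Format-Table -AutoSize

# Any DC still reporting 'Disabled' has not completed step 2 of Take Action.
$disabled = @($results | Where-Object { $_.Mode -like 'Disabled*' -or $_.Mode -like 'Key not found*' })
if ($disabled.Count -gt 0) {
    Write-Warning ("{0} domain controller(s) are not in Enforcement mode for CVE-2020-16996." -f $disabled.Count)
}
```

Run the script from a management host after all domain controllers have received the March 9, 2021 or later update; before that point an absent value should be read as "disabled by default", as the Initial Deployment Phase section states, so the "Enforced (value absent)" line is only meaningful once the patch level has been confirmed separately.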
