Sponsored by..

Wednesday, 11 July 2007

MS07-039 clarification

Yesterday was Patch Tuesday, and amongst the usual load of vulnerabilities was MS07-039 - Vulnerability in Windows Active Directory Could Allow Remote Code Execution (926122) - however in this case Microsoft are a little vague about exactly which servers are impacted, referring only to "Active Directory Servers".

Well, what are Active Directory Servers? If you're running an AD environment then all servers are members servers of Active Directory. Does these mean that all servers needs patching, or is it restricted to Domain Controller (DC) and Global Catalog (GC) servers only? Patching DCs and GCs isn't too big a deal.. patching all servers for MS07-039 would be a nightmare.

One the clue is in Knowledgebase article 926122 which explains that this really is limited to servers performing the DC/GC role:

A hotfix was created to work around a problem in which the domain controller has to be restarted to let users renew their certificates. However, this hotfix let any user renew a certificate. This security update includes a hotfix to modify this behavior. After you install this security update, authentication is required for certificate renewal.

After you install this security update, only domain administrators and network administrators can renew certificates. Also, an administrator cannot delegate the right to renew certificates.

For such a critical vulnerability, Microsoft's wording is particularly vague. It does seem that it doesn't apply to member servers, but just to Domain Controllers (including Global Catalog servers, FSMO servers etc). These are critical servers, so you should patch them soon before the bad guys get to them.

No comments: