Executive Summary

Summary
Title Microsoft Security Advisory 3057154
Informations
Name KB3057154 First vendor Publication 2015-07-14
Vendor Microsoft Last vendor Modification 2015-12-08
Severity (Vendor) N/A Revision 1.0

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score Not Defined Attack Range Not Defined
Cvss Impact Score Not Defined Attack Complexity Not Defined
Cvss Expoit Score Not Defined Authentication Not Defined
Calculate full CVSS 2.0 Vectors scores

Detail

Microsoft Security Advisory 3057154

Update to Harden Use of DES Encryption

Published: July 14, 2015 | Updated: December 8, 2015

Version: 1.1

Executive Summary

Microsoft is announcing the availability of an update to harden scenarios in which Data Encryption Standard (DES) encryption keys are used with accounts to ensure that domain users, services, and computers that support other encryption types are not vulnerable to credential theft or elevation of privilege attacks. DES is considered a weak cipher due to well-known brute force and faster than brute force attacks. The cryptographic algorithm has also been removed from the standard [RFC 6649]. To further protect our users, Microsoft has disabled DES by default in Windows 7 and Windows Server 2008 R2 and later operating systems. However, this update does allow DES to be used between client and server to address scenarios in which DES is still required for application compatibility reasons. The improvement is part of ongoing efforts to bolster the effectiveness of encryption in Windows and still support legacy line-of-business (LOB) applications.

The following accounts can never use DES to protect TGTs and service tickets because all Windows domain controllers that support the Kerberos protocol also support at least RC4:

  • krbtgt account
  • Domain controller accounts

In addition, the following accounts cannot use DES to protect TGTs and service tickets unless DES is the only supported encryption type:

  • computer accounts
  • service accounts
  • trust accounts
  • user accounts

For additional details and deployment guidance, see Microsoft Knowledge Base Article 3057154.

Affected Software

Operating System

Windows Server 2003 Service Pack 2

Windows Server 2003 R2 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 R2 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows 8 for 32-bit Systems

Windows 8 for x64-based Systems

Windows 8.1 for 32-bit Systems

Windows 8.1 for x64-based Systems

Windows Server 2012

Windows Server 2012 R2

Windows RT

Windows RT 8.1

Server Core installation option

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)


Advisory FAQ

What is the scope of the advisory?
To announce the availability of an update to harden scenarios in which Data Encryption Standard (DES) encryption keys are allowed for domain accounts.

What does the update do?
The update allows clients to still access services that use DES without allowing them to use DES with the Kerberos Key Distribution Center (KDC).

Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Feedback

  • You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.

Support

  • Customers in the United States and Canada can receive technical support from Security Support. For more information, see Microsoft Help and Support.
  • International customers can receive support from their local Microsoft subsidiaries. For more information, see International Support.
  • Microsoft TechNet Security provides additional information about security in Microsoft products.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (July 14, 2015): Advisory published.
  • V1.1 (December 8, 2015): Advisory updated to include more information about disabling DES by default in Windows 7 and Windows Server 2008 R2 and later operating systems. The update allows DES to be used between client and server to address scenarios in which DES is still required for application compatibility reasons.

Page generated 2015-12-03 13:53Z-08:00.

Original Source

Url : http://www.microsoft.com/technet/security/advisory/3057154.mspx

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2016-04-09 13:21:04
  • First insertion