Microsoft releases security update for new IE zero-day

All I want for Christmas is a new security update to patch a zero-day IE exploit...

Microsoft has today released an out-of-band update for an Internet Explorer vulnerability that is currently being exploited in the wild. Just in time for all those admins planning to have some time off, and well after any planned change-lockout windows have come into effect!

According to the security advisory, the IE zero-day allows an attacker to execute malicious code on a user’s computer. An attacker who successfully exploits the vulnerability gains the same rights as the current user, and we’re all doing the right thing and NOT granting our users admin rights, aren’t we?

In a nice move by Microsoft, for all those IT admins half way out the door for the holiday period who may not have the time to thoroughly test and deploy the latest hotfix and cumulative update, the security advisory for CVE-2018-8653 also contains a workaround that restricts access to the affected IE scripting engine until the official patch can be deployed.

Workarounds

The workaround provided by Microsoft is simply to remove user access to the affected DLL (jscript.dll). This is the legacy JScript engine, not the default JavaScript engine that modern Internet Explorer uses (Jscript9.dll); jscript.dll is only loaded when a page specifically requests it as the scripting engine, which is what the exploit does, so the workaround should have minimal impact on general browsing.

Edit (22/12): Microsoft has modified the workaround slightly (added the takeown command) and republished it; updated below.

Edit (20/12, 15:30 AEDST): Microsoft has unpublished the suggested workaround.

Restrict access to JScript.dll

For 32-bit systems, enter the following command at an administrative command prompt:

For 64-bit systems, enter the following command at an administrative command prompt:

Impact of workaround. By default, IE11, IE10 and IE9 use Jscript9.dll, which is not affected by this vulnerability. The vulnerability only affects websites that explicitly use jscript as their scripting engine, so those sites will stop working while the workaround is in place.

How to undo the workaround. For 32-bit systems, enter the following command at an administrative command prompt:

For 64-bit systems, enter the following command at an administrative command prompt:
Windows and NTP

It’s important that Windows time is set correctly – Kerberos rejects authentication from clients more than five minutes out of sync by default, and correlating events across systems depends on consistent timestamps – but how Windows time works seems to be a poorly understood area.

In this article, I’ll try to clear up the concepts and explain what is, in my opinion, the best way to implement time services throughout your domain(s).

Background

  • Windows domain members, by default, take their time from the domain hierarchy, at the top of which sits the domain controller holding the FSMO role “PDC emulator”
  • In a multi-domain environment, the PDCe in the forest root domain is the overall master; the PDCe of each child domain syncs from a DC in its parent domain
  • UDP port 123 (NTP) is used for all communications
  • All other DCs in a domain will, by default, use the PDCe as their time source. There is no need to set anything here unless something has gone wrong.
  • Workstations and member servers will, by default, use a domain controller (normally one in their own site) as their time source; those DCs in turn chain up to the PDCe. There is no need to set anything here unless something has gone wrong.
  • The Windows Server 2016 time service optionally offers more accurate time than previous versions – https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/accurate-time

Setting up NTP on the PDCe

I strongly recommend using group policy to set up NTP on your PDC emulator, not the command line. A group policy makes the settings a) obvious and b) easily transportable to new DCs as you migrate or upgrade in the future, whereas settings made with w32tm /config live only in the registry of the DC that happened to hold the role at the time.

  • Create a new GPO, I name mine “Domain Controller – Set NTP on PDCe”
    • Narrow it down to your PDCe by either
      • Removing “Authenticated Users” from the security filtering and adding your current PDCe (this will need to be manually updated if/when the PDCe role moves)
      • Using the WMI filter “Select * from Win32_ComputerSystem where DomainRole = 5” (DomainRole 5 is the primary domain controller, so this follows the role automatically when it moves)
    • Set the following within the group policy
      • Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers
      • Enable Windows NTP Client: Enabled
      • Enable Windows NTP Server: Enabled
      • Configure Windows NTP Client: Enabled
        • NtpServer: <YourExternalNTPServer1>,0x1 <YourExternalNTPServer2>,0x1 (the 0x1 flag tells the client to poll at SpecialPollInterval; for Adelaide-based clients I used ntp.internode.on.net and ntp.adelaide.edu.au – a local ISP and a local university – but these could be any publicly available NTP servers)
        • Type: NTP
        • CrossSiteSyncFlags: 2
        • ResolvePeerBackoffMinutes: 15
        • ResolvePeerBackoffMaxTimes: 7
        • SpecialPollInterval: 3600
        • EventLogFlags: 0

Commands to check status and troubleshoot

  • w32tm /monitor – this exceedingly useful command shows the status of all DCs in the domain, where each is configured to get its time from, its stratum, and its offset from the authoritative time source
  • if a domain controller is having issues, point it back at the domain hierarchy and restart the service
    • w32tm /config /syncfromflags:domhier /update
    • net stop w32time
    • net start w32time
  • w32tm /query /status – shows the local machine’s stratum, last sync time and current source

Using policy to set clients to look at AD for time

This is the default behaviour of Windows and you should not need to set this; however, in some places I’ve found we have had to.

  • Computer Configuration -> Administrative Templates -> System -> Windows Time Service -> Time Providers
    • Configure Windows NTP Client: Enabled
      • NtpServer: <YourDC1>,0x1 <YourDC2>,0x1
      • Type: NT5DS (the domain-hierarchy type; with NT5DS the client picks its peer from the domain hierarchy rather than from the NtpServer list, so the list above is a fallback for documentation rather than what selects the source)
      • CrossSiteSyncFlags: 2
      • ResolvePeerBackoffMinutes: 15
      • ResolvePeerBackoffMaxTimes: 7
      • SpecialPollInterval: 3600
      • EventLogFlags: 0
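To tie the PDCe policy, the troubleshooting commands and the client policy together, here is an added audit script (mine, not from the original post) that reads the effective W32Time settings from the registry, works out whether the local machine is the PDCe using the same Win32_ComputerSystem DomainRole = 5 test as the WMI filter above, checks that the Type matches the role (NTP on the PDCe, NT5DS everywhere else), and measures the clock offset against a reference host with w32tm /stripchart. The registry locations are the documented W32Time policy and service keys; the reference host name and the one-second threshold are this example’s assumptions.

```powershell
<#
  Added example (not from the original post): audit this machine's Windows Time
  configuration against the roles described above and measure its offset.
  Assumptions: the reference host and the MaxOffsetSeconds threshold below.
#>
param(
    [string]$Reference = 'pool.ntp.org',   # assumption: host to measure the offset against
    [double]$MaxOffsetSeconds = 1.0        # assumption: what counts as "too far out"
)

# Group-policy-delivered values take precedence over the service's own keys,
# so look in the Policies hive first and fall back to the service key.
function Get-W32TimeValue {
    param([string]$SubKey, [string]$Name)
    foreach ($root in 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time',
                      'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time') {
        $key  = Join-Path $root $SubKey
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

# Win32_ComputerSystem.DomainRole: 5 = primary domain controller (the PDCe),
# 4 = backup domain controller (any other DC), 1/3 = member workstation/server.
$role   = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isPdce = ($role -eq 5)

$type       = Get-W32TimeValue -SubKey 'Parameters'              -Name 'Type'
$ntpServer  = Get-W32TimeValue -SubKey 'Parameters'              -Name 'NtpServer'
$pollSecs   = Get-W32TimeValue -SubKey 'TimeProviders\NtpClient' -Name 'SpecialPollInterval'
$srvEnabled = Get-W32TimeValue -SubKey 'TimeProviders\NtpServer' -Name 'Enabled'

$findings = New-Object System.Collections.Generic.List[string]
if ($isPdce) {
    if ($type -ne 'NTP')   { $findings.Add("PDCe Type is '$type'; expected NTP with external peers") }
    if (-not $ntpServer)   { $findings.Add('PDCe has no NtpServer list and will free-run') }
    if ($srvEnabled -ne 1) { $findings.Add('NTP server provider is not enabled on the PDCe; other DCs cannot chain to it') }
} else {
    if ($type -ne 'NT5DS') { $findings.Add("Type is '$type'; a non-PDCe should use NT5DS (domain hierarchy)") }
}
# The 0x1 flag on an NtpServer entry means "poll at SpecialPollInterval", so that value must exist.
if ($ntpServer -match ',0x1' -and -not $pollSecs) {
    $findings.Add('NtpServer entries carry flag 0x1 but SpecialPollInterval is not set')
}

# /dataonly prints one "HH:mm:ss, +00.0012345s" line per sample. The regex also
# accepts a comma decimal separator so it works on non-English locales.
$samples = & w32tm.exe /stripchart /computer:$Reference /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $samples) {
    if ("$line" -match ',\s*([+-]\d+[.,]\d+)s') { [double]($Matches[1] -replace ',', '.') }
}
if ($offsets) {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -gt $MaxOffsetSeconds) {
        $findings.Add("Offset from $Reference is ${worst}s, above the $MaxOffsetSeconds s threshold")
    }
} else {
    $findings.Add("Could not sample $Reference (UDP 123 blocked, or the name did not resolve)")
}

[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    IsPdce    = $isPdce
    Type      = $type
    NtpServer = $ntpServer
    OffsetSec = $offsets
    Findings  = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
}
```

Run it on the PDCe with `-Reference <YourExternalNTPServer1>` and on a member with `-Reference <YourPDCe>`; a healthy estate returns Findings = OK everywhere, and a Type of NTP on a machine that is not the PDCe is the classic sign that someone once fixed a clock with w32tm /config on that box and the policy-based configuration is being bypassed. The stripchart sample needs UDP 123 open to the reference, which is also a quick way to confirm that the firewall rule the first section of this post relies on is actually in place.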

References

https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/how-the-windows-time-service-works

https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/accurate-time

https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/

Configure NTP Time Sync using Group Policy