KB5008383 - Can see event 3051,3054,3056,3047 and 3049 - What to do next to fix before enforcement

Danish Anwar 21 Reputation points
2023-03-28T09:39:07.1166667+00:00

Hello,

In my environment I can see events 3051, 3054, 3056, 3047 and 3049 logged.

We understand that after enforcement on April 11, 2023 these will cause issues.

But what to do now to fix them before enforcement is not clear. What changes should be made to the identified accounts? How do we identify what extra permissions an account has based on the text in the event?

Active Directory
Windows Server Security

1 answer

  1. Limitless Technology 44,546 Reputation points
    2023-03-29T11:24:17.4966667+00:00

    Hello,

    As specified in the official article, you should perform the following actions to enforce the measures:

    After installing CVE-2021-42291, characters 28 and 29 of the dSHeuristics attribute control the behavior of the update. The dSHeuristics attribute exists within each Active Directory forest and contains settings for the entire forest. The dSHeuristics attribute is an attribute of the "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<Domain>" object.

    See for more information: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5 and https://learn.microsoft.com/en-us/windows/win32/adschema/a-dsheuristics

    Then you need to set character 28 in the string to:

    1: Enforcement mode is enabled. This prevents users without domain administrator rights from setting the securityDescriptor or other attributes to values that might grant excessive permissions on computer-derived AD objects. An event is also logged when this occurs.

    And character 29:

    1: Enforcement mode is enabled. This prevents users without domain administrator rights from setting the securityDescriptor to values that might grant excessive permissions on existing computer-derived AD objects. An event is also logged when this occurs.

    In summary, the characters to modify should be:

    10th char: Must be set to 1 if the dSHeuristics attribute is at least 10 characters

    20th char: Must be set to 2 if the dSHeuristics attribute is at least 20 characters

    28th char: Must be set to 1 to enable Enforcement mode for Additional AuthZ verification

    29th char: Must be set to 1 to enable Enforcement mode for temporary Implicit Ownership removal

    Reference: https://support.microsoft.com/en-gb/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1

    --If the reply is helpful, please Upvote and Accept as answer--
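The answer above describes the dSHeuristics change but not how to apply it safely; the script below is an added example (not part of the answer or of Microsoft's KB) showing the two things the original poster asked about: listing the KB5008383 events already logged, and computing and writing the new dSHeuristics value with characters 10, 20, 28 and 29 set as required, padding a short or empty existing value with '0' rather than overwriting it. It assumes the ActiveDirectory PowerShell module, a domain controller that logs the events to the "Directory Service" event log, and an account with write access to the Directory Service object in the Configuration partition; the function names are the example's own.

```powershell
# Added example, not from the original answer or KB5008383.
# Assumptions: ActiveDirectory module present; KB5008383 audit events land in the
# "Directory Service" log on this DC; the caller can write to the Directory Service object.
Import-Module ActiveDirectory

# 1. Show which KB5008383 audit events (3044-3056) have fired, newest first.
#    The message text names the object and the account that set the questionable value.
function Get-Kb5008383Events {
    param([int]$MaxEvents = 200)
    $filter = @{ LogName = 'Directory Service'; Id = 3044..3056 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# 2. Set one 1-based position in the dSHeuristics string, padding with '0' if the
#    current value is shorter than that position (unset positions mean '0' to AD).
function Set-DsHeuristicsChar {
    param(
        [string]$Value,
        [int]$Position,
        [char]$Char
    )
    if ($Value.Length -lt $Position) {
        $Value = $Value.PadRight($Position, '0')
    }
    $chars = $Value.ToCharArray()
    $chars[$Position - 1] = $Char
    return -join $chars
}

# 3. Build the enforcement value from whatever is currently set, leaving every other
#    position untouched. Positions 10 and 20 are the required sanity markers ('1' and
#    '2'); 28 and 29 enable the two KB5008383 enforcement modes.
function Get-Kb5008383DsHeuristics {
    param([string]$Current)
    $new = $Current
    $new = Set-DsHeuristicsChar -Value $new -Position 10 -Char '1'
    $new = Set-DsHeuristicsChar -Value $new -Position 20 -Char '2'
    $new = Set-DsHeuristicsChar -Value $new -Position 28 -Char '1'
    $new = Set-DsHeuristicsChar -Value $new -Position 29 -Char '1'
    return $new
}

# --- main ---
Get-Kb5008383Events | Format-List

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

$current = (Get-ADObject -Identity $dsObject -Properties dSHeuristics).dSHeuristics
if (-not $current) { $current = '' }
$new = Get-Kb5008383DsHeuristics -Current $current

Write-Host "Current dSHeuristics: '$current'"
Write-Host "New     dSHeuristics: '$new'"

# -Confirm forces a prompt; this is a forest-wide setting, so review the printed
# values before answering yes.
if ($new -ne $current) {
    Set-ADObject -Identity $dsObject -Replace @{ dSHeuristics = $new } -Confirm
}
```

Starting from an empty attribute the computed value is 00000000010000000002000000011 (29 characters). Because the script edits individual positions instead of replacing the whole string, any other heuristics your forest already relies on (for example a non-default character 7 or 13) are preserved; run it once, then re-check the Directory Service log for new 3044-3056 events to confirm the flagged writes are now blocked rather than merely audited.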

