Wolfgang
Leader

AD-query failed with Microsoft Windows Server 2022

Hello CheckMates,

with Windows Server 2022 Microsoft changed the default behaviour of the RPC authentication level.

Following this, AD-query failed (remote login not possible, access roles not enforced, etc.). Available in the knowledgebase is this article:

Check Point response to CVE-2021-26414 - "Windows DCOM Server Security Feature Bypass"

There is a statement: "Check Point R&D is working on a permanent solution for this issue."

Any solutions for this problem or a timeline when available?

Wolfgang

13 Replies
_Val_
Admin

There is a workaround in the case. Did you see the link to the MS article in the comments?

Wolfgang
Leader

@_Val_ yes, I see. But the solution is lowering the security on the Microsoft side. I know Identity Collector is the better solution, but at the moment we are using only AD-query.

JeanMarc_C
Explorer

Are you sure the workaround works on Server 2022 as well and not only on previous versions having the update for CVE-2021-26414? The MS KB article states that the workaround will not be possible anymore at some point, and Server 2022 is not listed. So possibly Server 2022 is already in this state.

Wolfgang
Leader

@JeanMarc_C yes, you're right. With 2022 this does not work. We tried this, but AD query was failing again. Reading Microsoft's knowledgebase article again made us realize that it's not supported with 2022 (as you mentioned). I forgot to post about it here. The solution is to switch to Identity Collector.

There should be a hint in the documentation that AD query no longer works with domain controllers on Microsoft Server 2022.

JozkoMrkvicka
Leader

Will AD query on Microsoft Server 2022 never work, or only until Check Point releases the fix?

Kind regards,
Jozko Mrkvicka
Wolfgang
Leader

Looks like you have to install KB5005619 on Microsoft Server 2022 and then you can set the mentioned registry value to disabled. But after Q2 2022 this will no longer be available. Have a look at the timeline in KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414).

@_Val_ would you please check internally regarding AD query and Microsoft Windows Server 2022.

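An added example, not from this thread or from Check Point: a PowerShell audit to run on the Server 2022 domain controller that AD Query talks to, showing whether KB5005619 is installed, whether the DCOM hardening registry value from KB5004442 is set, and which client activations the hardened authentication-level policy has rejected recently. The registry value name (RequireIntegrityActivationAuthenticationLevel) and the event ID (10036) are taken from Microsoft's KB5004442, not from this thread; the check assumes they are unchanged on your build.

```powershell
# Added example (not from the thread): audit DCOM hardening state on a DC.
# Run in an elevated PowerShell session on the domain controller.
# Registry value and event ID as documented in Microsoft KB5004442 (assumed
# unchanged on your build); KB5005619 is the update named in the thread.

$OleKey    = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$ValueName = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    $kb    = Get-HotFix -Id 'KB5005619' -ErrorAction SilentlyContinue
    $item  = Get-ItemProperty -Path $OleKey -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$ValueName } else { $null }

    # Per KB5004442: 0 = hardening disabled, 1 = enabled. The thread reports the
    # value is only honoured on Server 2022 after KB5005619, and Microsoft
    # removed the ability to disable it in a later phase (see the KB timeline).
    if ($null -eq $value) {
        $state = 'not set: platform default applies (enforced on Server 2022)'
    } elseif ($value -eq 0) {
        $state = 'disabled via registry (temporary workaround per KB5004442)'
    } else {
        $state = 'enabled via registry'
    }
    [pscustomobject]@{
        KB5005619Installed = [bool]$kb
        RegistryValue      = $value
        HardeningState     = $state
    }
}

function Get-DcomRejectedActivations {
    param([int]$Hours = 24)
    # Event 10036 (provider Microsoft-Windows-DistributedCOM, System log) is
    # written on the server when the authentication-level policy rejects a
    # client activation; its message names the rejected account and client
    # address, so a gateway doing AD Query shows up here when it is blocked.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-DcomHardeningState | Format-List
Get-DcomRejectedActivations -Hours 24 | Format-Table -AutoSize -Wrap
```

If the second command lists 10036 events whose client address is the gateway, the DC is rejecting AD Query because of the hardening, which is the condition the thread describes and which only switching to Identity Collector (or identity sharing) avoids.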
Royi_Priov
Employee

Hi @Wolfgang,

Unfortunately, there is no simple fix here to adjust AD Query to work with this security enhancement.

We are still investigating the amount of effort needed here, but I can say it will not take only a few weeks.

As the SK stated, this is a problem which only AD Query suffers from, and Identity Collector, which uses a different method for acquiring identities, works with no change.

I will revise the SK with the needed info raised in this thread - thanks for sharing.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
_Val_
Admin

Thanks Royi, we appreciate the transparency.

SGInfra
Explorer

Hello,

What solution or workaround would there be for Gaia Embedded devices (15xx appliances)? Those don't have the option to use Identity Collector.

ID Awareness Screenshot.png

Thanks,

Raitis Robeznieks

PhoneBoy
Admin

Share identities from a gateway that can.
This could even be a two-core VM off to the side running regular Gaia.

JeanMarc_C
Explorer

I had a ticket with support for this, and there is an ETA to support Server 2022 and the security strengthening according to the MS KB for the end of January 2022. In the meantime, the workaround or solution is to work with Identity Collector (which is better than AD Query), share identities between gateways, or use Identity Agent.

It is however not 100% clear if AD 2022 with the registry key change according to the MS KB is meant to work or not. In my case, on embedded R77.20, it does not work but changes the status of the AD from "internal error" to "bad credential".

SGInfra
Explorer

Thank you, PhoneBoy, for your suggestion.

I have disabled AD Query for all embedded devices and enabled them to get shared identities from those appliances that use ID Collector.

Will see how this will work. I was afraid that using ID Sharing Identities will not work if requests/traffic are not processed through the GW that is the identity source (for example, on-site local traffic between separated interfaces/subnets).

Best Regards,

Raitis

Royi_Priov
Employee

Hi Raitis, @SGInfra

The Identity Sharing mechanism allows a more efficient way to save identities. For example, a gateway which handles traffic for specific subnets will get only the identities which are part of those subnets. This design allows each gateway to receive only the needed identities and not process unneeded sessions.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D