Windows computers and servers update on a monthly basis. Most of these updates are self-installing and need no other interaction. Sometimes, though, you need to add registry keys to enable or disable additional security settings. I discussed the additional registry keys needed for Spectre and Meltdown protection earlier, but other updates often need additional settings.
One way to learn about these needed registry settings is to read the security bulletin. Your vulnerability scanner might indicate missing protections after it scans your network, too. At times the new registry keys are not part of a security bulletin but part of a security advisory. An advisory is sent when there is no patch released. Advisories often give information about additional protections you need or an upcoming change in updates that will impact your systems.
Blocking unsafe ticket-granting tickets in Windows
In the February updates, for example, advisory ADV190006 pointed out an upcoming change that will impact Active Directory implementations. The advisory notes a change outlined in Knowledge Base article KB4490425 in how Microsoft handles ticket-granting tickets (TGTs). Currently the default configuration when you trust identities from another Active Directory forest lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest.
This unsafe condition impacts Server 2019, Server 2016, Server 2012 R2 and Server 2012. In July 2019, Microsoft will release an update to harden Server 2008 R2 and Server 2008. In the meantime, the advisory gives guidance on how to block unsafe TGT delegation across an incoming trust by setting the netdom flag EnableTGTDelegation to “no” using the following command.
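Before flipping the flag, most administrators want to know which of their trusts actually allow TGT delegation today. The PowerShell below is an added example, not a script from the advisory or from Microsoft: it lists the trusts of the local forest that are incoming (or bidirectional) and still have TGT delegation enabled, then prints the matching netdom command for each. It assumes the ActiveDirectory RSAT module is available, that Get-ADTrust exposes the TGTDelegation and Direction properties, and that the netdom syntax is the one given in KB4490425 (netdom trust <trusting domain> /domain:<trusted domain> /EnableTGTDelegation:No); check the KB for your exact version before running anything against production.

```powershell
# Added example (not from the article or from Microsoft): audit trusts for TGT
# delegation and emit the netdom hardening command described in ADV190006.
# Assumptions: ActiveDirectory module present; Get-ADTrust returns TGTDelegation
# and Direction; netdom syntax per KB4490425. Run in the *trusted* forest, since
# that is the side that hands forwardable TGTs to the trusting forest.

Import-Module ActiveDirectory

function Get-UnsafeTgtDelegationTrust {
    # Incoming and bidirectional trusts are the ones across which this forest's
    # identities can be delegated to the trusting forest.
    Get-ADTrust -Filter * -Properties * |
        Where-Object {
            $_.TGTDelegation -eq $true -and
            $_.Direction.ToString() -in @('Inbound', 'BiDirectional')
        }
}

$localDomain = (Get-ADDomain).DNSRoot
$unsafe = Get-UnsafeTgtDelegationTrust

if (-not $unsafe) {
    Write-Output "No incoming trusts with TGT delegation enabled in $localDomain."
    return
}

foreach ($trust in $unsafe) {
    Write-Output ("Trust with {0} ({1}) allows TGT delegation." -f $trust.Name, $trust.Direction)
    # Hardening command from KB4490425: <trusting domain> is the remote side,
    # /domain: is this (trusted) forest. Review before executing.
    Write-Output ("  netdom trust {0} /domain:{1} /EnableTGTDelegation:No" -f $trust.Name, $localDomain)
}
```

Run it read-only first and treat the printed netdom lines as a worklist. Any workload that depends on unconstrained delegation across one of those trusts will stop working once the flag is set to no, so inventory those dependencies before you apply the change, and re-run the audit afterwards to confirm TGTDelegation now reports false.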