Microsoft Guidance for August 2024 Updates. Why is it so bad?
Posted by lighthills@reddit | sysadmin | 72 comments
For one issue: Just disable IPV6 for mitigation. Never mind that we always previously said this should not be done and is not supported, untested, unstable and may break X,Y, and Z. No explanation why this is suddenly OK to do this without being supported.
For another issue: Applying this update may cause some DNS problems. Just make sure you don't have "stale data" somewhere in your DNS. Nothing more specific to say on this subject, goodbye!
Past-Indication7921@reddit
Personally I think Microsoft sucks they don't really support anything that I know of
Past-Indication7921@reddit
I love how Microsoft asks if you would like to use the fingerprint scan to login but they don't show you where to go to do this
aXeSwY@reddit
Microsoft workarounds are mostly flimsy; the reason is to mitigate any security risk in the shortest possible time, and the easiest step will be disabling that component, especially if it's not a widely adopted feature.
Microsoft needs to take its time preparing the actual hotfix because they may break something while trying to fix another (just like when the print nightmare happened and their fix broke printing in certain scenarios).
systonia_@reddit
this sounds like you still believe that MS has QA
vabello@reddit
MS believes they have QA, and you're speaking to the majority of them in this subreddit.
Nietechz@reddit
We all are free labor QA.
coalsack@reddit
Because security and mitigating risk is not binary and sometimes a workaround or solution is meant to be temporary to slow impact while a more permanent solution is developed.
If disabling IPv6 is not viable for your environment there is probably another work around, isolate those systems on a vlan or something else.
Reverend_Russo@reddit
If the only workaround to a vulnerability is to go 100% against what the vendor (Microsoft) says to do, OR take the system off of your network. That’s pretty fucking stupid without additional context of WHY it’s ok to go against what the vendor VEHEMENTLY advises against.
If this were any other vendor and they told you to blindly disable a product without further explanation, you would not be such a simp about it.
GetITDone37@reddit
It's the Bill Hells used cars of Baltimore method. Look it up on the you tubes and keep the audio to yourself since it's NSFW
BlackV@reddit
no, cause OP didn't provide any links
lighthills@reddit (OP)
[Domain Name System (DNS)] This update hardens DNS server security to address CVE-2024-37968. If the configurations of your domains are not up to date, you might get the SERVFAIL error or time out.
https://support.microsoft.com/en-us/topic/august-13-2024-kb5041773-os-build-14393-7259-51d25311-99ad-43d3-8373-92b40022b9e1
https://admin.microsoft.com/?ref=MessageCenter/:/messages/MC860722
What you need to do to prepare: To prepare for DNS hardening changes coming in the August 2024 security update, domain owners should ensure the DNS configurations for the domains are up-to-date and there is no stale data related to the domains.
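The advisory quoted above only says to make sure there is no "stale data" for your domains. The following is an added example, not code from the thread, the KB or Microsoft: it audits one common kind of stale data, NS records whose target no longer resolves, no longer answers, or disagrees with the rest of the NS set about the zone, which is exactly the sort of mismatch that surfaces as SERVFAIL once a resolver starts checking more strictly. It assumes Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 and later) and outbound access to port 53; the zone name in the usage line is a placeholder.

```powershell
# Added example (not from the thread, the KB or Microsoft). Audits the NS set of a
# zone for stale entries: targets without an address, servers that fail or time out,
# and servers whose own NS set disagrees with what the resolver returned.
# Assumes Resolve-DnsName (DnsClient module) and outbound UDP/TCP 53.
function Test-ZoneNameServers {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Zone)

    # Normalise NS target names so trailing dots and case do not cause false mismatches
    function Get-NsSet([string]$Name, [string]$Server) {
        $query = @{ Name = $Name; Type = 'NS'; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($Server) { $query.Server = $Server }
        @(Resolve-DnsName @query |
          Where-Object QueryType -eq 'NS' |
          ForEach-Object { $_.NameHost.TrimEnd('.').ToLowerInvariant() } |
          Sort-Object -Unique)
    }

    # 1. The NS set as the normal resolver path returns it
    $expected = Get-NsSet -Name $Zone
    if ($expected.Count -eq 0) { throw "No NS records returned for '$Zone'" }

    foreach ($ns in $expected) {
        $row = [ordered]@{
            Zone       = $Zone
            NameServer = $ns
            Address    = $null   # stays empty when the NS target itself no longer resolves
            Serial     = $null   # SOA serial as served by this particular server
            NsSetMatch = $null   # $true when this server's own NS set equals $expected
            Problem    = ''
        }
        try {
            # 2. Does the NS hostname still have an address (stale glue shows up here)?
            $addr = Resolve-DnsName -Name $ns -Type A_AAAA -DnsOnly -ErrorAction Stop |
                    Where-Object { $_.QueryType -in 'A', 'AAAA' } | Select-Object -First 1
            if (-not $addr) { throw "NS target '$ns' has no A/AAAA record" }
            $row.Address = $addr.IPAddress

            # 3. Ask that server directly; SERVFAIL or a timeout surfaces as an exception
            $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $addr.IPAddress -DnsOnly -ErrorAction Stop |
                   Where-Object QueryType -eq 'SOA' | Select-Object -First 1
            if (-not $soa) { throw "No SOA answer for '$Zone' from $ns" }
            $row.Serial = $soa.SerialNumber

            # 4. Does this server agree with the resolver about who serves the zone?
            $own = Get-NsSet -Name $Zone -Server $addr.IPAddress
            if ($own.Count -eq 0) { throw "No NS answer for '$Zone' from $ns" }
            $row.NsSetMatch = (@(Compare-Object -ReferenceObject $expected -DifferenceObject $own).Count -eq 0)
            if (-not $row.NsSetMatch) { $row.Problem = "NS set differs: $($own -join ', ')" }
        }
        catch {
            $row.Problem = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Usage (example.com is a placeholder; substitute a zone you are responsible for):
# Test-ZoneNameServers -Zone 'example.com' | Format-Table -AutoSize
```

Rows with an empty Address, a non-empty Problem, or a Serial that differs from the other rows are the candidates to clean up before the hardened server is rolled out; the script only reads, so it is safe to run from any domain-joined workstation.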
BlackV@reddit
Thanks for the detail
coalsack@reddit
I kind of get the feeling he replied to the wrong person? I think this is the advisory he’s mentioning - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-37968
BlackV@reddit
Appreciate the cve
coalsack@reddit
You’re still thinking in binary. I’m making a suggestion and I am not saying it’s the only other solution. It isn’t a “this or that” resolution.
Not to mention I never said “just isolate your domain controllers and DNS server you doughnut it’s not that complicated” so please do not attribute that to me.
However, if your domain controllers are not isolated to their own vLAN; you should really prioritize that.
Overall, take a breath, you’re coming at me for no reason. You’re calling me a wimp because I’m trying to give some guidance to OP?
Find a solution that mitigates the risk as much as possible, keeps your networks running, and is sustainable. There is likely a long term solution coming in the future.
notonyanellymate@reddit
I’ve always disabled IPv6, and for this potential reason too. That’s because I remember the mess of getting IPv4 on Microsoft DOS and OS/2.
I remember someone saying you shouldn’t but they didn’t have a reason why not, and I never tried to find out why it should be left on. Here we are.
heliosfa@reddit
Ah, so you disable IPv4 as well do you given that just as many, if not more, vulnerabilities are found in the IPv4 stack?
notonyanellymate@reddit
Windows had/has a problem of being a virus magnet, more so in the past, as insecure settings were configured out of the box.
Systems managers used to have to harden Windows, by disabling unused services. Other mitigations were needed as well, where possible, to reduce the risk for things that couldn’t be disabled. This has been standard IT security best practice forever.
heliosfa@reddit
Indeed, but you are disabling a necessary service by disabling IPv6. As you are disabling a necessary component in response to this CVE, I’m assuming you disabled IPv4 in response to CVE-2023-23415 last year?
notonyanellymate@reddit
I disabled IPv6 because it wasn’t necessary, your comment is irrational.
heliosfa@reddit
By disabling it you are putting it into an unsupported state. That means it's necessary. Competent "systems managers" don't purposely put their systems into an unsupported state as a routine step.
notonyanellymate@reddit
Where does it say or did it say it was an unsupported state? Why would it be x problem. Not been a problem. Nonsense.
heliosfa@reddit
It's pretty obvious when you read their guidance Microsoft make it clear that "Internet Protocol version 6 (IPv6) is a mandatory part of Windows Vista and Windows Server 2008 and newer versions. We do not recommend that you disable IPv6 or its components. If you do, some Windows components may not function." and that "You cannot completely disable IPv6...".
In other words, you can't completely kill it and taking steps to kill it breaks things.
notonyanellymate@reddit
Oh I see, mandatory recommendations, I guess a reason things work reliably with IPv6 disabled for me is because we may be using Linux instead of the Windows functions that would otherwise fail. Anyway massive sites, zero outages, rock solid reliability.
pdp10@reddit
The NT 3.1 stack was vendored in from Spider Systems in the UK, and based on AT&T Streams, like Apple OpenTransport, but with userland derived from BSD, hence the Berkeley copyright notices. Microsoft seemed to realize in short order, that IP wasn't another check-off item in the feature list like IPX/SPX or SNA. Microsoft quickly wrote an all-new implementation, bumped the WinSock version number, and then backported the same code to Chicago and Windows 3.x.
notonyanellymate@reddit
Microsoft had TCP/IP for DOS; it came on a couple of discs and it used at least 200kB of your 640kB RAM. For Microsoft OS/2 you had to buy 3rd party products to get TCP/IP, and that was for Microsoft LAN Manager, which was their file server before NT.
Interestingly this was around the time Bill Gates wrote his book about the future of computing and didn’t even mention the Internet, despite it being in widespread use in the communication software industry.
lordjedi@reddit
Gates has never been good at predictions. Everyone knows that.
Besides, back then, a T1 was like $1000 per month. My home cable modem had the same speed for 1/10 the cost, but I was also the only one on the block with high speed Internet (because 56k modems were still a thing).
TIL that MS made a TCPIP stack for DOS though. Thanks for that!
notonyanellymate@reddit
Reminded me that we used to remote control PCs over 2400 modems and we couldn’t update to Windows because the PCs were simultaneously logging over other serial ports and Windows couldn’t handle it. DESQview could, but DOS apps only. Not sure what devices and connection we were using for Internet connectivity; I managed the Wildcat BBS!
pdp10@reddit
We never managed to get hold of a copy of any Microsoft TCP/IP for DOS -- and we tried. Years later we got the downloadable backported TCP/IP for Windows 3.11, which worked rather well but only for Win16 applications, not DOS or Packet Driver.
The stack we used in production on DOS machines was NCSA Telnet suite plus Packet Drivers for NE2000 or that 3COM equivalent of the NE2000, 3C501, I think. The different stacks and DOS applications of the time used different APIs and it was rarely clear what was compatible with what, unless you sourced them from the same place or had used a given combination before. This became a blocker, for example, to us going with Desqview/X on the DOS 386s, because the matching TCP/IP stack/suite from that vendor doubled the cost at the time.
Microsoft was target fixated on beating AOL, Compuserve, and Prodigy, with their dial-up service MSN, remember? At the time, a lot of national dialup services were leveraging existing X.25 nets and their dial-up PADs. But even wholesale, X.25 nets charge by the segment, so all of these pre-IP services charged by the minute and none of them were flat rate.
Doso777@reddit
Because Microsoft just doesn't test disabling IPv6 anymore so it's generally unsupported. We had issues with our Active Directory DNS because someone disabled IPv6 on the domain controllers.
notonyanellymate@reddit
Maybe if IPv6 was disabled at installation it probably wouldn’t have got a configuration somewhere dependent on it. Based on Exchange breaking and no one really knowing why, other than someone disabled IPv6!
BoltActionRifleman@reddit
Just disable IPv6, there’s a very good chance nothing will break and some things will actually improve.
awit7317@reddit
Only warning I can recall was for Exchange on-prem. Other than that …
Doso777@reddit
Active Directory DNS might also do interesting things when disabling/enabling IPV6 again.
jamesaepp@reddit
This is my anecdote/experience.
I find that when IPv6 is enabled on DC network adapters, they prefer to resolve DNS via ::1 because the v6 stack is preferred over the v4 stack.
What I tend to do in lab/prod environments (where v6 is unused) is set up a quick and dirty PowerShell script something like the following, slam that into a GPO, and link it to the Domain Controllers OU:
Get-NetAdapterBinding | ? -Property ComponentID -eq "ms_tcpip6" | Disable-NetAdapterBinding
I once noticed that boot times (where I consider boot arriving at the C+A+D prompt) on DCs before/after this GPO went from 2+ minutes to under 30 seconds.
DeadEyePsycho@reddit
If you are going to disable IPv6, you're supposed to do it via a registry key instead of disabling on the adapters. It keeps ::1 functional. https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows
jamesaepp@reddit
I remember looking this up before and registry changes were against MS's advice, but I don't know if I want to go through all that effort again.
I'm not even sure why disabling the IPv6 component on the network adapters fixes/fixed what I laid out above - in theory ::1 is still accessible so I don't really understand why the DNS "stack" works any differently.
DeadEyePsycho@reddit
They don't recommend it in general but the bottom of that KB says the adapter method isn't supported at all. I timed before and after setting the key on a DC and it was a very minimal change if any, both reboots were about 60 seconds.
jamesaepp@reddit
Maybe something else explains my symptoms/experiences then, I don't know.
rose_gold_glitter@reddit
I don't use on-prem anymore, but back when I did, it absolutely caused issues to disable IPv6 on Exchange. What's more, Exchange is generally exposed to the internet, too. So fun times for people using that, I guess.
heliosfa@reddit
Everywhere I’ve had it deployed, IPv6 has improved user experience because a lot of stuff users are doing is cloud hosted these days, and much of that is IPv6 enabled. Less latency = better UX = happier and more productive users.
Old_Acanthaceae5198@reddit
MS has a huge surface to patch. They must prioritize at points.
This is mitigation until it can be corrected.
ReputationNo8889@reddit
They could divert dev resources to properly secure their systems instead of developing AI Ultra +
_WirthsLaw_@reddit
But but but… AI Ultra+ has been promised to increase shareholder value! QA and support of existing products don’t!
-every shareholder
ReputationNo8889@reddit
Never mind that the whole value proposition for AI is that it's a gold rush, fueled by investors and not actually something useful
Fallingdamage@reddit
People who dont believe in scavenging dont understand DNS well enough.
onemanparty72@reddit
I don't see it referred to in this thread (apologies if I missed it), but FCA162 in the Megathread contacted support and received a response: https://www.reddit.com/r/sysadmin/comments/1eqziiy/comment/li8dwvg/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button
southceltic@reddit
Months ago, I read here on Reddit that IPv6 in Windows should NOT be disabled, that disabling it is NOT supported and NOT recommended, etc., etc., etc.
For 24 years, I had lived very (very) peacefully by simply unchecking the “IPv6 Protocol” box in my network adapters and not thinking about it anymore.
Then, after the advice of the enlightened geniuses on Reddit, I tried re-enabling it and studying IPv6.
Well, considering that my country was one of the first in the world to purchase large blocks of IPv4 addresses and therefore IPv6 practically doesn’t exist here, I have to say it was a great waste of time and peace of mind. IPv6 is a pain in the neck. I hope to retire before such a hassle affects me.
Tduck91@reddit
Unchecking the box doesn't fully disable it, and normally doesn't cause issues. If you kill it in the registry it will be fully disabled, and you "might" have issues. We have a few things that required it to be dead dead and never had any other problems.
ka-splam@reddit
RTFM:
orion3311@reddit
That IPv6 thing is the greatest thing ever - "We've never tested what would happen if you didn't use IPv6, never mind that we're a billion (trillion?) dollar company and the janitor could test it for us."
whatsforsupa@reddit
Microsoft broke the Windows Update API with a patch in June, so if you use powershell to do updates, it has had some issues.
One of their suggestions to resolve was to install an update that came out after July 25th lol
Update broken? Just update, that will fix it!
Secret_Account07@reddit
So this is a weird week for our patching schedule. Happens occasionally with patch today and our schedule.
Are the updates borked? We haven’t pushed to test yet so I guess I’ll find out eventually.
MS has actually been on a good streak for servers updated recently, for our org at least.
TheWino@reddit
Had a user who was having issues with his wifi. Had to uninstall the driver and reinstall. Worked fine after.
skipITjob@reddit
Could you have done a network reset?
TheWino@reddit
I tried that didn’t work. Didn’t try a flush dns though. If it happens to other machines I’ll give flush dns a try.
Ruben_NL@reddit
Rebooting also clears the dns cache. So that probably wouldn't have helped.
TheWino@reddit
Problem continued after a few reboots.
Reverent@reddit
Did you try running
sfc /scannow
?
Googol20@reddit
I've had IPv6 disabled without issues for years, almost a decade
SpongederpSquarefap@reddit
If you have it enabled, but V6 is totally blocked on your network, it's still disabled
I'd guess most places are like this tbh
Morph707@reddit
Heard a lot of companies doing that.
vabello@reddit
I find disabling IPv6 has a side effect of breaking all network connectivity over IPv6. That doesn't seem like a great solution. There are actually networks that don't run IPv4 at all and just use NAT64 and DNS64, albeit not a lot.
vabello@reddit
I recently had a support case open with Microsoft. I had to literally drag the details out of the Microsoft employee because their terse responses could be interpreted in so many ways and didn't take into account a myriad of things.
cjcox4@reddit
IPv6 is fundamentally broken in Windows. AFAIK, no foolproof solution apart from disabling. I've never seen an issue doing that. So Microsoft says "don't disable" and they also say, essentially, "leave the exploit path open"... bunch of weirdos.
Been this way forever btw. Easy hackfest. Microsoft should be ashamed.
pdp10@reddit
Not true. First-hop attacks are the same for IPv4 and IPv6, and all rely on the presence of MSAD and hashes. The protocol is only significant if the site has lots of IPv4 security measures (e.g., DHCPguard, arpwatch, client isolation based on Proxy ARP) but ignores IPv6.
cjcox4@reddit
Not if they can be mitigated by default in one case and not in the other. Microsoft's implementation is screwball.
brispower@reddit
agile
zandadoum@reddit
Won’t disabling ip6 break our ad/dc?
jupit3rle0@reddit
Yeah. Don't do it.
lBlazeXl@reddit
Yea, not only that, it'll make logging in and loading network files much slower, even if the device itself has it disabled and AD wasn't touched. A lot of users will complain.
jupit3rle0@reddit
No thanks. Just a few months ago I finally figured out the culprit to this weird Exchange on-prem hybrid issue whenever IPv6 was disabled. I ended up enabling v6, but setting v4 as the primary route for all domain joined devices. That fixed the issue, and was even recommended by Microsoft only a few months ago. We're still hybrid and there's no way in hell I'm going back to turning off v6. Wtf Microsoft??
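Several comments above turn on the same distinction: unchecking IPv6 on the adapter (jamesaepp's GPO one-liner, the method the KB calls unsupported), setting the DisabledComponents registry value that Microsoft's IPv6 configuration article documents (DeadEyePsycho and Tduck91), and leaving IPv6 on but making IPv4 preferred (the fix jupit3rle0 describes). The following is an added example, not code from the thread or from Microsoft: it reports which of these states a host is in, decodes the documented bits of DisabledComponents, confirms that ::1 still answers, and wraps the "prefer IPv4" bit (0x20) as the alternative to unbinding. It assumes Windows 8 / Server 2012 or later with the NetAdapter module; the Set- function needs an elevated prompt and a reboot before it takes effect. The bit meanings and the registry path come from Microsoft's article, the function names and output layout are this example's own.

```powershell
# Added example, not from the thread or from Microsoft. Reports the IPv6 posture of
# the local host (adapter binding vs. DisabledComponents), checks ::1, and offers
# the documented prefer-IPv4 bit instead of unbinding ms_tcpip6 on the adapters.
# Assumes the NetAdapter module; Set-IPv6PreferIPv4 needs elevation and a reboot.

$script:Tcpip6Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

function Get-DisabledComponents {
    # A missing value behaves like 0: every IPv6 component on, IPv6 preferred
    $item = Get-ItemProperty -Path $script:Tcpip6Params -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [uint32]0 }
    # The provider hands back a signed Int32; mask so 0xFFFFFFFF does not throw on the cast
    [uint32]([int64]$item.DisabledComponents -band 0xFFFFFFFF)
}

function Get-IPv6Posture {
    [CmdletBinding()]
    param()

    $dc = Get-DisabledComponents

    # Adapters where the IPv6 binding has been unchecked (the state the KB calls unsupported)
    $unbound = @(Get-NetAdapterBinding -ComponentID 'ms_tcpip6' |
                 Where-Object { -not $_.Enabled } |
                 Select-Object -ExpandProperty Name)

    # The registry method is supposed to keep loopback working; verify rather than assume
    $ping = (New-Object System.Net.NetworkInformation.Ping).Send('::1')

    [pscustomobject]@{
        DisabledComponents  = ('0x{0:X2}' -f $dc)
        PrefersIPv4         = [bool]($dc -band 0x20)   # documented bit: IPv4 first in the prefix policy
        NonTunnelDisabled   = [bool]($dc -band 0x10)   # documented bit: LAN IPv6 interfaces off
        TunnelDisabled      = [bool]($dc -band 0x01)   # documented bit: ISATAP/6to4/Teredo off
        AdaptersUnbound     = $unbound                  # non-empty means the unsupported adapter method is in use
        LoopbackV6Reachable = ($ping.Status -eq 'Success')
    }
}

function Set-IPv6PreferIPv4 {
    # Sets only the 0x20 bit and leaves any other bits as they are
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $new = (Get-DisabledComponents) -bor 0x20
    $target = "DisabledComponents = 0x{0:X2}" -f $new
    if ($PSCmdlet.ShouldProcess($script:Tcpip6Params, $target)) {
        Set-ItemProperty -Path $script:Tcpip6Params -Name DisabledComponents -Value ([int]$new) -Type DWord
        Write-Warning 'Change takes effect after a reboot.'
    }
}

# Usage:
# Get-IPv6Posture
# Set-IPv6PreferIPv4 -WhatIf    # preview; drop -WhatIf in an elevated prompt to apply
```

Run Get-IPv6Posture on a domain controller before and after any change: a non-empty AdaptersUnbound list is the state DeadEyePsycho's link describes as unsupported, while PrefersIPv4 = True with an empty list is the configuration jupit3rle0 landed on. Because the script is read-only apart from the explicitly named Set- function, it can also be dropped into a scheduled compliance check to catch DCs where someone has unbound IPv6 by hand.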