ms14-068 is pretty scary and kind of dwarfs it in my mind.

From: [email protected] [mailto:[email protected]] On Behalf Of Steven Peck
Sent: Tuesday, November 18, 2014 11:54 AM
To: [email protected]
Subject: Re: [NTSysADM] Problems with the schannel update?

By and large we didn't have issues with the patch on Windows products, but we have some 3rd party products that do LDAP lookups against our DCs and those all pretty much broke, so we had to take it off the DCs. It stayed on everything else. With the out-of-band and the re-release, we are putting it in our dev and test environments tonight and tomorrow and all of production in the next few days.

Sent from Windows Mail

From: Free, Bob
Sent: Tuesday, November 18, 2014 11:21 AM
To: [email protected]

https://technet.microsoft.com/en-us/library/security/ms14-066.aspx

V2.0 (November 18, 2014): Bulletin revised to announce the reoffering of the 2992611 update to systems running Windows Server 2008 R2 and Windows Server 2012. The reoffering addresses known issues that a small number of customers experienced with the new TLS cipher suites that were included in the original release.

--> Customers running Windows Server 2008 R2 or Windows Server 2012 who installed the 2992611 update prior to the November 18 reoffering should reapply the update. See Microsoft Knowledge Base Article 2992611 for more information.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Free, Bob
Sent: Tuesday, November 18, 2014 11:03 AM
To: [email protected]
Subject: RE: [NTSysADM] Problems with the schannel update?

Disclaimer: This is all YMMV, caveat emptor, but I thought I'd share what I dug up. --As I was preparing to send I see the bulletin has been re-released as expected, so much of this is likely moot.

My understanding is that at least one of the roots of the problem is the new cipher suites that were added at the top of the default priority order and only supported on 8.1 and 2012 R2. The new ciphers included in MS14-066 / KB 2992611:

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256

I started poking around Friday and found it's in the fine print in the security bulletin and the KB below. I think some bulletins / links are being updated, as I can't find some of the info I saw Friday.

'Update adds new TLS cipher suites and changes cipher suite priorities in Windows 8.1 and Windows Server 2012 R2' - http://support2.microsoft.com/kb/2929781

There's a GPO that I believe is relevant but I haven't had time to test - How to Prioritize Schannel Cipher Suites with Group Policy
http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx

Also a lot of background info on the topic here:
http://www.wilderssecurity.com/threads/changing-ies-ssl-cipher-order.355446/

You can check out the order on a client here:
https://www.ssllabs.com/ssltest/viewMyClient.html

From the GPO help-

Determines the cipher suites used by the Secure Socket Layer (SSL). **If this setting is enabled, SSL cipher suites will be prioritized in the order specified** <--- understood to be default pre-patch settings. If this setting is disabled or not configured, the factory default cipher suite order will be used.

SSL2, SSL3, TLS 1.0 and TLS 1.1 cipher suites:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
SSL_CK_RC4_128_WITH_MD5
SSL_CK_DES_192_EDE3_CBC_WITH_MD5
TLS_RSA_WITH_NULL_SHA
TLS_RSA_WITH_NULL_MD5

TLS 1.2 SHA256 and SHA384 cipher suites:
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_NULL_SHA256

TLS 1.2 ECC GCM cipher suites:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Rod Trent
Sent: Monday, November 17, 2014 7:27 AM
To: [email protected]
Subject: RE: [NTSysADM] Problems with the schannel update?

Several reports...
http://windowsitpro.com/security/ms14-066-months-problem-patch

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
Sent: Monday, November 17, 2014 10:10 AM
To: [email protected]
Subject: RE: [NTSysADM] Problems with the schannel update?

Not personally, but I have seen a good number of reports on it. Amazon's AWS got hit pretty hard with it, I have heard.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
Sent: Monday, November 17, 2014 10:07 AM
To: [email protected]
Subject: [NTSysADM] Problems with the schannel update?

We haven't noticed anything yet. Anybody else?

http://www.zdnet.com/microsoft-warns-of-problems-with-schannel-security-update-7000035835/?s_cid=e539&ttag=e539&ftag=TRE17cfd61

PG&E is committed to protecting our customers' privacy. To learn more, please visit http://www.pge.com/about/company/privacy/customer/
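The "SSL Cipher Suite Order" GPO that Bob Free points to writes a comma-separated list to a policy registry key, while the Windows 8.1 / Server 2012 R2 default order lives in a separate local key. The following PowerShell audit is added here and is not part of the thread: it reads both keys and reports where the four MS14-066 suites from Bob's message sit; the two registry paths and the 1023-character limit on the policy value are taken from Microsoft's Schannel documentation, not from the thread.

```powershell
# Added example (not from the thread). Audits the Schannel cipher suite order and
# shows where the four suites added by MS14-066 sit, plus whether the
# "SSL Cipher Suite Order" GPO is overriding the local default order.
$Ms14066Suites = @(
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
)
# Local (non-policy) order: REG_MULTI_SZ "Functions", one suite per element (documented path).
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
# GPO "SSL Cipher Suite Order": REG_SZ "Functions", comma-separated, 1023-character limit (documented path).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-SchannelSuiteOrder {
    param([string]$Key, [switch]$CommaSeparated)
    $v = (Get-ItemProperty -Path $Key -Name Functions -ErrorAction SilentlyContinue).Functions
    if (-not $v) { return @() }                       # key or value missing: nothing configured
    if ($CommaSeparated) {
        return @(($v -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    return @($v)
}

function Show-Ms14066Position {
    param([string[]]$Order, [string]$Label)
    if ($Order.Count -eq 0) { Write-Host "$Label : not set"; return }
    Write-Host "$Label : $($Order.Count) suites"
    foreach ($s in $Ms14066Suites) {
        $idx = [array]::IndexOf($Order, $s)           # 1-based position is what the GPO UI shows
        if ($idx -ge 0) { Write-Host ("  {0,-40} position {1}" -f $s, ($idx + 1)) }
        else            { Write-Host ("  {0,-40} absent" -f $s) }
    }
}

$local  = Get-SchannelSuiteOrder -Key $LocalKey
$policy = Get-SchannelSuiteOrder -Key $PolicyKey -CommaSeparated
Show-Ms14066Position -Order $local  -Label 'Local default order'
Show-Ms14066Position -Order $policy -Label 'GPO policy order   '

# Candidate GPO value that keeps every suite but moves the MS14-066 additions to the end
# of the list. It is only displayed, not written; apply it through the GPO if wanted.
$candidate = @($local | Where-Object { $Ms14066Suites -notcontains $_ }) +
             @($local | Where-Object { $Ms14066Suites -contains $_ })
$candidateString = $candidate -join ','
Write-Host "`nCandidate GPO value ($($candidateString.Length) chars; must stay under 1024):"
Write-Host $candidateString
```

Run it elevated on a patched 8.1 / 2012 R2 host to see whether the new GCM suites sit at the top of the local order, and compare against an unpatched host or a host where the GPO is already in effect.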

