
[SRX] Integrated User Firewall with Active Directory stops working after Microsoft Update for KB5004442


Article ID: TSB18250 | Technical Bulletins | Last Updated: 23 Dec 2021 | Version: 1.0
Alert Type:
PSN - Product Support Notification
Alert Description:
As part of the hardening changes made to DCOM, recent Microsoft updates for newer Windows systems enforce an authentication level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for DCOM activation.

This level is currently not supported by the SRX, and the enforcement will prevent the SRX from opening a WMI communication channel to patched systems.

According to Microsoft KB5004442, the hardening changes will be enabled by default in Q1 2022. The changes can be disabled using a registry key. However, the hardening changes will be permanently enabled with no ability to disable them starting in Q2 2022.

To prevent impact to services provided by the Integrated User Firewall as a result of the hardening changes, actions are required on the SRX in the short and long term timelines.
Risk: Medium - Action required within next six months
Risk Description: Windows Server administrators may not be the same team that manages network security devices. The update would impact services on the SRX and it may take some time to connect the dots back to this activity.
Impact: Medium - Risk of service interruption
Impact Description: When connectivity to the DC is severed, all user-identity-based traffic will not be allowed through the firewall, as the SRX will lose visibility of who is authenticated.

Solution:
The short-term solution is to disable the hardening changes applied by the Microsoft update. The steps, which involve changing the value of the registry key RequireIntegrityActivationAuthenticationLevel, can be found in Microsoft's KB article here: https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

The longer-term solution is to upgrade to a Junos release that supports the hardened authentication level. Juniper Networks is currently working on the fix, which is tracked in PR-1637548. This TSB will be updated with the Junos release and ETA when the fix is ready. Please note that, as per the KB article, Microsoft announced that it will remove the ability to disable the higher authentication level requirement in an update in Q2 of 2022. Therefore, a Junos upgrade is mandatory to ensure uninterrupted service with Integrated User Firewall (with AD integration) on the SRX.
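As an added example (not part of this TSB or of any Juniper tooling), the following PowerShell audit, run on the domain controller the SRX polls, reports whether the DCOM hardening is currently enforced and lists recent server-side rejections so that a WMI failure from the SRX can be tied back to this change. The registry path HKLM\SOFTWARE\Microsoft\Ole\AppCompat, the DWORD semantics (0 = enforcement disabled, 1 = enforced) and System log event 10036 from DistributedCOM are taken from Microsoft KB5004442, not from this page; the function names are this example's own.

```powershell
# Added audit script; values below are documented in Microsoft KB5004442.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$valueName = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    # Read the override value; -ErrorAction hides the "property not found" case.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No explicit value: the update's default for the current rollout phase applies.
        return 'NotSet (Microsoft update default applies)'
    }
    if ($item.$valueName -eq 0) {
        return 'Disabled (short-term workaround from KB5004442 in place)'
    }
    return 'Enforced (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY required for activation)'
}

function Get-RejectedDcomActivations {
    param([int]$Hours = 24)
    # Event 10036 is written by the DCOM server when a client activates with an
    # authentication level below PKT_INTEGRITY; the message carries the client
    # address, which lets you confirm whether the rejected caller is the SRX.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Message = $_.Message }
    }
}

"DCOM hardening state: $(Get-DcomHardeningState)"
Get-RejectedDcomActivations | Format-Table -AutoSize -Wrap
```

If the state reads Enforced and event 10036 entries name the SRX management address, the Integrated User Firewall outage is explained by this hardening rather than by a network or credential problem.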