Description
Installing MS15-027 (KB3002657) 'basically' disables NTLM authentication to mitigate the vulnerability described in the Microsoft Security Bulletin. Installing this patch may cause authentication failures on network machines where Kerberos authentication is disabled and NTLM is used to authenticate Active Directory users. Shavlik Support has seen evidence of this on the community where a customer installed the patch in his Windows 2003 Servers and was no longer able to scan them after installing the patch.
According to theMicrosoft Security Bulletin, this patch is only required on Domain Controllers. The following was information was taken directly from the bulletin: "This update is applicable on server machines running as domain controllers. It is suggested, however, that the update be applied to all affected platforms so that machines are protected if they are promoted to domain controller role in the future."
More information about the patch can be found here: https://support.microsoft.com/en-us/kb/3002657
Resolution
The following will allow you to scan the target machines:
- Defining a local security policy on the console machine. Go to Local Security Policy > Local Policies > Security Options > Network Security: LAN Manager authentication level, if set to "Not Defined", change to the second level "Send LM & NTLM - use NTLMv2 session security if negotiated".
- Uninstall MS15-027 (KB3002657) from the target machines.
- Please note: Uninstall the patch a Domain Controller that requires this patch could leave the server vulnerable.
- The Microsoft workaround is to use the Kerberos protocol to authenticate Active Directory domain users.
Affected Products
Shavlik Protect All Versions
Shavlik Patch All Versions