lithnet / ad-password-protection

Active Directory password filter featuring breached password checking and custom complexity rules
MIT License

LSA protected mode working? #83

Closed Alex-Busch closed 2 years ago

Alex-Busch commented 2 years ago

I know that since version [1.0.7236] LSA protected mode should be supported. However, when I try it, it doesn't succeed. It gives error 577 on load of lithnetpwdf in the system log. The corresponding log entry in Code Integrity is related to the required VCRuntime. But this is already version 14.32.31332, which is quite up to date. Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\vcruntime140.dll that did not meet the Microsoft signing level requirements. So I wonder if anyone got that running?

Best regards Alex

ryannewington commented 2 years ago

Hi Alex,

We're not seeing this in our environments, but have another open case where a user is seeing this on one of their DCs but not the other. What does the signature on vcruntime140 look like?

(screenshot attached)

Can you provide me with some information on the OS version and build number?
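An added diagnostic script (not part of the lithnet project) that gathers what is asked for above on the affected DC: OS build, whether LSA protection is enabled, the Authenticode signature on vcruntime140.dll, and the Code Integrity events for it. It assumes PowerShell on the DC itself; the event ID and registry value are the documented ones for Code Integrity signing-level failures and for LSA protection.

```powershell
# Added example, not code from the lithnet/ad-password-protection project.
# Run elevated on the DC where lsass.exe refused to load the filter DLL.
$ErrorActionPreference = 'Stop'

# 1. OS version and build number (what the maintainer asked for).
$os = Get-CimInstance Win32_OperatingSystem
[pscustomobject]@{
    Caption     = $os.Caption
    Version     = $os.Version
    BuildNumber = $os.BuildNumber
} | Format-List

# 2. LSA protected mode: RunAsPPL under the Lsa key. $null or 0 means LSA
#    protection is not configured and the signing-level check does not apply.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name RunAsPPL -ErrorAction SilentlyContinue
"RunAsPPL = $($lsa.RunAsPPL)"

# 3. Signature details of the CRT that lsass.exe loads with the filter DLL.
#    A signer that is not a Microsoft Windows-level certificate is what
#    Code Integrity rejects for a protected process.
$dll = Join-Path $env:SystemRoot 'System32\vcruntime140.dll'
$sig = Get-AuthenticodeSignature -FilePath $dll
[pscustomobject]@{
    File          = $dll
    FileVersion   = (Get-Item $dll).VersionInfo.FileVersion
    Status        = $sig.Status
    SignatureType = $sig.SignatureType      # Authenticode vs Catalog
    Signer        = $sig.SignerCertificate.Subject
    Issuer        = $sig.SignerCertificate.Issuer
    NotAfter      = $sig.SignerCertificate.NotAfter
} | Format-List

# 4. Code Integrity events for this DLL. Event ID 3033 is the
#    "did not meet the Microsoft signing level requirements" event
#    quoted in the issue; filter on the file name to cut the noise.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3033
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*vcruntime140.dll*' } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Compare the Signer/Issuer output between a DC that loads the filter and one that does not; a difference in the certificate chain on the same file version points at the runtime's signing rather than at the filter DLL.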

Alex-Busch commented 2 years ago

Hi Ryan, thank you for your answer. Sure, here you got some details.

System 1:

Windows 2012R2 Datacenter, German language, running on VMware. The vcruntime details: (screenshots attached)

System 2:

Windows 2016 Standard, German, running on VMware. vcruntime is the same as above.

Originally there was an older vcruntime on the systems, which came with VMware Tools. As I suspected a connection to that, I updated to the latest release, but the issue persists.

Best regards Alex

ryannewington commented 2 years ago

Hi Alex,

I've been able to reproduce this on Server 2012 R2. The issue doesn't seem to appear on Windows Server 2019. I'm still investigating what is going on, but there is definitely something up with that version of the C runtime. I'm going to try making a new build and linking it to the latest C runtime. I'm currently having some EV signing certificate issues that I'm trying to sort out with my vendor, so it will be a few days before I have updates on this.

ryannewington commented 2 years ago

An update on this issue: we've been working with Microsoft and have confirmed that Windows Server 2012 R2 and Windows Server 2016 are impacted, and Windows Server 2019+ is not. This appears to be related to a recent change in the signing certificate Microsoft have used for the Visual C runtime.

ryannewington commented 2 years ago

We've released a fix to work around the issue with the Microsoft signing certificate:

https://github.com/lithnet/ad-password-protection/releases/tag/v1.0.7242

Alex-Busch commented 2 years ago

Thank you for the update. It's working now as expected. I appreciate your work.