Agencies must patch Windows Server by midnight or unplug
- By Mark Rockwell
- Sep 21, 2020
The Cybersecurity and Infrastructure Security Agency issued an emergency directive to agencies on Sept. 18, calling on them to patch all Windows server operating systems by Sept. 21 to prevent unauthenticated attackers with network access to a domain controller from completely compromising all Active Directory identity services.
Those servers that cannot be patched by 11:59 p.m. Eastern Time on Sept. 21 should be unplugged from networks, CISA said, citing the "widespread presence of the affected domain controllers across the federal enterprise" and the "high potential for a compromise of agency information systems."
The vulnerability, Microsoft said in an August notice on the problem, could allow attackers to elevate their domain privileges within the network without authentication, once they get inside.
If an unauthorized attacker gets control of the identity capabilities at one agency, said CISA, the access could be used to compromise other federal networks.
"CISA has determined that this vulnerability poses an unacceptable risk to the federal civilian executive branch and requires an immediate and emergency action," said the directive.
Microsoft issued a patch for the vulnerability on Aug. 11 and said it plans to issue an additional update in the first quarter of 2021. In an accompanying assessment, the company said it had not seen any exploitation of the vulnerability.
After the software upgrade is in place, CIOs must submit a completion report to CISA by Sept. 23 that states the update has been applied to all affected servers and that newly provisioned and disconnected servers will be patched as required before they are connected to the network.
CISA said it is also keeping an eye on compliance through the Continuous Diagnostics and Mitigation program. Agencies can get support from CDM systems integrators in the effort as well, the agency said.
By Oct. 5, CISA wants to be able to provide a detailed report to the secretary of the Department of Homeland Security and the director of the Office of Management and Budget on the status of the upgrade and issues that remain to be resolved.
This article was first posted to FCW, a sibling site to GCN.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.