MS15-027 (KB3002657) May Cause Patch Scans To Fail With Error 452

Version 5

    Description


    Installing MS15-027 (KB3002657) 'basically' disables NTLM authentication to mitigate the vulnerability described in the Microsoft Security Bulletin.  Installing this patch may cause authentication failures on network machines where Kerberos authentication is disabled and NTLM is used to authenticate Active Directory users.  Shavlik Support has seen evidence of this on the community where a customer installed the patch in his Windows 2003 Servers and was no longer able to scan them after installing the patch.


    According to the Microsoft Security Bulletin, this patch is only required on Domain Controllers.  The following was information was taken directly from the bulletin:  "This update is applicable on server machines running as domain controllers. It is suggested, however, that the update be applied to all affected platforms so that machines are protected if they are promoted to domain controller role in the future."


    More information about the patch can be found here: https://support.microsoft.com/en-us/kb/3002657


    Resolution

     

    The following will allow you to scan the target machines:

    • Define a local security policy on the console machine.  Go to Local Security Policy > Local Policies > Security Options > Network Security: LAN Manager authentication level, if set to "Not Defined", change to the second level "Send LM & NTLM - use NTLMv2 session security if negotiated".
    • Microsoft suggests to use the Kerberos protocol to authenticate Active Directory domain users.
    • Uninstall MS15-027 (KB3002657) from the target machines.
      • Please note:  Uninstall the patch a Domain Controller that requires this patch could leave the server vulnerable.

     

      For additional information on the patch and workarounds, please contact Microsoft directly.

    Affected Products


    Shavlik Protect All Versions

    Shavlik Patch All Versions