The vulnerability allows a user with restricted permissions to escalate to domain administrator privileges and Microsoft reports that attacks have been seen in the wild. Microsoft has officially stated that "the only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain," so it's critical that all Windows admins apply this patch immediately.
Microsoft recommends first patching domain controllers running Windows Server 2008 R2 or earlier. Next, patch your Windows Server 2012 and later domain controllers. Finally, patch all of your regular systems to ensure complete safety.
Use the following step-by-step instructions showing how to configure FrameFlow Server Monitor to make sure your systems have been patched:
[alert type="custom" icon="fa-download" box_shadow="yes" animation_type="fade" animation_direction="down" animation_speed=".5"]Download FrameFlow Server Monitor Now to Automate Testing for KB3011780 (MS14-068)[/alert]
Step 1: Login into your FrameFlow installation, right click on "Event Monitors" in the tree and choose "Add Event Monitor."
Step 2: Type "file" to filter the list of event monitors and select the "File Event Monitor."
Step 3: Use the "Chooser" button to select the systems you want to check. Ideally you will have already organized your network devices and you'll have a device group that contains all of your domain controllers. If not you can still select the systems individually.
Step 4: In the "File Path" text box enter:
"\[devicename]c$WindowsSoftwareDistributionReportingEvents.log" (without the quotes). Next, turn on the option called "Check the contents of the file." In the text box called "Warn if the file does not contain the text" enter "KB3011780" (again without the quotes). Press the "Apply Changes" button at the bottom and the event monitor will run right away.
Step 5: Click on the "Events" tab to see the result. Ideally all of your systems will show in green with text along the lines of "The text 'KB3011780' was found in the file '\hostnamec$WindowsSoftwareDistributionReportingEvents.log'." If everything is listed in green then the patch has been applied.
Monitoring for patches is just one example of the server monitoring features offered by FrameFlow Server Monitor. If you're not already a FrameFlow user, take our 30-day trial edition for a spin and learn more about how FrameFlow can help you make sure your critical systems are up and running.