Windows Server

Microsoft is investigating LSASS memory leaks (caused by Windows Server updates released during the November Patch Tuesday) that might lead to freezes and restarts on some domain controllers.

LSASS (short for Local Security Authority Subsystem Service) is responsible for enforcing security policies on Windows systems, and it handles access token creation, password changes, and user logins.

If this service crashes, logged-in users immediately lose access to Windows accounts on the machine, and they’re shown a system restart error followed by a system reboot.

“LSASS might use more memory over time and the DC might become unresponsive and restart,” Microsoft explains on the Windows Health dashboard.

“Depending on the workload of your DCs and the amount of time since the last restart of the server, LSASS might continually increase memory usage with the up time of your server and the server might become unresponsive or automatically restart.”

Redmond says that out-of-band Windows updates pushed out to address authentication problems on Windows domain controllers might also be affected by this known issue.

The complete list of affected Windows versions includes Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.

Microsoft is working on a resolution and says it will provide an update with an upcoming release.

Workaround available

Until a fix is available to address this LSASS memory leak issue, the company also provides a temporary solution to allow IT admins to work around domain controller instability. 

This workaround requires admins to set the KrbtgtFullPacSignature registry key (used to gate CVE-2022-37967 Kerberos protocol changes) to 0 using the following command:

reg add "HKLMSystemCurrentControlSetservicesKDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD

“Once this known issue is resolved, you should set KrbtgtFullPacSignature to a higher setting depending on what your environment will allow,” Microsoft added.

“It is recommended to enable Enforcement mode as soon as your environment is ready. For more information on this registry key, please see KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967.”

In March, Redmond addressed another known issue leading to Windows Server domain controller reboots due to LSASS crashes.

Earlier this month, Microsoft fixed domain controller sign-in failures and other authentication problems also caused by November Patch Tuesday Windows updates with emergency out-of-band (OOB) updates.

Source: www.bleepingcomputer.com