Issue: our security scanner (Qualys) reported 'Microsoft Improperly Issued Digital Certificates Spoofing Vulnerability (KB2982792)' on all our Windows 2008 R2 servers.
Constraint: since those servers are corporate internal servers, they are not directly connected to the internet.
If they were directly connected to the internet, the Windows patches would be downloaded and applied automatically.
Solution: we are using the SCCM tool for our patching and followed the steps below as the solution.

1) Apply the hotfix https://support.microsoft.com/en-us/kb/2813430 on the clients. (You have done this step.)
2) On your SCCM server, or another server that can connect to Windows Update, create a shared folder.
3) Run this command line to synchronize a destination directory with the Windows Update site:
CertUtil -syncWithWU \\computername\sharename\DestinationDir
Note: DestinationDir is the folder that the files are copied to. When you run the command, the following files are downloaded from Windows Update:
· Authrootstl.cab: Contains the CTL of third-party root certificates.
· Disallowedcertstl.cab: Contains the CTL of disallowed certificates.
· Disallowedcert.sst: Contains the disallowed certificates.
· Thumbprint.crt: Third-party root certificates.
4) Configure Group Policy to change the registry key on all clients:
a. Log on to a DC and open GPMC.msc.
b. Create a GPO and link it to the domain.
c. Edit this GPO and expand the items as follows:
d. Configure the registry as follows:
This registry key configures the share paths from which CTLs are retrieved.
5) The clients will update the registry value when they refresh the group policy.
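A post-deployment check for steps 3 to 5, as an added PowerShell example (not from the original post or the Microsoft KB): run it on a client after a gpupdate to confirm the GPO-configured share path is set, that the share is reachable and still holds the files listed in step 3, and how many certificates the client's Disallowed store currently contains. The registry key and value name are assumed to be the ones the step-4 GPO writes; adjust them if you configured a different key.

```powershell
# Added verification script; not part of the original post or the KB article.
# Assumptions: the step-4 GPO writes the share path into the RootDirUrl value under
# HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate (change $RegKey /
# $RegValue if you used a different key) and the share was filled by CertUtil -syncWithWU.
param(
    [string]$RegKey   = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate',
    [string]$RegValue = 'RootDirUrl',
    [int]$MaxAgeDays  = 30   # re-sync cadence you expect for the share
)

# Files that step 3 says CertUtil -syncWithWU places in the destination directory.
$expectedFiles = 'authrootstl.cab', 'disallowedcertstl.cab', 'disallowedcert.sst'

# 1. Has the GPO (step 5) actually landed on this client?
$props = Get-ItemProperty -Path $RegKey -ErrorAction SilentlyContinue
if (-not $props -or -not $props.$RegValue) {
    Write-Warning "$RegKey\$RegValue is not set; run gpupdate /force or check the GPO link"
    exit 1
}
$share = $props.$RegValue
Write-Host "CTL share configured as: $share"

# 2. Is the share reachable from this client, and are the step-3 files there and fresh?
if (-not (Test-Path -Path $share)) {
    Write-Warning "Share $share is not reachable from this client (check share permissions / firewall)"
    exit 1
}
$stale = $false
foreach ($name in $expectedFiles) {
    $f = Get-Item -Path (Join-Path $share $name) -ErrorAction SilentlyContinue
    if (-not $f) { Write-Warning "Missing $name in $share; re-run CertUtil -syncWithWU"; $stale = $true; continue }
    $age = (Get-Date) - $f.LastWriteTime
    if ($age.TotalDays -gt $MaxAgeDays) {
        Write-Warning ("{0} is {1:N0} days old; schedule CertUtil -syncWithWU so the CTL stays current" -f $name, $age.TotalDays)
        $stale = $true
    } else {
        Write-Host ("{0}: OK ({1:N0} days old)" -f $name, $age.TotalDays)
    }
}
# The third-party roots are individual .crt files, so just count them.
$roots = @(Get-ChildItem -Path $share -Filter '*.crt' -ErrorAction SilentlyContinue)
Write-Host "$($roots.Count) third-party root .crt files present in the share"

# 3. What has the client actually loaded into its Disallowed store?
$disallowed = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed)
Write-Host "$($disallowed.Count) certificates in LocalMachine\Disallowed"
if ($stale) { exit 2 }
```

A non-zero exit code makes the script usable as an SCCM compliance or scheduled-task check, so a share that silently stops being synced shows up instead of leaving clients on an old disallowed-certificate list.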