Windows Server 2008 Datacenter ESU Windows Server 2008 Standard ESU Windows Server 2008 Enterprise ESU Windows Server 2008 R2 Enterprise ESU Windows Server 2008 R2 Standard ESU Windows Server 2008 R2 Datacenter ESU Windows Server 2012 ESU Windows Server 2012 R2 ESU Windows 10, version 1607, all editions Windows Server 2016 Windows 10 Home and Pro, version 21H2 Windows 10 Enterprise and Education, version 21H2 Windows 10 IoT Enterprise, version 21H2 Windows 10 Home and Pro, version 22H2 Windows 10 Enterprise Multi-Session, version 22H2 Windows 10 Enterprise and Education, version 22H2 Windows 10 IoT Enterprise, version 22H2 Windows 11 SE, version 21H2 Windows 11 Home and Pro, version 21H2 Windows 11 Enterprise and Education, version 21H2 Windows 11 IoT Enterprise, version 21H2 Windows 11 SE, version 22H2 Windows 11 Home and Pro, version 22H2 Windows 11 Enterprise Multi-Session, version 22H2 Windows 11 Enterprise and Education, version 22H2 Windows 11 IoT Enterprise, version 22H2 Windows Server 2022 Windows 11 Home and Pro, version 23H2 Windows 11 Enterprise and Education, version 23H2 Windows 11 Enterprise Multi-Session, version 23H2 Windows 11 IoT Enterprise, version 23H2 Windows 11 SE, version 24H2 Windows 11 Enterprise and Education, version 24H2 Windows 11 Enterprise Multi-Session, version 24H2 Windows 11 Home and Pro, version 24H2 Windows 11 IoT Enterprise, version 24H2 More...Less
ImportantCertain versions of Microsoft Windows have reached the end of support. Note that some versions of Windows may be supported past the latest OS end date when Extended Security Updates (ESUs) are available. SeeLifecycle FAQ - Extended Security Updatesfor a list of products offering ESUs.
Contents
-
Summary
-
Take action
-
Events added by this update
-
Configurations
-
Frequently asked questions
-
References
Summary
This update addresses a security vulnerability in the Remote Authentication Dial-In User Service (RADIUS) protocol related to MD5 collision problems. Because of weak integrity checks in MD5, an attacker might tamper with packets to gain unauthorized access. MD5 vulnerability makesUser Datagram Protocol (UDP)based RADIUS traffic over the Internet nonsecure against packet forgery or modification during transit.
For more information about this vulnerability, see CVE-2024-3596and the whitepaperRADIUS AND MD5 COLLISION ATTACKS.
NOTE This vulnerability requires physical access to the RADIUS network and the Network Policy Server (NPS). Therefore, customers who have secured RADIUS networks are not vulnerable. Additionally, the vulnerability does not apply when RADIUS communication occurs over VPN.
Take action
To help protect your environment, we recommend enabling the following configurations.For more information, see the Configurations section.
-
Set the Message-Authenticator attribute in Access-Request packets.
Make sure all Access-Request packets include the Message-Authenticator attribute.
-
Verify the Message-Authenticator attribute in Access-Request packets.
Consider enforcing validation of the Message-Authenticator attribute on Access-Request packets. Access-Request packets without this attribute will not be processed.
-
Verify the Message-Authenticator attribute in Access-Request packets if the Proxy-State attribute is present.
Optional:Enable the limitProxyState configuration if enforcing validation of the Message-Authenticator attribute on Access-Request packets cannot be performed. This configuration will validate that Access-Request packets containing the Proxy-State attribute also contain the Message-Authenticator attribute.
-
Verify the Message-Authenticator attribute in RADIUS response packets: Access-Accept, Access-Reject and Access-Challenge.
Enable the requireMsgAuth configuration to enforce dropping the RADIUS response packets from remote servers that lack the Message-Authenticator attribute.
Events added by this update
For more information, see the Configurations section.
The Access-Request packet was dropped because it contained the Proxy-State attribute but lacked the Message-Authenticator attribute. Consider changing the RADIUS client to include the Message-Authenticator attribute. Or, alternatively, add an exception for the RADIUS client by using the limitProxyState configuration.
| Event log | System |
| Event type | Error |
| Event source | NPS |
| Event ID | 4418 |
| Event text | An Access-Request message was received from RADIUS client <ip/name> containing a Proxy-State attribute, but it did not include a Message-Authenticator attribute. As a result, the request was dropped. The Message-Authenticator attribute is mandatory for security purposes. See https://support.microsoft.com/help/5040268 to learn more. |
This is an audit event for Access-Request packets without the Message-Authenticator attribute in presence of Proxy-State. Consider changing the RADIUS client to include the Message-Authenticator attribute. The RADIUS packet will be dropped once the limitproxystate configuration is enabled.
| Event log | System |
| Event type | Warning |
| Event source | NPS |
| Event ID | 4419 |
| Event text | An Access-Request message was received from RADIUS client <ip/name> containing a Proxy-State attribute, but it did not include a Message-Authenticator attribute. The request is currently allowed since the limitProxyState is configured in Audit mode. See https://support.microsoft.com/help/5040268 to learn more. |
This is an Audit event for RADIUS response packets received without the Message-Authenticator attribute at the proxy. Consider changing the specified RADIUS server for the Message-Authenticator attribute. The RADIUS packet will be dropped once the requiremsgauth configuration is enabled.
| Event log | System |
| Event type | Warning |
| Event source | NPS |
| Event ID | 4420 |
| Event text | The RADIUS Proxy received a response from server <ip/name> with a missing Message-Authenticator attribute. Response is currently allowed since the requireMsgAuth is configured in Audit mode. See https://support.microsoft.com/help/5040268 to learn more. |
This event is logged during service start when the recommended settings are not configured. Consider enabling the settings if the RADIUS network is unsecure. For secure networks, these events can be ignored.
| Event log | System |
| Event type | Warning |
| Event source | NPS |
| Event ID | 4421 |
| Event text | RequireMsgAuth and/or limitProxyState configuration is in <Disable/Audit> mode. These settings should be configured in Enable mode for security purposes. See https://support.microsoft.com/help/5040268 to learn more. |
Configurations
This configuration enables the NPS Proxy to start sending the Message-Authenticator attribute in all Access-Request packets. To enable this configuration, use one of the following methods.
Method 1: Use the NPS Microsoft Management Console (MMC)
To use the NPS MMC, follow these steps:
-
Open the NPS user interface (UI) on the server.
-
Open the remote Radius Server Groups.
-
Select Radius Server.
-
Go to Authentication/Accounting.
-
Click to select the The request must contain the Message-Authenticator attribute checkbox.
Method 2: Use the netsh command
To use netsh, run the following command:
netsh nps set remoteserver remoteservergroup = <server group name> address = <server address> requireauthattrib = yes
For more information, see Remote RADIUS Server Group Commands.
This configuration requires the Message-Authenticator attribute in all Access-Request messages and drops the packet if absent.
Method 1: Use the NPS Microsoft Management Console (MMC)
To use the NPS MMC, follow these steps:
-
Open the NPS user interface (UI) on the server.
-
Open Radius Clients.
-
Select Radius Client.
-
Go to Advance Settings.
-
Click to select the Access-Request messages must contain the message-authenticator attribute checkbox.
For more information, see Configure RADIUS Clients.
Method 2: Use netsh command
To use netsh, run the following command:
netsh nps set client name = <client name> requireauthattrib = yes
For more information, see Remote RADIUS Server Group Commands.
This configuration enables the NPS server to drop potential vulnerable Access-Request packets that contain a Proxy-State attribute, but do not include a Message-Authenticator attribute. This configuration supports three modes:
-
Audit
-
Enable
-
Disable
In Audit mode, a warning event (Event ID: 4419) is logged, but the request is still processed. Use this mode to identify the non-compliant entities sending the requests.
Use the netsh command to configure, enable, and add an exception as needed.
-
To configure clients in Audit mode, run the following command:
netsh nps set limitproxystate all = "audit"
-
To configure clients in Enable mode, run the following command:
netsh nps set limitproxystate all = "enable"
-
To add an exception to exclude a client from limitProxystate validation, run the following command:
netsh nps set limitproxystate name = <client name> exception = "Yes"
This configuration enables NPS Proxy to drop potentially vulnerable response messages without the Message-Authenticator attribute.This configuration supports three modes:
-
Audit
-
Enable
-
Disable
InAuditmode, a warning event (Event ID: 4420) is logged, but the request is still processed. Use this mode to identify the non-compliant entities sending the responses.
Use thenetshcommand to configure, enable, and add an exception as needed.
-
To configure servers inAuditmode, run the following command:
netsh nps set requiremsgauthall = "audit"
-
To enable configurations for all servers, run the following command:
netsh nps set limitproxystate all = "enable"
-
To add an exception to exclude a server fromrequireauthmsgvalidation, run the following command:
netsh nps set requiremsgauth remoteservergroup = <remote server group name> address = <server address> exception = "yes"
Frequently asked questions
Check NPS module events for related events. Consider adding exceptions or configuration adjustments for affected clients/servers.
No, the configurations discussed in this article are recommended for unsecured networks.
References
Description of the standard terminology that is used to describe Microsoft software updates
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. We make no warranty, implied or otherwise, about the performance or reliability of these products.
We provide third-party contact information to help you find technical support. This contact information may change without notice. We do not guarantee the accuracy of this third-party contact information.
SUBSCRIBE RSS FEEDS
Need more help?
Want more options?
Discover Community
Explore subscription benefits, browse training courses, learn how to secure your device, and more.
Microsoft 365 subscription benefits
Microsoft 365 training
Microsoft security
Accessibility center
Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.
