BLOG: CVE-2024-38063 - Disabling IPv6 binding = fix - or not?
Dear community, in today's LinkedIn Stream and other social media you might have noticed a recent CVE and the recommendation to disable IPv6 in Windows Server and Windows Client. We are talking about this one: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063 Reading the advisory carefully, Microsoft, strictly speaking, does not directly recommend disabling (technically remove binding) of IPv6. Citing: "Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors might be helpful in your situation: Systems are not affected if IPv6 is disabled on the target machine." Maybe I am a bit nitpicking here about old experiences and would greatly appreciate a refreshed Microsoft statement on the disablement (unbinding) of IPv6 and the side-effects in 2024. What we have learned in the past - do no disable IPv6 easily. - yes, you can face issues with IPv6 being on by default and unexpected or misconfiguration. Often caused by DHCPv6, especially in the combination of critical domain controllers, Dual Stack ISPs and SoHo routers messing up your DNS. What's the fuss about IPv6? I am not actively using it in corporate / at home. IPv6 is being used in Windows. More specifically non-routable fe80 addresses and loopback ::1 for internal purposes of Windows or other software. One may complain use cases are - unrightfully - not well and transparent documented. Have a read in the past Here are some references that Copilot brings up. Trust my memory, I've read more like this. https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ipv6-for-the-windows-administrator-why-you-need-to-care-about/ba-p/256251 https://community.spiceworks.com/t/is-it-a-bad-practice-to-disabe-ipv6/781811/9 https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows My personal conclusion Hold on, we need patches for this CVE, but we should not disable IPv6 easily. Please disable IPv6 temporarily, when you cannot patch this CVE immediately / in time. Take notes which system you have had to disable and consider re-enabling once patches have been tested and applied. If you are using IPv6 knowingly, note the NIC configs. They will be lost when using static settings rather DHCPv6. I am sad to see that NetSec people, undoubtedly experts in their area, jump on the bandwaggon esp. on Social Media to easily disgrace the IPv6 by default enablement of Windows Client and Windows Server, telling you the easier story: "Disable IPv6 and you are good / if you do not need it." Let me counter: You might not know you're "needing it" it in the first place. Whenever you are changing system defaults in Windows, mind that Microsoft and other software vendors may not consider these changes in their testing. And the Crowdstrike Black Friday showed us clearly how outlier system configs and unwell testing goes along. Not very well. IPv6 usage and defaults today One of the most recent example that Microsoft is using IPv6 can be found in the Azure Arc Agent (Connected Machine Agent) changelog: "Better handling when IPv6 local loopback is disabled" source: https://learn.microsoft.com/en-us/azure/azure-arc/servers/agent-release-notes How can I disable IPv6, if required? Many roads led to Rome. Windows + X > Terminal / PowerShell (Admin) #save current NIC config into a simple text file Get-NetAdapterBinding -ComponentID "ms_tcpip6" | where Enabled -eq $true | Out-File $env:temp\original-ipv6-config.txt #disable IPv6 on all adapters Get-NetAdapterBinding -ComponentID "ms_tcpip6" | where Enabled -eq $true | Disable-NetAdapterBinding And how to revert the change? Windows + X > Terminal / PowerShell (Admin) #enable IPv6 on all adapters (mind the text file) Get-NetAdapterBinding -ComponentID "ms_tcpip6" | where Enabled -eq $true | Enable-NetAdapterBinding TL:DR Microsoft is using fe80 addresses and loopback ::1 addresses for internal reasons. IPv6 is preferrably used over IPv4 when it is bound to a network adapter, including said special non- routable addresses. Please disable IPv6 temporarily, when you cannot patch this CVE immediately / in time. Take notes of current config. Please share the word and mind that disabling IPv6 can turn your OS into an outlier system, causing immediate or later issue due lack of testing by Microsoft or other software vendors, assuming the defaults, which is IPv6 being turned on.
Clarification on NTLM Authentication Events (Event ID 4625 & 4624) in SOC Monitoring
Hello, While monitoring authentication events in the SOC, I frequently encounter multiple failed (Event ID: 4625) and successful (Event ID: 4624) login attempts associated with NTLM authentication. Upon investigating the affected machine, I found no active NTFS shares or resources being accessed. Despite this, NTLM events continue to appear in the logs. I’m trying to understand what might be triggering these events. Could this be related to background processes, service accounts, or another NTLM authentication mechanism? Although this is a low-level incident, I’d like to fully grasp the cause to rule out any potential security concerns. I’d appreciate any insights you can provide! Thank you.
Untagged VLAN - Server 2025 Hyper-V
Hi, I have a strage issue and not finding a solution. Using Server 2025 with two node Hyper-V cluster. Most of the machines using VLANs which works fine. Some machines using no VLAN config. Which usually means the "Access VLAN 1" regarding our switch configuration. With Server 2019 this worked fine. With Server 2025 same NIC port, same server/NIC hardware "Untagged" VMs don't get any network connection. If I add a second NIC to the VM "Untagged" the NIC get immidiatly an IP address and has a proper connection. If I remove the first NIC, the second NIC stop working. It looks like something has changed with Server 2025 (maybe already with Server 2022). Do you have any idea what kinde of problem I have found? Thanks JackEdit subnet mask or scope in dhcp server running in windows server - Solved
it's not possible to directly change the subnet mask of an existing DHCP scope in a running Windows DHCP server. Here are the steps: 1. Export the Existing Scope Configuration: Open a command prompt with administrative privileges. Type the following command to export the scope configuration to a text file: netsh dhcp server \\<DHCP_Server_Name> scope <Scope_IP_Address> dump > C:\dhcp.txt 2. Modify the Configuration File: Open the dhcp.txt file in a text editor. Locate the line that specifies the subnet mask (e.g., SubnetMask 255.255.255.0). Change the subnet mask to the desired value. Save the changes to the file. 3. Delete the Old Scope: In the DHCP management console, right-click the scope you want to modify and select "Delete." 4. Import the New Scope: In the command prompt, type the following command to import the modified configuration: netsh exec c:\dhcp.txt 5. Verify the Changes: In the DHCP management console, check if the scope has been re-created with the new subnet mask. Right-click the scope and select "Properties" to confirm the subnet mask change. (Major Point - Ensure that your existing network address and subnet network address remain the same after making changes. If they are not the same, you need to modify the entire network address in the text file. For example, if the original subnet is 255.255.255.0 and the network address is 10.1.10.0, and you change it to 255.255.252.0, then the network address should also be updated to 10.1.8.0. Therefore, you must replace all instances of 10.1.10.0 with 10.1.8.0 in the entire text file (using Ctrl+H for the replacement). Thats it....
DHCP Failover Issue – Standby Server Responding When It Should Not
Hi everyone, I'm encountering an issue with my DHCP failover setup in Hot Standby mode, and I need insights into why the standby server is providing DHCP leases when it shouldn’t. Setup Overview: I manage a network with over 100 sites worldwide, each having a local DHCP server. Each site has a dedicated DHCP server running on the server VLAN. Clients reside on different VLANs, and IP helpers (DHCP relay) are configured on a Checkpoint firewall at each site. The IP helper forwards DHCP requests to: The local DHCP server (primary) in the site's server VLAN. The standby DHCP server (failover), located at an on-premises data center (DC). DHCP servers are configured in Hot Standby mode using Microsoft DHCP Failover. Issue: Despite the Hot Standby configuration, I noticed that my Cisco Meraki dashboard frequently reports a new DHCP server detected, referring to the standby DHCP server, even though the primary DHCP server at the local site is available. Cisco Meraki triggers this alert when it detects DHCPACK packets from the standby DHCP server traversing the local networks. However, in Hot Standby mode, the failover server should only issue leases if the primary server is unreachable. Example: Site-1's primary DHCP server (DHCP-1) has a failover partnership with Failover-1 at the DC. Site-1's connectivity to the DC is stable, yet Cisco Meraki occasionally detects DHCPACK packets from Failover-1, triggering alerts. Troubleshooting Done So Far: Verified that failover mode is correctly set to Hot Standby (not Load Balance). Confirmed that the primary DHCP server is healthy and responding. Checked DHCP logs on both servers but found no clear failover events. Performed packet captures of DHCP traffic, but the results were inconclusive. Investigated whether Checkpoint firewall’s IP helper can prioritize the primary DHCP server, but it appears not to support this functionality. Created a PowerShell script to check for failover-related event logs (Event IDs: 20254 and 20255). This provided better visibility but did not correlate with the Meraki alerts. Questions: Are there any known scenarios where a standby DHCP server in Hot Standby mode might mistakenly issue leases, even when the primary is active? Is there any detailed information on the failover “heartbeat” mechanism between primary and standby servers? I found that it uses TCP port 647, but I couldn’t locate official documentation on the interval and failure conditions. Could failover state synchronization delays cause this behavior? Are there specific logs or PowerShell commands I should check to confirm why the standby server is responding? Is there a way to prevent the standby server from responding unless the primary is truly unreachable (e.g., registry settings, advanced configuration)? Any guidance or troubleshooting steps would be greatly appreciated! Thanks in advance.
Launching EXEs on File Server Slow on Hyper-V Host
We have a Server 2019 Hyper-V host that hosts a Server 2008 file server (yeah, I know, too old) and other virtual machines we use as work stations that access various EXE files on the file server. Recently, (not sure when it's started) launching EXE files stored on the 2008 server from one of the workstations (all on the same host) is getting delayed, sometimes as long as 20-30 seconds. An odd thing is that when you first log on to the work station and run the EXE it starts in what I think is a reasonable time, until now a second launch would be a little faster, I'm assuming due to caching. But not, launching it a second time gets the delay. Other file types seem to be OK. Opening large PDFs, for instance, does not have the problem. Working on a virtual machine hosted on our OTHER, older 2012 R2 Hyper-V host (yeah, again, I know) and going across the network, host to host, to access those same EXE files never has the delay problem. Because of virtual machines the 2012 host not having the problem, I'm thinking there's something on the 2019 host that's been updated. Update history shows KB5052000 installed in February and KB5050182 in January. I see that the January update mentions "Remote Code Execution" but the info seems to be specific to Visual Studio so I'm not sure that would apply. Has anyone seen this behavior or can maybe give me a clue as to where to start even looking? Thanks, Ken
BPA Errors: DNS can't resolve GC, Kerberos, PDC Resource Record, etc.
Hello, I've been poking around this for hours now and could use another set of eyes. This server has been the PDC for quite some time but I discovered the last people that managed this place, didn't demote the old 2008R2 server (thankfully it still existed virtualized). So I was able to do a graceful demotion of that and removed it from the domain. I'm now trying to resolve some other errors in that come up in the BPA scan... All reference DNS and I just can't figure this out. I've been beating head against the wall trying to understand what's happening, This is MS Server Standard 2022 only 1 DC and DNS. (yeah I know, don't get me started, but it's a really small office)... Would love some suggestions. Thanks!BLOG: Windows Server / Azure Local keeps setting Live Migration to 1 - here is why
Affected products: Windows Server 2022, Windows Server 2025 Azure Local 21H2, Azure Local 22H2, Azure Local 23H2 Network ATC Dear Community, I have seen numerous reports from customers running Windows Server 2022 servers or Azure Local (Azure Stack HCI) that Live Migration settings are constantly changed to 1 per Hyper-V Host, as mirrored in PowerShell and Hyper-V Host Settings. The customer previously set the value to 4 via PowerShell, so he could prove it was a different value at a certain time. First, I didn't step into intense research why the configuration altered over time, but the stumbled across it, quite accidently, when fetching all parameters of Get-Cluster. According to an article a LCU back in September 2022 changed the default behaviour and allows to specify the live migrations at cluster level. The new live migration default appears to be 1 at cluster level and this forces to change the values on the Hyper-V nodes to 1 accordingly. In contrast to the commandlet documentation, the value is not 2, which would make more sense. Quite unknown, as not documented in the LCU KB5017381 itself, but only referenced in the documentation for the PowerShell commandlet Get-Cluster. Frankly, none of the aren't areas customers nor partners would check quite regularly to spot any of such relevant feature improvements or changes. "Beginning with the 2022-09 Cumulative Update, you can now configure the number of parallel live migrations within a cluster. For more information, see KB5017381 for Windows Server 2022 and KB5017382 for Azure Stack HCI (Azure Local), version 21H2. (Get-Cluster).MaximumParallelMigrations = 2 The example above sets the cluster property MaximumParallelMigrations to a value of 2, limiting the number of live migrations that a cluster node can participate in. Both existing and new cluster nodes inherit this value of 2 because it's a cluster property. Setting the cluster property overrides any values configured using the Set-VMHost command." Network ATC in Azure Local 22H2+ and Windows Server 2025+: When using Network ATC in Windows Server 2025 and Azure Local, it will set the live migration to 1 per default and enforce this across all cluster nodes. Disregarding the Cluster Settings above or Local Hyper-V Settings. To change the number of live migration you can specify a cluster-wide override in Network ATC. Conclusion: The default values for live migration have been changes. The global cluster setting or Network ATC forcing these down to the Hyper-V hosts based on Windows Server 2022+/ Azure Local nodes and ensure consistency. Previously we thought this would happen after using Windows Admin Center (WAC) when opening the WAC cluster settings, but this was not the initial cause. Finding references: Later the day, as my interest grew about this change I found an official announcement. In agreement to another article, on optimizing live migrations, the default value should be 2, but for some reason at most customers, even on fresh installations and clusters, it is set to 1. TLDR: 1. Stop bothering on changing the Livemigration setting manually or PowerShell or DSC / Policy. 2. Today and in future train your muscle memory to change live migration at cluster level with Get-Cluster, or via Network ATC overrides. These will be forced down quite immediately to all nodes and will be automatically corrected if there is any configuration drift on a node. 3. Check and set the live migration value to 2 as per default and follow these recommendations: Optimizing Hyper-V Live Migrations on an Hyperconverged Infrastructure | Microsoft Community Hub Optimizing your Hyper-V hosts | Microsoft Community Hub 4. You can stop blaming WAC or overeager colleagues for changing the LM settings to undesirable values over and over. Starting with Windows Admin Center (WAC) 2306, you can set the Live Migration Settings at cluster level in Cluster > Settings. Happy Clustering! 😀
