SharePoint SE November 2022 Updates

The SharePoint SE November 2022 Updates have been released.

Product KB Article
SharePoint Server SE (sts-x-none) https://support.microsoft.com/topic/description-of-the-security-update-for-sharepoint-server-subscription-edition-november-8-2022-kb5002296-f6c47ad6-692f-4617-ae12-9ca05fa96e39
SharePoint Server SE (wssmui) https://support.microsoft.com/topic/description-of-the-security-update-for-sharepoint-server-subscription-edition-language-pack-november-8-2022-kb5002291-cd7749b3-0293-4d70-b836-eabf28ab5995
Office Online Server https://support.microsoft.com/topic/description-of-the-security-update-for-office-online-server-november-8-2022-kb5002276-469f0d34-dcea-44ba-acab-fb9f62a90ba6
Office Updates https://support.microsoft.com/topic/november-2022-updates-for-microsoft-office-e6b5a7c3-6d58-49fc-abf3-bfee61caba68

For all SharePoint updates, visit SharePoint Updates.

SharePoint 2019 November 2022 Updates

The SharePoint 2019 November 2022 Updates have been released.

Product KB Article
SharePoint Server 2019 (sts-x-none) https://support.microsoft.com/topic/description-of-the-security-update-for-sharepoint-server-2019-november-8-2022-kb5002294-858d340d-dbd0-44ff-b2a9-b9105f1b6e77
SharePoint Server 2019 (wssmui) https://support.microsoft.com/topic/description-of-the-security-update-for-sharepoint-server-2019-language-pack-november-8-2022-kb5002295-beb85f7c-23b1-436d-ab37-09fdb26631f9
Office Online Server https://support.microsoft.com/topic/description-of-the-security-update-for-office-online-server-november-8-2022-kb5002276-469f0d34-dcea-44ba-acab-fb9f62a90ba6
Office Updates https://support.microsoft.com/topic/november-2022-updates-for-microsoft-office-e6b5a7c3-6d58-49fc-abf3-bfee61caba68

For all SharePoint updates, visit SharePoint Updates.

Active Directory Non-Critical Attribute Logging

Active Directory has an advanced auditing feature where by a certain set of attributes can be logged to the Security Event Log on Domain Controllers. This setting is enabled via a Group Policy Object. The issue with this audit logging is that it will not log attribute changes to objects that are considered ‘non-critical’. Per the Microsoft documentation on the GPO setting Audit Directory Services Changes:

Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.

For example, physicalDeliveryOfficeName and l (location) are not logged when changed. However, we can get around this!

The first step is to modify the Default Domain Controller GPO (or a GPO applied to Domain Controllers) by navigating to GPO under Computer Configuration\Policies\Windows Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access and setting Audit Directory Service Changes to Success. Failures are not logged, even if the GPO is set to include them.

active-directory-gpo-ds-auditing

The second step is to add a Domain Group to the object you want to report to the Security Event Log on your Domain Controller(s). Note that the built-in group Everyone will not work. In this example, the group Domain Admins are audited. For your particular scenario, check the object’s security to see which group(s) have write attributes rights.

active-directory-user-audit-security

Once created, using Active Directory Users and Computers or the ADSIEdit MMC, you can modify an attribute like physicalDeliveryOfficeName and monitor the changes on the Domain Controller Security Event Log. Two events with an Event ID of 5136 will be created – one with the old value and a second with the new value. Below is an example of a change from an old value (first event) to a new value (second event).

Log Name:      Security 
Source:        Microsoft-Windows-Security-Auditing
Date:          11/3/2022 7:31:29 PM
Event ID:      5136
Task Category: Directory Service Changes
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      WIN-H075793E01J.lab01.cobaltatom.com
Description:
A directory service object was modified.

Subject:
Security ID: LAB01\administrator
Account Name: Administrator
Account Domain: LAB01
Logon ID: 0x38266

Directory Service:
Name: lab01.cobaltatom.com
Type: Active Directory Domain Services

Object:
DN: CN=User01,OU=Test,DC=lab01,DC=cobaltatom,DC=com
GUID: CN=User01,OU=Test,DC=lab01,DC=cobaltatom,DC=com
Class: user

Attribute:
LDAP Display Name: physicalDeliveryOfficeName
Syntax (OID): 2.5.5.12
Value: Building1-Floor1-Office1

Operation:
Type: Value Deleted
Correlation ID: {dc2a2f96-ca0f-433e-99f5-26c38ae92ec8}
Application Correlation ID: -
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>5136</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14081</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2022-11-04T02:31:29.420923600Z" />
    <EventRecordID>3357</EventRecordID>
    <Correlation />
    <Execution ProcessID="720" ThreadID="844" />
    <Channel>Security</Channel>
    <Computer>WIN-H075793E01J.lab01.cobaltatom.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="OpCorrelationID">{dc2a2f96-ca0f-433e-99f5-26c38ae92ec8}</Data>
    <Data Name="AppCorrelationID">-</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3029060990-3727371411-1592290629-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">LAB01</Data>
    <Data Name="SubjectLogonId">0x38266</Data>
    <Data Name="DSName">lab01.cobaltatom.com</Data>
    <Data Name="DSType">%%14676</Data>
    <Data Name="ObjectDN">CN=User01,OU=Test,DC=lab01,DC=cobaltatom,DC=com</Data>
    <Data Name="ObjectGUID">{d1d6e424-7565-44f6-8e27-98d50294ced2}</Data>
    <Data Name="ObjectClass">user</Data>
    <Data Name="AttributeLDAPDisplayName">physicalDeliveryOfficeName</Data>
    <Data Name="AttributeSyntaxOID">2.5.5.12</Data>
    <Data Name="AttributeValue">Building1-Floor1-Office1</Data>
    <Data Name="OperationType">%%14675</Data>
  </EventData>
</Event>

New value:

Log Name:      Security 
Source:        Microsoft-Windows-Security-Auditing
Date:          11/3/2022 7:31:29 PM
Event ID:      5136
Task Category: Directory Service Changes
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      WIN-H075793E01J.lab01.cobaltatom.com
Description:
A directory service object was modified.

Subject:
Security ID: LAB01\administrator
Account Name: Administrator
Account Domain: LAB01
Logon ID: 0x38266

Directory Service:
Name: lab01.cobaltatom.com
Type: Active Directory Domain Services

Object:
DN: CN=User01,OU=Test,DC=lab01,DC=cobaltatom,DC=com
GUID: CN=User01,OU=Test,DC=lab01,DC=cobaltatom,DC=com
Class: user

Attribute:
LDAP Display Name: physicalDeliveryOfficeName
Syntax (OID): 2.5.5.12
Value: Building2-Floor2-Office2

Operation:
Type: Value Added
Correlation ID: {dc2a2f96-ca0f-433e-99f5-26c38ae92ec8}
Application Correlation ID: -
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>5136</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14081</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2022-11-04T02:31:29.420927500Z" />
    <EventRecordID>3358</EventRecordID>
    <Correlation />
    <Execution ProcessID="720" ThreadID="844" />
    <Channel>Security</Channel>
    <Computer>WIN-H075793E01J.lab01.cobaltatom.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="OpCorrelationID">{dc2a2f96-ca0f-433e-99f5-26c38ae92ec8}</Data>
    <Data Name="AppCorrelationID">-</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3029060990-3727371411-1592290629-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">LAB01</Data>
    <Data Name="SubjectLogonId">0x38266</Data>
    <Data Name="DSName">lab01.cobaltatom.com</Data>
    <Data Name="DSType">%%14676</Data>
    <Data Name="ObjectDN">CN=User01,OU=Test,DC=lab01,DC=cobaltatom,DC=com</Data>
    <Data Name="ObjectGUID">{d1d6e424-7565-44f6-8e27-98d50294ced2}</Data>
    <Data Name="ObjectClass">user</Data>
    <Data Name="AttributeLDAPDisplayName">physicalDeliveryOfficeName</Data>
    <Data Name="AttributeSyntaxOID">2.5.5.12</Data>
    <Data Name="AttributeValue">Building2-Floor2-Office2</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>

SharePoint SE October 2022 Updates

The SharePoint SE October 2022 Updates have been released.

Product KB Article
SharePoint Server SE (sts-x-none) https://support.microsoft.com/topic/description-of-the-security-update-for-sharepoint-server-subscription-edition-october-11-2022-kb5002290-29091e4f-76fc-461e-abf0-233875cc1c69
Office Updates https://support.microsoft.com/topic/october-2022-updates-for-microsoft-office-4ebed600-ca67-4182-9377-59bf9b8650f0

For all SharePoint updates, visit SharePoint Updates.

SharePoint 2019 October 2022 Updates

The SharePoint 2019 October 2022 Updates have been released.

Product KB Article
SharePoint Server 2019 (sts-x-none) https://support.microsoft.com/topic/description-of-the-security-update-for-sharepoint-server-2019-october-11-2022-kb5002278-4ce6ce36-933a-49b0-abbf-b7d57872078f
SharePoint Server 2019 (wssmui) https://support.microsoft.com/topic/october-11-2022-update-for-sharepoint-server-2019-language-pack-kb5002277-6a168703-198d-4c28-8ca6-eda498a8d590
Office Updates https://support.microsoft.com/topic/october-2022-updates-for-microsoft-office-4ebed600-ca67-4182-9377-59bf9b8650f0

For all SharePoint updates, visit SharePoint Updates.