check before: 2025-05-01
Product:
SharePoint, Windows, Windows Server
Platform:
Online, World tenant
Status:
Change type:
Admin impact
Links:
Details:
(Update: This post was updated to clarify that the change was Enabled by Default on Windows Server 2025 in May 2025 and to add information about how to configure this change.)
Microsoft has introduced a hardening change to strengthen the Microsoft RPC Netlogon protocol by blocking RPC anonymous requests used to locate domain controllers. This change was Enabled by Default in the May 2025 Windows security update for Windows Server 2025, and in the July 2025 Windows security update for all supported versions from Windows Server 2008 SP2 through Windows Server 2022. This change is configurable by policy after installing the August 2025 Windows security update. See the article, KB5066014-Netlogon RPC Hardening (CVE-2025-49716), for details.
After applying these updates and subsequent updates, Active Directory domain controllers will reject certain anonymous RPC requests. This may affect interoperability with services like Samba unless they are updated to meet the new access requirements.
To prepare for this update, review your environment for any dependencies on anonymous Netlogon RPC requests. If your organization uses Samba, refer to the Samba release notes for guidance on compatibility. It is also recommended to test the update in a staging environment to identify and address any potential disruptions before full deployment.
For more information, see the May or July KB update article that matches your server version's security update.
Release Phase:
Created:
2025-07-11
updated:
2025-08-14
Direct effects for Operations**
Interoperability Issues with Samba
Blocking anonymous RPC requests may lead to compatibility issues with Samba services, potentially disrupting file sharing and authentication processes.
- roles: System Administrator, Network Engineer
- references: https://support.microsoft.com/topic/kb5066014-netlogon-rpc-hardening-cve-2025-49716-38a0bc06-507c-47d4-be0f-ca1acab02c68, https://www.samba.org/samba/history/samba-4.22.3.html
User Authentication Failures
Users may experience authentication failures if their systems rely on anonymous RPC requests to access domain controllers, leading to access issues.
- roles: End User, Help Desk Support
- references: https://support.microsoft.com/topic/july-8-2025-kb5062572-os-build-20348-3932-d78a2b2a-1ce8-45ee-85a0-e51a897ec67f, https://learn.microsoft.com/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f
Increased Support Tickets
The change may result in a surge of support tickets from users facing issues due to the hardening, impacting IT support resources.
- roles: Help Desk Support, IT Manager
- references: https://support.microsoft.com/topic/kb5066014-netlogon-rpc-hardening-cve-2025-49716-38a0bc06-507c-47d4-be0f-ca1acab02c68, https://support.microsoft.com/topic/may-13-2025-kb5058411-os-build-26100-4061-57181688-a692-49e5-b6cd-6e3919da12ca
Service Downtime
Services that depend on anonymous RPC requests may experience downtime if not properly updated to comply with the new security settings.
- roles: System Administrator, Application Owner
- references: https://support.microsoft.com/topic/july-8-2025-kb5062572-os-build-20348-3932-d78a2b2a-1ce8-45ee-85a0-e51a897ec67f, https://www.samba.org/samba/history/samba-4.22.3.html
Increased Configuration Complexity
The need to configure policies post-update may lead to increased complexity in system management, requiring additional training or resources.
- roles: System Administrator, IT Manager
- references: https://support.microsoft.com/topic/kb5066014-netlogon-rpc-hardening-cve-2025-49716-38a0bc06-507c-47d4-be0f-ca1acab02c68, https://learn.microsoft.com/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f
Opportunities**
Enhanced Security Compliance
By adopting the hardening change for the Microsoft RPC Netlogon protocol, organizations can significantly enhance their security posture against unauthorized access attempts, especially those exploiting anonymous requests. This is particularly crucial for organizations handling sensitive data or regulated information.
- next-steps: Conduct a security audit to identify potential vulnerabilities related to the RPC Netlogon protocol. Implement the hardening changes in a controlled environment and evaluate the impact on existing services.
- roles: IT Security Manager, System Administrator, Compliance Officer
- references: https://learn.microsoft.com/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f, https://support.microsoft.com/topic/kb5066014-netlogon-rpc-hardening-cve-2025-49716-38a0bc06-507c-47d4-be0f-ca1acab02c68
Improved Service Interoperability
Reviewing and updating services like Samba in light of the new access requirements will ensure continued interoperability and prevent service disruptions. This proactive approach can help maintain seamless operations across different platforms.
- next-steps: Engage with the Samba team to understand the necessary updates and test these changes in a staging environment to ensure compatibility with the hardening changes before deployment.
- roles: System Administrator, Network Engineer, IT Operations Manager
- references: https://www.samba.org/samba/history/samba-4.22.3.html
Streamlined IT Operations
By preparing for the update and identifying dependencies on anonymous RPC requests, IT can streamline operations by reducing the risk of unexpected disruptions and improving overall service reliability.
- next-steps: Create a dependency mapping for all services using the Netlogon RPC protocol and assess their compatibility with the new security measures. Develop a communication plan to inform affected users about potential changes.
- roles: IT Operations Manager, System Administrator, Help Desk Manager
- references: https://support.microsoft.com/topic/july-8-2025-kb5062572-os-build-20348-3932-d78a2b2a-1ce8-45ee-85a0-e51a897ec67f
** AI generated content. This information must be reviewed before use.
change history
| Date | Property | Old | New |
| --- | --- | --- | --- |
| 2025-08-14 | MC Messages | (Update: This post was updated to clarify that the change was Enabled by Default on Windows Server 2025 in May 2025 and to add information about how to configure this change.) Microsoft has introduced a hardening change to strengthen the Microsoft RPC Netlogon protocol by blocking RPC anonymous requests used to locate domain controllers. This change was Enabled by Default in the May 2025 Windows security update for Windows Server 2025, and in the July 2025 Windows security update for all supported versions from Windows Server 2008 R2 through Windows Server 2022. This change is configurable by policy after installing the August 2025 Windows security update. See the article, KB5066014-Netlogon RPC Hardening (CVE-2025-49716), for details. After applying these updates and subsequent updates, Active Directory domain controllers will reject certain anonymous RPC requests. This may affect interoperability with services like Samba unless they are updated to meet the new access requirements. To prepare for this update, review your environment for any dependencies on anonymous Netlogon RPC requests. If your organization uses Samba, refer to the Samba release notes for guidance on compatibility. It is also recommended to test the update in a staging environment to identify and address any potential disruptions before full deployment. For more information, see the May or July KB update article that matches your server version's security update. | (Update: This post was updated to clarify that the change was Enabled by Default on Windows Server 2025 in May 2025 and to add information about how to configure this change.) Microsoft has introduced a hardening change to strengthen the Microsoft RPC Netlogon protocol by blocking RPC anonymous requests used to locate domain controllers. This change was Enabled by Default in the May 2025 Windows security update for Windows Server 2025, and in the July 2025 Windows security update for all supported versions from Windows Server 2008 SP2 through Windows Server 2022. This change is configurable by policy after installing the August 2025 Windows security update. See the article, KB5066014-Netlogon RPC Hardening (CVE-2025-49716), for details. After applying these updates and subsequent updates, Active Directory domain controllers will reject certain anonymous RPC requests. This may affect interoperability with services like Samba unless they are updated to meet the new access requirements. To prepare for this update, review your environment for any dependencies on anonymous Netlogon RPC requests. If your organization uses Samba, refer to the Samba release notes for guidance on compatibility. It is also recommended to test the update in a staging environment to identify and address any potential disruptions before full deployment. For more information, see the May or July KB update article that matches your server version's security update. |
| 2025-08-14 | MC IsMajorChange | True | False |
| 2025-08-14 | MC Start Time | 08/14/2025 00:12:08 | 2025-08-14T06:22:21Z |
| 2025-08-14 | MC Last Updated | 08/14/2025 00:12:10 | 2025-08-14T06:22:22Z |
| 2025-08-14 | MC End Time | 08/14/2026 00:12:08 | 2026-08-14T06:22:21Z |
| 2025-08-14 | MC prepare | https://learn.microsoft.com/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f https://support.microsoft.com/help/5051987 https://support.microsoft.com/help/5062572 https://support.microsoft.com/help/5062592 https://support.microsoft.com/help/5062597 https://support.microsoft.com/topic/july-8-2025-kb5062618-security-only-update-34a3726e-1e9b-4f72-a61b-b2d6f8c59835 https://support.microsoft.com/topic/july-8-2025-kb5062619-security-only-update-3bde872d-c66a-45e5-8d3c-a1e2608ccfde https://support.microsoft.com/topic/july-8-2025-kb5062624-monthly-rollup-ef8674af-85d1-49dd-8ba0-9535c77bfff1 https://support.microsoft.com/topic/july-8-2025-kb5062632-monthly-rollup-6b00fd29-2f8e-4167-8633-bd081870d49e https://www.samba.org/samba/history/samba-4.22.3.html | https://learn.microsoft.com/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f https://support.microsoft.com/topic/july-8-2025-kb5062572-os-build-20348-3932-d78a2b2a-1ce8-45ee-85a0-e51a897ec67f https://support.microsoft.com/topic/kb5066014-netlogon-rpc-hardening-cve-2025-49716-38a0bc06-507c-47d4-be0f-ca1acab02c68 https://support.microsoft.com/topic/may-13-2025-kb5058411-os-build-26100-4061-57181688-a692-49e5-b6cd-6e3919da12ca https://www.samba.org/samba/history/samba-4.22.3.html |
| 2025-08-14 | MC Last Updated | 07/10/2025 20:46:01 | 2025-08-14T00:12:10Z |
| 2025-08-14 | MC Messages | As part of our ongoing commitment to security, we're introducing a hardening change to the Microsoft RPC Netlogon protocol. This update strengthens access controls by blocking anonymous RPC requests that could previously be used to locate domain controllers. This change is not configurable and cannot be reverted via policy. When this will happen: This change was introduced in the July 2025 Windows security update for all supported versions of Windows Server from Windows Server 2008 R2 through Windows Server 2022. For Windows Server 2025, the change was included in the February 2025 Windows security update and subsequent updates. | (Update: This post was updated to clarify that the change was Enabled by Default on Windows Server 2025 in May 2025 and to add information about how to configure this change.) Microsoft has introduced a hardening change to strengthen the Microsoft RPC Netlogon protocol by blocking RPC anonymous requests used to locate domain controllers. This change was Enabled by Default in the May 2025 Windows security update for Windows Server 2025, and in the July 2025 Windows security update for all supported versions from Windows Server 2008 R2 through Windows Server 2022. This change is configurable by policy after installing the August 2025 Windows security update. See the article, KB5066014-Netlogon RPC Hardening (CVE-2025-49716), for details. After applying these updates and subsequent updates, Active Directory domain controllers will reject certain anonymous RPC requests. This may affect interoperability with services like Samba unless they are updated to meet the new access requirements. To prepare for this update, review your environment for any dependencies on anonymous Netlogon RPC requests. If your organization uses Samba, refer to the Samba release notes for guidance on compatibility. It is also recommended to test the update in a staging environment to identify and address any potential disruptions before full deployment. For more information, see the May or July KB update article that matches your server version's security update. |
| 2025-08-14 | MC End Time | 07/10/2026 20:46:00 | 2026-08-14T00:12:08Z |
| 2025-08-14 | MC Start Time | 07/10/2025 20:46:00 | 2025-08-14T00:12:08Z |
| 2025-08-14 | MC Title | Security hardening for Microsoft RPC Netlogon protocol | (Updated) Security hardening for Microsoft RPC Netlogon protocol |
| 2025-08-14 | MC How Affect | After installing the applicable Windows security update, Active Directory domain controllers will reject certain anonymous RPC requests made through the Netlogon RPC server. These requests are typically used for domain controller location and may impact interoperability with some third-party file and print services, including Samba. If your organization uses Samba or similar services, you may experience disruptions unless those services are updated to comply with the new access requirements. What you can do to prepare: Review your environment for dependencies on anonymous Netlogon RPC requests. If your organization uses Samba, please refer to the Samba release notes for guidance on compatibility. Test the update in a staging environment before broad deployment to identify any potential service disruptions. Additional information: This change has been documented in the KB articles associated to the updates introducing the new security hardening: Windows Server 2025: https://support.microsoft.com/help/5051987; Windows Server 2025 Datacenter: Azure Edition (Hotpatch Baseline): https://support.microsoft.com/help/5051987; Windows Server 2022: https://support.microsoft.com/help/5062572; Windows Server 2022 Datacenter: Azure Edition (Hotpatch Baseline): https://support.microsoft.com/help/5062572; Windows Server 2012 R2: https://support.microsoft.com/help/5062597; Windows Server 2012: https://support.microsoft.com/help/5062592; Windows Server 2008 R2 SP1: https://support.microsoft.com/help/5062632 / https://support.microsoft.com/help/5062619; Windows Server 2008 SP2: https://support.microsoft.com/help/5062624 / https://support.microsoft.com/help/5062618 |