MC586070 – Reminder: Security hardening changes for Netlogon and Kerberos coming in June and July 2023 (archived)

cloudscout.one Icon

check before: 2023-06-27

Product:

Office 365 general, Windows Server

Platform:

World tenant

Status:

Change type:

Admin impact

Links:

Details:

The November 8, 2022 and later Windows updates are crucial in addressing two important security vulnerabilities, both impacting Windows Server domain controllers (DC):
Weaknesses in the Netlogon protocol when RPC signing is used instead of RPC sealing. Find more information in CVE-2022-38023.
Kerberos security bypass and elevation of privilege vulnerabilities involving alteration of Privilege Attribute Certificate (PAC) signatures. Find more information in CVE-2022-37967.


All domain-joined, machine accounts are affected by these vulnerabilities. Review the below KB entries to understand the options available for configuring these changing security requirements in your environment, as well as monitor for warnings and issues.
KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023
KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967


When will this happen:
As previously announced, the following changes are coming into effect with Windows updates released on and after June 13, 2023:


Netlogon protocol changes:
June 13, 2023: enforcement for Netlogon protocol using RPC sealing will be enabled on all domain controllers. Vulnerable connections from non-compliant devices will be blocked. It is still possible to remove this enforcement until July 2023.
July 11, 2023: full enforcement of RPC sealing will begin and cannot be removed.

Kerberos protocol changes:
June 13: 2023: the ability to disable PAC signature addition will no longer be available. Domain controllers with the November 2022 security update or later will have signatures added to the Kerberos PAC Buffer.
July 11, 2023: verification of signature will begin and cannot be prevented. Connections for missing or invalid signatures will continue to be allowed with an "Audit mode" setting. However, they will be denied authentication beginning October 2023.

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:

Created:
2023-06-14

updated:
2023-06-14

Task Type

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS How does it affect me

XXXXXXX ... free basic plan only

MS Preperations

XXXXXXX ... free basic plan only

MS Urgency

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

** AI generated content. This information is not reliable.

the free basic plan is required to see all details. Sign up here


Last updated 5 months ago

Share to MS Teams

Login to your account

Welcome Back, We Missed You!