MC586070 – Reminder: Security hardening changes for Netlogon and Kerberos coming in June and July 2023 (archived)

check before: 2023-06-27

Product:

Office 365 general

Platform:

World tenant

Status:

Change type:

Admin impact

Links:

Details:

The November 8, 2022 and later Windows updates are crucial in addressing two important security vulnerabilities, both impacting Windows Server domain controllers (DC):
Weaknesses in the Netlogon protocol when RPC signing is used instead of RPC sealing. Find more information in CVE-2022-38023.
Kerberos security bypass and elevation of privilege vulnerabilities involving alteration of Privilege Attribute Certificate (PAC) signatures. Find more information in CVE-2022-37967.


All domain-joined machine accounts are affected by these vulnerabilities. Review the KB entries below to understand the options available for configuring these changing security requirements in your environment, and to monitor for warnings and issues.
KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023
KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967


When will this happen:
As previously announced, the following changes are coming into effect with Windows updates released on and after June 13, 2023:


Netlogon protocol changes:
June 13, 2023: enforcement for Netlogon protocol using RPC sealing will be enabled on all domain controllers. Vulnerable connections from non-compliant devices will be blocked. It is still possible to remove this enforcement until July 2023.
July 11, 2023: full enforcement of RPC sealing will begin and cannot be removed.

Kerberos protocol changes:
June 13, 2023: the ability to disable PAC signature addition will no longer be available. Domain controllers with the November 2022 security update or later will have signatures added to the Kerberos PAC Buffer.
July 11, 2023: verification of signatures will begin and cannot be prevented. Connections with missing or invalid signatures will continue to be allowed with an "Audit mode" setting. However, they will be denied authentication beginning October 2023.
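
Added example (not part of the original notice or of Microsoft's KB articles): a read-only PowerShell check, run locally on a domain controller, that reports the current Netlogon and Kerberos hardening mode and counts the related warning events from the last 30 days. The registry value names (RequireSeal, KrbtgtFullPacSignature), their modes and the event IDs are taken from KB5021130 and KB5020805, not from this page; the 30-day window is an arbitrary assumption.

```powershell
# Added example: read-only audit, intended to run on a domain controller.
# Registry values and event IDs are those documented in KB5021130 / KB5020805.
$settings = @(
    @{ Name  = 'RequireSeal'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Modes = @{ 0 = 'Disabled'; 1 = 'Compatibility mode'; 2 = 'Enforcement mode' } },
    @{ Name  = 'KrbtgtFullPacSignature'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
       Modes = @{ 0 = 'Disabled'; 1 = 'Signatures added, not verified'
                  2 = 'Audit mode'; 3 = 'Enforcement mode' } }
)

foreach ($s in $settings) {
    # Get-ItemProperty returns nothing when the value has never been set.
    $prop  = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.($s.Name) } else { $null }

    if ($null -eq $value) {
        $mode = 'Not set (default of the installed update applies)'
    } elseif ($s.Modes.ContainsKey([int]$value)) {
        $mode = $s.Modes[[int]$value]
    } else {
        $mode = 'Unrecognized value'
    }
    [pscustomobject]@{ Setting = $s.Name; Value = $value; Mode = $mode }
}

# Netlogon events 5838-5841 and KDC events 43/44 are written to the System log.
# IDs 43 and 44 are also used by unrelated providers, so filter on provider name.
$filter = @{
    LogName   = 'System'
    Id        = 5838, 5839, 5840, 5841, 43, 44
    StartTime = (Get-Date).AddDays(-30)   # assumption: 30-day look-back
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'NETLOGON|Kerberos-Key-Distribution-Center' } |
    Group-Object ProviderName, Id |
    Select-Object Count, Name,
        @{ n = 'Latest'
           e = { ($_.Group | Sort-Object TimeCreated -Descending |
                  Select-Object -First 1).TimeCreated } }
```

An empty event table means no matching warnings were logged in the window; any row identifies a device or ticket path to investigate before the enforcement dates listed above.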

Release Phase:

Created:
2023-06-14

updated:
2023-06-14
