Small reminder for administrators in the Windows environment. In 2023, Microsoft continues to roll out various hardening measures for Windows systems (DCOM authentication, Kerberos, Netjoin/Domain Join, etc.). These hardening measures are delivered in stages through the monthly updates. Even though one hardening measure was postponed again recently, there are a few dates in the coming months that Windows administrators should keep in mind.
The topic has been floating around in various places. For example, Microsoft had admittedly moved its phased enforcement schedules for the Netlogon protocol (due to CVE-2022-38023) and the Kerberos protocol from April 11, 2023, to June 13, 2023. But the Windows update of April 11, 2023 already removed the ability to disable RPC sealing in the registry.
A German blog reader had also pointed out to me in March 2023, in connection with the update of March 14, 2023—KB5023706 (OS Build 22621.1413), changes to NetJoin that will become relevant in autumn. The reader wrote:
However, the information in March 14, 2023—KB5023706 (OS Build 22621.1413) applies to all OS (W10, W11 21H2, W11 22H2)
Everything new is in [March 14] brackets. In 6 months MS will probably switch off the "NetJoinLegacyAccountReuse" key. So many (all?) companies have to do it again now.
I don't know yet whether MS will row back here or only make things worse. I'm waiting for the colleagues from AD myself.
Maybe you can inform the "world" again like in October 2022. This time, however, it is in the actual article and you do not (actually) have to search for it, but some might underestimate the importance and the testing and conversion effort.
I had addressed the issue last year in the blog post Windows October 2022 Patchday: Fix for Domain Join Hardening (CVE-2022-38042) prevents domain join. So in October 2023 there will be the next change – but the reader's reference to the testing effort prompted me to raise the issue again here.
Microsoft's schedule as an overview
A few days ago, colleagues here noticed the Microsoft post Latest Windows hardening guidance and key dates of April 28, 2023, in which Microsoft lists the dates for the various hardening measures. I've pulled out the relevant dates:
Hardening changes by month
Consult the details for all upcoming hardening changes by month to help you plan for each phase and final enforcement.
- Netlogon protocol changes KB5021130 | Phase 2
  Initial enforcement; removes the ability to disable RPC sealing by setting the RequireSeal registry value to 0.
- Certificate-based authentication KB5014754 | Phase 2
  Removes Disabled mode.
- Netlogon protocol changes KB5021130 | Phase 3
  Enforcement by default. The RequireSeal value will be moved to Enforcement mode unless you explicitly configure it to be in Compatibility mode.
- Kerberos PAC Signatures KB5020805 | Phase 3
  Removes the ability to disable PAC signature addition by setting the KrbtgtFullPacSignature value to 0.
- Netlogon protocol changes KB5021130 | Phase 4
  Final enforcement. The RequireSeal value will be moved to Enforcement mode unless you explicitly configure it to be in Compatibility mode.
- Kerberos PAC Signatures KB5020805 | Phase 4
  Enforcement mode as default (KrbtgtFullPacSignature = 3), which you can override with an explicit Audit setting.
- Kerberos PAC Signatures KB5020805 | Phase 5
  Final, full enforcement.
- Certificate-based authentication KB5014754 | Phase 3
  Final, full enforcement.
- Active Directory (AD) permissions issue KB5008383 | Phase 5
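As an added example (not from the blog post or from Microsoft), here is a PowerShell inventory of the registry overrides the schedule above refers to, so you can see before each phase which machines still rely on a setting that is about to stop being honored. The registry paths and value meanings are assumptions taken from the cited Microsoft KB articles (and from KB5020276 for the NetJoin key, which this post does not cite); check them against the current KB text before relying on the output.

```powershell
# Added example: inventory the registry overrides named in the hardening schedule.
# RequireSeal, KrbtgtFullPacSignature and StrongCertificateBindingEnforcement matter on
# domain controllers; NetJoinLegacyAccountReuse on the machines performing domain joins.
# Paths and value meanings are assumed from KB5021130, KB5020805, KB5014754, KB5020276.
$checks = @(
    @{ KB = 'KB5021130'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'RequireSeal'; Legacy = 0
       Meaning = @{ 0 = 'Disabled (no longer honored after Phase 2)'; 1 = 'Compatibility'; 2 = 'Enforcement' } },
    @{ KB = 'KB5020805'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
       Name = 'KrbtgtFullPacSignature'; Legacy = 0
       Meaning = @{ 0 = 'Disabled (no longer honored after Phase 3)'; 1 = 'Add signatures, no verification'
                    2 = 'Audit'; 3 = 'Enforcement' } },
    @{ KB = 'KB5014754'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
       Name = 'StrongCertificateBindingEnforcement'; Legacy = 0
       Meaning = @{ 0 = 'Disabled (removed in Phase 2)'; 1 = 'Compatibility'; 2 = 'Full Enforcement' } },
    @{ KB = 'KB5020276'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'NetJoinLegacyAccountReuse'; Legacy = 1
       Meaning = @{ 0 = 'Hardened account-reuse check'; 1 = 'Legacy reuse allowed (expected to be switched off)' } }
)

function Get-HardeningOverride {
    # Reads one override and reports whether it is an explicit value the schedule says will stop working.
    param([hashtable]$Check)
    $prop = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        $value = $null
        $state = 'not set (OS default for the current phase applies)'
    } else {
        $value = [int]$prop.($Check.Name)
        $state = if ($Check.Meaning.ContainsKey($value)) { $Check.Meaning[$value] } else { "unknown value $value" }
    }
    [pscustomobject]@{
        KB             = $Check.KB
        Value          = $Check.Name
        Setting        = $value
        State          = $state
        NeedsAttention = ($value -eq $Check.Legacy)   # explicit override that a later phase ignores
    }
}

# Usage: run elevated on the relevant machine; rows with NeedsAttention = True need a test plan before the phase date.
$checks | ForEach-Object { Get-HardeningOverride -Check $_ } | Format-Table -AutoSize
```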