Windows hardening: Guidance and key dates 2023

Small reminder for administrators in the Windows environment. In 2023, Microsoft will continue to implement various hardening measures for Windows systems (DCOM authentication, Kerberos, Netjoin/Domain Join, etc.). These hardening measures will be rolled out in stages through monthly updates. Even though another hardening measure was postponed recently, there are a few dates coming up in the next few months for Windows administrators to keep in mind.



The topic has come up in various places. For example, Microsoft did move its phased enforcement schedules for the Netlogon protocol (due to CVE-2022-38023) and the Kerberos protocol from April 11, 2023, to June 13, 2023. However, the Windows update of April 11, 2023 already removed the ability to disable RPC sealing in the registry.

In addition, a German blog reader had already pointed out to me in March 2023, in connection with the update March 14, 2023—KB5023706 (OS Build 22621.1413), changes to NetJoin that will become relevant in autumn. The reader wrote:

However, the information in March 14, 2023—KB5023706 (OS Build 22621.1413) applies to all OS (W10, W11 21H2, W11 22H2)

KB5020276—Netjoin: Domain join hardening changes – Microsoft Support

Everything new is in [March 14] brackets. In 6 months MS will probably switch off the "NetJoinLegacyAccountReuse" key. So many (all?) companies have to do it again now.

I don't know yet whether MS will row back here or only make things worse. I'm waiting for the colleagues from AD myself.

Maybe you can inform the "world" again like in October 2022. This time, however, it is in the actual article and you do not have to search (actually), but the importance and the test effort and conversion effort some might underestimate.

I had addressed the issue last year in the blog post Windows October 2022 Patchday: Fix for Domain Join Hardening (CVE-2022-38042) prevents domain join. So in October 2023 there will be the next change – but the reader's reference to the testing effort prompted me to raise the issue again here.

Microsoft's schedule as an overview

Colleagues here noticed a few days ago the Microsoft post Latest Windows hardening guidance and key dates from April 28, 2023, where Microsoft lists the various dates for various hardening measures. I've pulled out the relevant dates:

Hardening changes by month

Consult the details for all upcoming hardening changes by month to help you plan for each phase and final enforcement.

April 2023

  • Netlogon protocol changes KB5021130 | Phase 2
    Initial enforcement; removes the ability to disable RPC sealing by setting value 0 to the RequireSeal registry subkey.
  • Certificate-based authentication KB5014754 | Phase 2
    Removes Disabled mode.

June 2023

  • Netlogon protocol changes KB5021130 | Phase 3
    Enforcement by default. RequireSeal subkey will be moved to Enforcement mode unless you explicitly configure it to be under Compatibility mode.
  • Kerberos PAC Signatures KB5020805 | Phase 3
    Removes the ability to disable PAC signature addition by setting the KrbtgtFullPacSignature subkey to a value of 0.

July 2023

  • Netlogon protocol changes KB5021130 | Phase 4
    Final enforcement. RequireSeal subkey will be moved to Enforcement mode unless you explicitly configure it to be under Compatibility mode.
  • Kerberos PAC Signatures KB5020805 | Phase 4
    Enforcement mode as default (KrbtgtFullPacSignature = 3), which you can override with an explicit Audit setting.

October 2023

  • Kerberos PAC Signatures KB5020805 | Phase 5
    Final, full enforcement.

November 2023

  • Certificate-based authentication KB5014754 | Phase 3
    Final, full enforcement.

January 2024

  • Active Directory (AD) permissions issue KB5008383 | Phase 5
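
To see which of these phases touch a given domain controller, the schedule can be applied to the values collected from each machine. The following Python code is an added example, not code from Microsoft or from the original post. It assumes the registry values were already exported per host; the host names are constructed, and the numeric meanings of RequireSeal 1/2 and KrbtgtFullPacSignature 1/2 are assumptions taken from KB5021130 and KB5020805, not stated on this page.

```python
from datetime import date

# Phases are (year, month) as listed in the schedule above. Values 0 and 3 are
# stated there; RequireSeal 1/2 (Compatibility/Enforcement) and
# KrbtgtFullPacSignature 1/2 (below Enforcement) are assumptions taken from
# KB5021130 and KB5020805. None means the value is not set on the host.
RULES = [
    ("RequireSeal", {0}, (2023, 4), "value 0 (RPC sealing disabled) no longer honored"),
    ("RequireSeal", {None}, (2023, 6), "unset value defaults to Enforcement mode"),
    ("RequireSeal", {1}, (2023, 7), "explicit Compatibility mode; phase is listed as final enforcement"),
    ("KrbtgtFullPacSignature", {0}, (2023, 6), "value 0 (no PAC signatures) no longer honored"),
    ("KrbtgtFullPacSignature", {None}, (2023, 7), "unset value defaults to Enforcement (3)"),
    ("KrbtgtFullPacSignature", {1, 2}, (2023, 10), "override ends with final, full enforcement"),
]


def review(settings, today):
    """Return (value name, status, note) for every phase the host's values hit.

    Status is decided by month, because the schedule only lists months.
    """
    now = (today.year, today.month)
    findings = []
    for name, values, phase, note in RULES:
        if settings.get(name) in values:
            status = "IN EFFECT" if phase <= now else "UPCOMING"
            findings.append((name, status, f"{phase[0]}-{phase[1]:02d}: {note}"))
    return findings


# Constructed sample inventory (hypothetical host names and values).
INVENTORY = {
    "dc01": {"RequireSeal": 0, "KrbtgtFullPacSignature": 2},
    "dc02": {},
    "dc03": {"RequireSeal": 2, "KrbtgtFullPacSignature": 3},
}

if __name__ == "__main__":
    for host, settings in INVENTORY.items():
        rows = review(settings, date(2023, 5, 15)) or [("-", "OK", "no action")]
        for name, status, note in rows:
            print(f"{host:6} {name:24} {status:10} {note}")
```

Hosts that report nothing already run with explicit Enforcement values; everything else is a candidate for testing before the listed month.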
