Brief note before the first patchday in 2024: Microsoft is carrying out hardening measures for Windows (clients and servers) over longer periods of time, in which functions are secured via Windows Update on specific dates. Some of these hardening measures are also scheduled for 2024, with the final enforcement phase for the Active Directory (AD) permissions issue starting on December 15, 2023.
Hardening Windows against security threats is a key element of Microsoft's ongoing security strategy for protecting installations. This involves measures such as hardening DCOM authentication or hardening NetJoin (domain join). Microsoft has published a Techcommunity article, Latest Windows hardening guidance and key dates, which was last updated on November 27, 2023.
I became aware of the topic during the night via the above tweet from Thorsten and thought I would share it briefly – especially as there is also a comment on the topic of domain join here on the blog.
Hardening from 2024
The following image shows the "hardening changes" for 2024; the dates below are those given in Microsoft's Techcommunity article:
- January 2024: Active Directory (AD) permissions issue KB5008383 | Phase 5, Final enforcement. Update KB5008383 concerns Active Directory authorization updates that harden systems against CVE-2021-42291. CVE-2021-42291 resolves a vulnerability that allows certain users to set arbitrary values for security-related attributes of certain objects stored in Active Directory (AD). To exploit this vulnerability, a user must have sufficient permissions to create a computer account, for example if a user has been granted CreateChild permissions on computer objects. Such a user can create a computer account with a Lightweight Directory Access Protocol (LDAP) Add call that allows overly permissive access to the securityDescriptor attribute. In addition, creators and owners can change security-related attributes after an account has been created. Details can be found in the linked KB article.
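The two conditions described above (a non-privileged owner or creator of a computer object, and a DACL that hands out security-descriptor write rights) are exactly what an administrator wants to inventory before the final enforcement phase. The following PowerShell script is an added example, not code from the blog post or from Microsoft's KB article; it assumes the RSAT ActiveDirectory module and an account that can read computer objects, and the `$trustedOwners` list is a hypothetical set of principals that you would adjust for your own domain.

```powershell
# Added example: audit computer objects for the ownership and DACL conditions
# relevant to CVE-2021-42291 (KB5008383). Not from the blog post or the KB.
# Assumes the ActiveDirectory module (RSAT) and read access to computer objects.
Import-Module ActiveDirectory

# Hypothetical list of principals whose ownership of computer objects is expected.
$trustedOwners = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'Administrators')

# Rights that let the holder rewrite the security descriptor or the whole object.
$dangerousRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

function Test-TrustedPrincipal {
    param([string]$Name)
    # Compare the account part of 'DOMAIN\Name' against the trusted list.
    $short = ($Name -split '\\')[-1]
    return ($trustedOwners -contains $short)
}

$findings = foreach ($c in Get-ADComputer -Filter * -Properties nTSecurityDescriptor, 'mS-DS-CreatorSID') {
    $sd    = $c.nTSecurityDescriptor
    $owner = $sd.Owner   # e.g. 'CONTOSO\jdoe' or 'CONTOSO\Domain Admins'

    # mS-DS-CreatorSID is populated when a non-privileged account created the object
    # through the machine-account quota rather than through delegated rights.
    $creator = $null
    if ($c.'mS-DS-CreatorSID') {
        $raw = $c.'mS-DS-CreatorSID'
        $sid = if ($raw -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) } else { $raw }
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }
    }

    # Allow-ACEs that grant full control, DACL write or owner write to untrusted principals.
    $riskyAces = $sd.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $dangerousRights) -ne 0) -and
        -not (Test-TrustedPrincipal $_.IdentityReference.Value)
    }

    if (-not (Test-TrustedPrincipal $owner) -or $creator -or $riskyAces) {
        [pscustomobject]@{
            Computer   = $c.Name
            Owner      = $owner
            CreatorSID = $creator
            RiskyAces  = ($riskyAces | ForEach-Object { "$($_.IdentityReference): $($_.ActiveDirectoryRights)" }) -join '; '
        }
    }
}

$findings | Sort-Object Computer | Format-Table -AutoSize
```

Every row in the output is a computer object whose owner is outside the trusted list, that was created via the machine-account quota, or whose DACL grants GenericAll, WriteDacl or WriteOwner to an untrusted principal; each is a candidate for re-owning or ACL cleanup before the hardening is enforced.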
- February 2024: NetJoin workaround (KB5020276) to be deactivated. This point is not mentioned in the Techcommunity post above, but Matthias Pierschel left this comment in my German blog (thanks for that) and wrote: "According to Microsoft, the workaround will be disabled in the coming year: We also plan to remove the original NetJoinLegacyAccountReuse registry setting in a future Windows update. This removal is tentatively planned for the February 13, 2024 update. Release dates are subject to change. [End – September 2023]". Details can be found in the linked KB article.
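Because the NetJoinLegacyAccountReuse setting is slated for removal, it is worth knowing which deployment or management hosts still rely on it before the February update lands. The script below is an added example, not code from the blog post or from KB5020276; it reads the value from the LSA key where KB5020276 documents it, assumes WinRM access to the target machines, and uses a constructed list of computer names in `$targets`.

```powershell
# Added example: inventory which machines still have the NetJoinLegacyAccountReuse
# workaround set before the February 13, 2024 update removes it.
# Not from the blog post or KB5020276. Assumes WinRM (Invoke-Command) access.
$targets = @('MGMT01', 'DEPLOY01', 'WDS01')   # constructed sample computer names

$report = Invoke-Command -ComputerName $targets -ErrorAction SilentlyContinue -ScriptBlock {
    # Registry location of the workaround value as documented in KB5020276.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
    $name = 'NetJoinLegacyAccountReuse'
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        WorkaroundSet = ($value -eq 1)   # 1 enables the legacy account-reuse behaviour
        RawValue      = $value           # $null when the value is absent
    }
}

# Hosts that did not answer are listed explicitly so the inventory shows its gaps.
$unreachable = $targets | Where-Object { $_ -notin $report.PSComputerName }

$report | Select-Object Computer, WorkaroundSet, RawValue | Format-Table -AutoSize
if ($unreachable) { Write-Warning ('Not reachable: ' + ($unreachable -join ', ')) }
```

Hosts reported with WorkaroundSet equal to True are the ones whose domain-join workflows need to be moved to the hardened behaviour (or to an account with the documented permissions) before the setting disappears.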
- First quarter of 2024: Secure Boot bypass protections KB5025885 | Phase 3; Full, final enforcement. Refers to Windows 10/11 clients and Windows Server 2012 R2. Details can be found in the linked KB article.
In the first quarter of 2025, the final phase 3 (full enforcement mode) will be introduced for certificate-based authentication. Perhaps this helps any administrators who did not have these topics on their radar.
- First quarter of 2025: Certificate-based authentication | Phase 3; Final, full enforcement.
Not "In the first quarter of 2024, final phase 3 (full enforcement mode) will be introduced for certificate-based authentication."
You are right – I've amended that date.