{"id":29511,"date":"2023-05-02T08:09:18","date_gmt":"2023-05-02T06:09:18","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=29511"},"modified":"2023-05-02T08:09:18","modified_gmt":"2023-05-02T06:09:18","slug":"windows-hardening-guidances-and-key-dates-2023","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2023\/05\/02\/windows-hardening-guidances-and-key-dates-2023\/","title":{"rendered":"Windows hardening: Guidances and key dates 2023"},"content":{"rendered":"

\"Windows\"[English<\/a>]Small reminder for administrators in the Windows environment. In 2023, Microsoft will continue to implement various hardening measures for Windows systems (DCOM authentication, Kerberos, Netjoin\/Domain Join, etc.). These hardening measures will be rolled out in stages through monthly updates. Even though there was another postponement of a hardening measure recently, there are a few dates coming up in the next few months for Windows administrators to keep in mind.<\/p>\n

<\/p>\n

\"\"The topic was laying around there in various places. For example, Microsoft had admittedly moved its phased adjustment schedules on the Netlogon protocol (due to CVE-2022-38023) and the Kerberos protocol from April 11, 2023, to June 13, 2023. But the Windows update of April 11, 2023 already removed the ability to disable RPC sealing in the registry.<\/p>\n

A German blog reader had furthermore already pointed out to me in March 2023, in the environment of the update March 14, 2023\u2014KB5023706 (OS Build 22621.1413)<\/a> changes in the NetJoin, which will become relevant in autumn. The reader wrote:<\/p>\n

However, the information in March 14, 2023\u2014KB5023706 (OS Build 22621.1413)<\/a> applies to all OS (W10, W11 21H2, W11 22H2)<\/p>\n

KB5020276\u2014Netjoin: Domain join hardening changes – Microsoft Support<\/a><\/p>\n

AEverything new is in [March 14] brackets. In 6 months MS will probably switch off the \"NetJoinLegacyAccountReuse\" key. So many (all?) companies have to do it again now.<\/strong><\/p>\n

I don't know yet whether MS will row back here or only make things worse. I'm waiting for the colleagues from AD myself.<\/p>\n

Maybe you can inform the \"world\" again like in October 2022. This time, however, it is in the actual article and you do not have to search (actually), but the importance and the test effort and conversion effort some might underestimate.<\/p><\/blockquote>\n

I had addressed the issue last year in the blog post Windows October 2022 Patchday: Fix for Domain Join Hardening (CVE-2022-38042) prevents domain join<\/a>. So in October 2023 there will be the next change – but the reader's reference to the testing effort prompted me to raise the issue again here.<\/p>\n

Microsoft's schedule as an overview<\/h2>\n

Colleagues here<\/a> noticed a few days ago the Microsoft post Latest Windows hardening guidance and key dates<\/a> from April 28, 2023, where Microsoft lists the various dates for various hardening measures. I've pulled out the relevant dates:<\/p>\n

\n

Hardening changes by month<\/h4>\n

Consult the details for all upcoming hardening changes by month to help you plan for each phase and final enforcement.<\/p>\n

April 2023<\/strong><\/p>\n