{"id":32768,"date":"2024-01-09T10:17:13","date_gmt":"2024-01-09T09:17:13","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=32768"},"modified":"2024-01-11T11:42:04","modified_gmt":"2024-01-11T10:42:04","slug":"important-dates-for-windows-hardening-in-2024","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2024\/01\/09\/important-dates-for-windows-hardening-in-2024\/","title":{"rendered":"Important dates for Windows hardening in 2024"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" alt=\"Windows\" width=\"200\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2024\/01\/09\/wichtige-daten-zur-windows-hrtung-in-2024\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]A brief note before the first patchday in 2024: Microsoft is carrying out hardening measures for Windows (clients and servers) over extended periods, securing functions via Windows Update on specific dates. Some of these hardening measures are also scheduled for 2024, with the final enforcement phase for the Active Directory (AD) permissions problem starting on December 15, 2023.<\/p>\n<p><!--more--><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/vg06.met.vgwort.de\/na\/ad56b01735c546eb95d4bb1ba9b6d57c\" alt=\"\" width=\"1\" height=\"1\" \/>Hardening Windows against security threats is a key element of Microsoft's ongoing security strategy to protect installations. This involves measures such as hardening <em>DCOM authentication<\/em> or hardening <em>Netjoin: Domain Join<\/em>. 
Microsoft has published a Techcommunity article <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/windows-it-pro-blog\/latest-windows-hardening-guidance-and-key-dates\/ba-p\/3807832\" target=\"_blank\" rel=\"noopener\">Latest Windows hardening guidance and key dates<\/a>, which was last updated on November 27, 2023.<\/p>\n<p><a href=\"https:\/\/twitter.com\/etguenni\/status\/1744504316931559683\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Windows Hardening Guidance\" src=\"https:\/\/i.postimg.cc\/1XY3wQxV\/image.png\" alt=\"Windows Hardening Guidance\" \/><\/a><\/p>\n<p>I became aware of the topic during the night via the above <a href=\"https:\/\/twitter.com\/etguenni\/status\/1744504316931559683\" target=\"_blank\" rel=\"noopener\">tweet<\/a> from Thorsten and thought I would share it briefly &#8211; especially as there is also a comment on the topic of domain join here on the blog.<\/p>\n<h2>Hardening from 2024<\/h2>\n<p>The following image shows the \"hardening changes\" for 2024 &#8211; with the following dates mentioned in the Techcommunity article by Microsoft:<\/p>\n<p><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/windows-it-pro-blog\/latest-windows-hardening-guidance-and-key-dates\/ba-p\/3807832\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Windows hardening changes in 2024\" src=\"https:\/\/i.postimg.cc\/Qt20YLkv\/image.png\" alt=\"Windows hardening changes in 2024\" \/><\/a><\/p>\n<ul>\n<li><strong>January 2024:<\/strong> <em>Active Directory (AD) permissions issue <\/em><a href=\"https:\/\/support.microsoft.com\/help\/5008383\" target=\"_blank\" rel=\"noopener\">KB5008383<\/a><em> | Phase 5, <\/em>Final enforcement. Update KB5008383 is about Active Directory authorization updates to harden systems against <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-42291\" target=\"_blank\" rel=\"noopener\">CVE-2021-42291<\/a>. 
The update for CVE-2021-42291 resolves a vulnerability that allows certain users to set arbitrary values for security-related attributes of certain objects stored in Active Directory (AD). To exploit this vulnerability, a user must have sufficient permissions to create a computer account, for example, a user who has been granted <em>CreateChild<\/em> permissions for computer objects. This user can create a computer account with a Lightweight Directory Access Protocol (LDAP) Add call that allows overly permissive access to the <em>securityDescriptor<\/em> attribute. In addition, creators and owners can change security-related attributes after an account has been created. Details can be found in the linked KB article.<\/li>\n<li><strong>February 2024:<\/strong> <em>Netjoin<\/em> <a href=\"https:\/\/support.microsoft.com\/help\/5020276\" target=\"_blank\" rel=\"noopener\">KB5020276<\/a> Workaround to be deactivated. This point is not mentioned in the Techcommunity post above, but Matthias Pierschel left <a href=\"https:\/\/www.borncity.com\/blog\/2022\/10\/12\/windows-oktober-2022-patchday-fix-fr-domain-join-hardening-cve-2022-38042-verhindert-ggf-domain-join\/#comment-167449\" target=\"_blank\" rel=\"noopener\">this comment<\/a> in my German blog (thanks for that) and wrote: \"According to Microsoft, the workaround will be disabled in the coming year: We also plan to remove the original <em>NetJoinLegacyAccountReuse<\/em> registry setting in a future Windows update. This removal is tentatively planned for the February 13, 2024 update. Release dates are subject to change. [End &#8211; September 2023]\". Details can be found in the linked KB article.<\/li>\n<li><strong>First quarter of 2024: <\/strong>Secure Boot bypass protections <a href=\"https:\/\/support.microsoft.com\/help\/5025885\" target=\"_blank\" rel=\"noopener\">KB5025885<\/a> | Phase 3; Full, final enforcement. This applies to Windows 10\/11 clients and Windows Server 2012 R2. 
Details can be found in the linked KB article.<\/li>\n<\/ul>\n<p>In the first quarter of 2025, the final phase 3 (full enforcement mode) will be introduced for certificate-based authentication. This overview may help administrators who did not have these topics on their radar.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]A brief note before the first patchday in 2024: Microsoft is carrying out hardening measures for Windows (clients and servers) over extended periods, securing functions via Windows Update on specific dates. Some of these hardening measures &hellip; <a href=\"https:\/\/borncity.com\/win\/2024\/01\/09\/important-dates-for-windows-hardening-in-2024\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[69,194],"class_list":["post-32768","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/32768","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=32768"}],"version-history":[{"count":2,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/32768\/revisions"}],"predecessor-version":[{"id":32804,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/32768\/revisions\/32804"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=32768"}],"wp:term":[{"taxonomy":"catego
ry","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=32768"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=32768"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}