• Kerberos and Netlogon updates part III

    #2565992

    https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#3113

    Reminder: Security hardening changes for Netlogon and Kerberos coming in June and July 2023
    The November 8, 2022 and later Windows releases include security updates that address security vulnerabilities affecting Windows Server domain controllers (DC). These protections follow a hardening change calendar and are released in phases. As previously announced, administrators should observe the following changes which are coming into effect following Windows updates released on and after June 13, 2023:…

    • #2587365

      Reminder: Security hardening changes for Netlogon and Kerberos effective October 10, 2023

      Windows updates released November 8, 2022 and later include changes that address security vulnerabilities affecting Windows Server domain controllers (DC). Among the addressed vulnerabilities is a Kerberos security bypass and elevation of privilege scenario involving alteration of Privilege Attribute Certificate (PAC) signatures. Changes to address this issue have been released following a series of phases throughout 2023, and are reaching the final stage of enforcement in October.

      Administrators should observe changes which affect Kerberos protocol requirements and are coming into effect with the Windows updates released on and after October 10, 2023.

      October 10, 2023 – Full Enforcement phase
      Windows updates released on and after this date will have the following effect:
      • Remove the ability to disable PAC signature addition (previously done via the registry subkey KrbtgtFullPacSignature).
      • Remove support for Audit mode (this enabled authentication whether PAC signatures were missing or invalid, and created audit logs for review).
      • Deny authentication to incoming service tickets without the new PAC signatures.
      The phase described above is the final phase of these security hardening measures.

      All domain-joined, machine accounts are affected by these vulnerabilities. To understand the options available for configuring these security requirements in your environment, see KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967
