Microsoft reminds of third-phase Windows DC hardening regarding Kerberos security flaw

Microsoft has today issued a reminder regarding domain controller (DC) hardening due to a Kerberos security flaw.

Back in November, on the second Tuesday of the month, Microsoft released its Patch Tuesday update. The one for servers (KB5019081) addressed a Windows Kerberos elevation of privilege vulnerability that allowed threat actors to alter Privilege Attribute Certificate (PAC) signatures (tracked under ID "CVE-2022-37967"). Microsoft recommended deploying the update to all Windows devices including domain controllers.

In order to help with the deployment, Microsoft published guidance. The firm summarized the meat of the matter as follows:

The November 8, 2022 Windows updates address security bypass and elevation of privilege vulnerabilities with Privilege Attribute Certificate (PAC) signatures. This security update addresses Kerberos vulnerabilities where an attacker could digitally alter PAC signatures, raising their privileges.

To help secure your environment, install this Windows update to all devices, including Windows domain controllers.

Microsoft released this update in a phased manner. The first deployment was in November, and the second one followed just over a month later. Fast forward to today: Microsoft has published this reminder because the third deployment phase is almost here, arriving with next month's Patch Tuesday updates on April 11, 2023.

It explains:

Security hardening changes needed on Domain Controllers in IT environments to address CVE-2022-37967 will enter the Third deployment phase with the release of updates on April 11, 2023, as outlined in KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967. Each phase raises the default minimum for the security hardening changes for CVE-2022-37967 and your environment must be compliant before installing updates for each phase onto your Domain Controller.

If you are using the workaround to disable PAC signature addition by setting the KrbtgtFullPacSignature subkey to a value of 0, you will no longer be able to use this workaround after installing updates released April 11, 2023. Your apps and environment will need to at least be compliant with the KrbtgtFullPacSignature subkey set to a value of 1 to install these updates on your Domain Controllers.

If you are not using any workaround for issues related to CVE-2022-37967 security hardening, you might still need to address issues in your environment for the coming phases: July 11, 2023 - Initial enforcement phase and October 10, 2023 - Full enforcement phase.

You can find additional details on the support article here (KB5020805).
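For administrators who want to confirm where their domain controllers stand before the April 11, 2023 updates, here is an added audit script (written for this article, not Microsoft's own tooling) that reads the KrbtgtFullPacSignature value on each DC and flags the value-0 workaround the quoted guidance says will no longer be accepted. It assumes the value lives under the Kdc service key (confirm the exact path against KB5020805), that WinRM is reachable, and that the caller has local administrator rights on the DCs.

```powershell
# Assumed registry location of the hardening value; verify against KB5020805.
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'KrbtgtFullPacSignature'

function Get-PacSignatureState {
    param([Parameter(Mandatory)][string[]]$DomainController)

    foreach ($dc in $DomainController) {
        # Read the DWORD remotely; $null means the value has not been set.
        $value = Invoke-Command -ComputerName $dc -ScriptBlock {
            param($Path, $Name)
            (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        } -ArgumentList $RegPath, $ValueName

        if ($null -eq $value) {
            $state = 'NotSet'                 # the update's own default applies
            $ready = 'Unknown (default applies)'
        } elseif ($value -eq 0) {
            $state = 'WorkaroundDisabled'     # PAC signature addition turned off
            $ready = $false                   # blocks the April 11, 2023 updates
        } elseif ($value -eq 1) {
            $state = 'SignaturesAdded'        # minimum the April phase requires
            $ready = $true
        } else {
            $state = "Other($value)"          # a later-phase value; see KB5020805
            $ready = $true
        }

        [pscustomobject]@{
            DomainController       = $dc
            KrbtgtFullPacSignature = $value
            State                  = $state
            ReadyForAprilPhase     = $ready
        }
    }
}

# Constructed example host names; replace with your own DCs
# (for example: (Get-ADDomainController -Filter *).HostName).
Get-PacSignatureState -DomainController 'dc01.example.test', 'dc02.example.test' |
    Format-Table -AutoSize
```

Any DC reported as WorkaroundDisabled needs its applications made compatible with signature addition (value 1 or higher) before the April updates are rolled out.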
