Yesterday was the second Tuesday of the month and as expected, Microsoft released Patch Tuesday updates on Windows 10 (KB5027215, among others), and Windows 11 (KB5027231). Servers also received Patch Tuesday updates and Microsoft rolled out the third phase of the ongoing domain controller (DC) hardening. Microsoft reminded users and admins of this upcoming change back in March.
The hardening addresses security bypass and elevation of privilege vulnerabilities involving Privilege Attribute Certificate (PAC) signatures in the Netlogon and Kerberos protocols. Microsoft announced the rollout on its Windows health dashboard site. It writes:
The November 8, 2022 and later Windows releases include security updates that address security vulnerabilities affecting Windows Server domain controllers (DC). These protections follow a hardening change calendar and are released in phases. As previously announced, administrators should observe the following changes which are coming into effect following Windows updates released on and after June 13, 2023:
Netlogon protocol changes:
- June 13, 2023: enforcement for Netlogon protocol using RPC sealing will be enabled on all domain controllers and vulnerable connections from non-compliant devices will be blocked. It is still possible to remove this enforcement, until July 2023.
- July 11, 2023: full enforcement of RPC sealing will begin and cannot be removed.
Kerberos protocol changes:
- June 13, 2023: the ability to disable PAC signature addition will no longer be available, and domain controllers with the November 2022 security update or later will have signatures added to the Kerberos PAC Buffer.
- July 11, 2023: verification of signature will begin and cannot be prevented. Connections for missing or invalid signatures will continue to be allowed ("Audit mode" setting), however, they will be denied authentication beginning October 2023.
Towards the end of April, Microsoft also published a complete timeline of the upcoming changes for Netlogon, Kerberos, and Azure Active Directory (Azure AD), running all the way into 2024.
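For admins who want to see where a given domain controller sits in the phases quoted above, the following PowerShell script is an added example (it is not from the article and not Microsoft's own tooling). It assumes the two registry values Microsoft's guidance for these changes documents, `RequireSeal` under the Netlogon parameters key and `KrbtgtFullPacSignature` under the Kdc key, and it assumes the System-log event IDs listed in the comments are the audit-mode events for signing-instead-of-sealing (Netlogon) and missing or invalid PAC signatures (KDC); verify both assumptions against Microsoft's current documentation before acting on the output. Run it elevated on a DC.

```powershell
# Added example, not from the article or from Microsoft.
# Summarise a domain controller's position in the Netlogon RPC-sealing and
# Kerberos PAC-signature hardening phases, then count recent audit-mode events.

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$KdcKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

function Get-RegValueOrDefault {
    # Read a DWORD value; return $Default when the value is absent (Microsoft's
    # default behaviour applies when an admin has not set the value explicitly).
    param([string]$Path, [string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

# Assumed value names (from Microsoft's guidance for these changes):
#   RequireSeal:            0 = off (no longer honoured after the June 2023 update),
#                           1 = compatibility/audit (default), 2 = enforcement.
#   KrbtgtFullPacSignature: 0 = no signatures (no longer honoured after June 2023),
#                           1 = add signatures, no verification (default),
#                           2 = audit mode, 3 = enforcement.
$requireSeal = Get-RegValueOrDefault -Path $NetlogonKey -Name 'RequireSeal' -Default 1
$pacSig      = Get-RegValueOrDefault -Path $KdcKey -Name 'KrbtgtFullPacSignature' -Default 1

$netlogonState = switch ($requireSeal) {
    0 { 'Enforcement disabled - ignored from June 2023; treat as compatibility mode' }
    1 { 'Compatibility mode - non-compliant clients logged, not yet blocked' }
    2 { 'Enforcement - RPC sealing required (the July 2023 end state)' }
    default { "Unexpected value $requireSeal" }
}
$kerberosState = switch ($pacSig) {
    0 { 'Signatures disabled - ignored from June 2023; signatures are added anyway' }
    1 { 'Signatures added, not verified' }
    2 { 'Audit mode - missing/invalid signatures logged, still allowed' }
    3 { 'Enforcement - missing/invalid signatures denied' }
    default { "Unexpected value $pacSig" }
}

Write-Host "Netlogon RequireSeal            = $requireSeal : $netlogonState"
Write-Host "Kerberos KrbtgtFullPacSignature = $pacSig : $kerberosState"

# Assumed audit-mode event IDs in the System log (verify against Microsoft's docs):
#   NETLOGON 5838/5839 - client or trust used RPC signing instead of sealing
#   KDC      43/44     - ticket with an invalid or missing full PAC signature
$since  = (Get-Date).AddDays(-7)
$filter = @{ LogName = 'System'; Id = 5838, 5839, 43, 44; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No matching audit events in the last 7 days."
} else {
    # One row per provider/event ID pair so Netlogon and KDC findings stay separate.
    $events |
        Group-Object -Property ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize
    # Non-compliant sources named in the events are what needs fixing before the
    # July 2023 (Netlogon) and October 2023 (Kerberos) enforcement dates.
    $events | Select-Object -First 5 -ExpandProperty Message
}
```

The registry read tells you which phase the DC will be in when the next enforcement step lands; the event counts tell you whether any clients or trusts would be affected, which is the information the audit windows in Microsoft's schedule exist to provide.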