Security hardening changes for Kerberos effective with the October 10, 2023 Windows Update
Windows updates released today, October 10, 2023, and later conclude the rollout of security enforcement that protects Windows Server domain controllers (DCs) against a Kerberos security bypass vulnerability. The vulnerability also involves an elevation of privilege scenario and the alteration of Privilege Attribute Certificate (PAC) signatures. All domain-joined machine accounts are affected by these vulnerabilities.
These changes have been enforced gradually through a series of phases, beginning with the Windows updates released November 8, 2022. For details on configuring these security requirements in your environment, see KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967.
When will this happen:
As previously announced, Windows updates released on and after October 10, 2023 will have the following effect:
- Remove the ability to disable PAC signature addition (previously done via the registry subkey KrbtgtFullPacSignature).
- Remove support for Audit mode (which allowed authentication whether PAC signatures were missing or invalid, and created audit logs for review).
- Deny authentication to incoming service tickets without the new PAC signatures.
How this will affect your organization:
Organizations that have not yet adopted the required hardening changes might be at risk of business disruption after installing a Windows update released October 10, 2023 or later. Administrators are encouraged to take action as soon as possible.
What you need to do to prepare:
Update your Windows domain controllers with a Windows update released on or after November 8, 2022. It’s critical to review the KB entries in the Additional information section, below, to understand the options available for configuring these security requirements in your environment.
Additional information:
The security features in Windows updates released November 8, 2022 and later provided the ability to manually enable and disable the security hardening requirements. This limited enforcement was intended to give administrators time to make any necessary changes in their environments before full enforcement is enabled once all requirements are met. In the months since that November 2022 release, the security requirements have gradually increased. Windows updates released October 10, 2023 or later contain the final phase of the rollout for these security hardening measures, which no longer provides options to disable the hardening.
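As an added check before the October 2023 update is installed (example code, not part of the Microsoft message), this PowerShell inventories the KrbtgtFullPacSignature override on every domain controller so you can see which DCs still rely on the Disabled or Audit behaviour the update removes. The registry path and the value meanings are taken from KB5020805 and are assumptions here; confirm them against the KB before acting on the output.

```powershell
# Added example, not part of the Microsoft message: inventory the
# KrbtgtFullPacSignature override on every domain controller before the
# October 10, 2023 update is installed. Any DC that still carries a value
# other than Enforcement (3) has been relying on behaviour the update removes.
#
# Assumptions (from KB5020805; confirm there before acting on the output):
#   key   HKLM\SYSTEM\CurrentControlSet\Services\Kdc
#   0 = Disabled, 1 = Add signatures only, 2 = Audit, 3 = Enforcement
# Requires the ActiveDirectory module and WinRM access to the DCs.

Import-Module ActiveDirectory

$KdcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$Name    = 'KrbtgtFullPacSignature'
$Meaning = @{ 0 = 'Disabled'; 1 = 'Add signatures only'; 2 = 'Audit'; 3 = 'Enforcement' }

$dcs = (Get-ADDomainController -Filter *).HostName

$raw = Invoke-Command -ComputerName $dcs -ErrorAction Continue -ArgumentList $KdcKey, $Name -ScriptBlock {
    param($Key, $ValueName)
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    # Most recently installed hotfix, to judge whether the October 2023
    # cumulative update is already present on this DC.
    $hf = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        DC          = $env:COMPUTERNAME
        Override    = $(if ($null -ne $item) { [int]$item.$ValueName } else { $null })
        LastHotfix  = $hf.HotFixID
        InstalledOn = $hf.InstalledOn
    }
}

$report = foreach ($r in $raw) {
    $mode = if ($null -eq $r.Override) { 'Not set (built-in default applies)' }
            elseif ($Meaning.ContainsKey($r.Override)) { $Meaning[$r.Override] }
            else { "Unknown value $($r.Override)" }
    [pscustomobject]@{
        DC                  = $r.DC
        Override            = $r.Override
        Mode                = $mode
        # True when the DC depends on a setting the October 2023 update ignores.
        BehaviourWillChange = ($null -ne $r.Override -and $r.Override -ne 3)
        LastHotfix          = $r.LastHotfix
        InstalledOn         = $r.InstalledOn
    }
}

$report | Sort-Object BehaviourWillChange -Descending | Format-Table -AutoSize
```

DCs listed with BehaviourWillChange set to True are the ones whose authentication behaviour changes at install time and should be reviewed against KB5020805 first.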
Message ID: MC680542