Windows: Gradual changes to the Netlogon and Kerberos protocols

[Update September 12, 2023]: Microsoft announced yesterday that the final enforcement phase for CVE-2022-38023 and CVE-2022-37967 begins with the updates of October 10, 2023. Administrators should be aware of the changes this brings to the Kerberos protocol requirements.

Windows updates released on or after that date have the following effects:

  • The ability to disable the addition of PAC signatures is removed (previously this was possible via the KrbtgtFullPacSignature registry subkey).
  • Support for audit mode is removed. Audit mode allowed authentication regardless of whether PAC signatures were missing or invalid and wrote audit events so the affected tickets could be identified.
  • Incoming service tickets without the new PAC signatures are denied authentication.

This is the final phase of these security hardening measures.
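Before the October deadline, an administrator wants to know two things on every domain controller: which phase the registry values currently put it in, and which clients the audit phase has already flagged. The following PowerShell is an added example for this post, not code from Microsoft or from the original article. The registry paths, the meaning of the values and the event IDs are taken from Microsoft's KB articles for these CVEs (KB5020805 for Kerberos, KB5021130 for Netlogon); the RequireSeal value for the Netlogon side and the event IDs are not mentioned on this page, and the seven-day look-back window is an arbitrary choice.

```powershell
# Added example (not from the original post). Run elevated on each domain controller.
# Registry paths, value meanings and event IDs per KB5020805 / KB5021130 (assumed here,
# not described on this page).

$checks = @(
    @{ Name    = 'KrbtgtFullPacSignature (Kerberos, CVE-2022-37967)'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
       Value   = 'KrbtgtFullPacSignature'
       Default = 3   # what the update applies when the value is absent
       Meaning = @{ 0 = 'disabled (no longer honoured by current updates)'
                    1 = 'add signatures only (removed July 2023)'
                    2 = 'audit mode (removed October 2023)'
                    3 = 'enforcement' } },
    @{ Name    = 'RequireSeal (Netlogon, CVE-2022-38023)'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Value   = 'RequireSeal'
       Default = 2
       Meaning = @{ 0 = 'disabled (no longer honoured by current updates)'
                    1 = 'compatibility mode (removed July 2023)'
                    2 = 'enforcement (RPC sealing required)' } }
)

# 1. Report the configured phase per key. An absent value means the update default applies.
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        '{0}: not set -> update default applies: {1}' -f $c.Name, $c.Meaning[$c.Default]
    } else {
        $v = [int]$item.($c.Value)
        $desc = if ($c.Meaning.ContainsKey($v)) { $c.Meaning[$v] } else { 'unknown value' }
        '{0}: {1} -> {2}' -f $c.Name, $v, $desc
    }
}

# 2. List what the audit phase has flagged so far. These are the events that stop being
#    warnings and become hard failures once enforcement is on:
#    KDC  42 = account lacks AES keys, 43 = ticket with unverifiable full PAC signature,
#         44 = ticket without full PAC signature
#    NETLOGON 5838/5839 = client or trust using RPC signing instead of sealing,
#         5840/5841 = secure channel with RC4 / client rejected for RC4
$since = (Get-Date).AddDays(-7)

$kdcEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id = 42, 43, 44
    StartTime = $since } -ErrorAction SilentlyContinue

$netlogonEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'System'
    ProviderName = 'NETLOGON'
    Id = 5838, 5839, 5840, 5841
    StartTime = $since } -ErrorAction SilentlyContinue

@($kdcEvents) + @($netlogonEvents) |
    Where-Object { $_ } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName,
        @{ Name = 'Detail'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Any machine, account or trust that shows up in the second list needs fixing (patching the client, resetting the account password so AES keys exist, or updating the device that still negotiates RC4 or unsealed RPC) before the October updates are installed; after that point there is no audit mode left to fall back to.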

[Update July 12, 2023]: The Netlogon protocol enforcement phase for CVE-2022-38023 took effect with yesterday's updates. In Microsoft's words: "Vulnerable connections from non-compliant devices will be blocked. RPC sealing cannot be unenforced."

The Kerberos protocol changes (CVE-2022-37967) also moved to their next phase with the same updates of July 11, 2023. Microsoft describes that phase as follows:

"For domain controllers, signatures are added to the Kerberos PAC buffer. The ability to disable the addition of PAC signatures will no longer be available and verification of signatures cannot be prevented. Connections with missing or invalid signatures will still be allowed with an 'Audit Mode' setting. However, from October 2023 they will be denied authentication."

[Update April 14, 2023]: Quick note: Microsoft has adjusted the schedule for the Windows Server versions. For both the Netlogon and the Kerberos protocol, the "Enforcement by Default" phase for the respective registry key has been postponed from April 11, 2023 to June 13, 2023.

Only from that date on will the updates for CVE-2022-37967 and CVE-2022-38023 remove the ability to set the registry keys back to the compatibility values.

[Original November 9, 2022]: With the November patch day, Microsoft started a staged change to the Netlogon and Kerberos protocols. The changes relate to CVE-2022-38023 (Netlogon RPC sealing) and CVE-2022-37967 (Kerberos PAC signatures) and affect Windows 8.1 through Windows 11 as well as the Windows Server versions.

These instructions are aimed primarily at administrators. The changes begin with the update of November 8, 2022 and are rolled out and tightened in stages until July 2023 (Netlogon) and October 2023 (Kerberos). By then the hardening will be fully enforced and can no longer be relaxed by hand. You should therefore take a close look at the published timetable and plan accordingly.
