{"id":10920,"date":"2025-04-09T03:01:08","date_gmt":"2025-04-08T18:01:08","guid":{"rendered":"https:\/\/m365jp.net\/?p=10920"},"modified":"2025-04-09T03:03:37","modified_gmt":"2025-04-08T18:03:37","slug":"mc1050816-kb5057784-protections-for-cve-2025-26647-kerberos-authentication","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2025-04-09-mc1050816-kb5057784-protections-for-cve-2025-26647-kerberos-authentication","title":{"rendered":"MC1050816 | KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication)"},"content":{"rendered":"<div class=\"postie-post\">\n<div>\n<hr>\n<table id=\"section\">\n<tbody>\n<tr>\n<th width=\"95%\">MC1050816 | KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication)<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr>\n<table id=\"data\">\n<tbody>\n<tr>\n<th>Classification<\/th>\n<td>stayInformed<\/td>\n<\/tr>\n<tr>\n<th>Last Updated<\/th>\n<td>04\/08\/2025 17:54:39<\/td>\n<\/tr>\n<tr>\n<th>Start Time<\/th>\n<td>04\/08\/2025 17:54:37<\/td>\n<\/tr>\n<tr>\n<th>End Time<\/th>\n<td>04\/08\/2026 17:54:37<\/td>\n<\/tr>\n<tr>\n<th>Message Content<\/th>\n<td>\n<div>The Windows security updates released on or after April 8, 2025, contain protections for a vulnerability with Kerberos authentication. To learn more about this vulnerability, please see  <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-26647\" rel=\"noopener noreferrer\" target=\"_blank\">  CVE-2025-26647<\/a>.<\/div>\n<div>&nbsp;<\/div>\n<div><b>When will this happen:<\/b><\/div>\n<div><b>April 8, 2025: Initial Deployment phase C Audit mode<\/b><\/div>\n<ul>\n<li>The initial deployment phase starts with the updates released on April 8, 2025. These updates add new behavior that detects the elevation of privilege vulnerability described in  <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-26647\" rel=\"noopener noreferrer\" target=\"_blank\">  CVE-2025-26647<\/a> but does not enforce it.<\/li>\n<li>To enable the new behavior and be secure from the vulnerability, you must ensure all Windows domain controllers are updated and the  <b>AllowNtAuthPolicyBypass<\/b> registry key setting is set to <b>2<\/b>.<\/li>\n<\/ul>\n<div class=\"ql-indent-1\">  <\/div>\n<div><b>July 8 2025: Enforced by Default phase<\/b><\/div>\n<ul>\n<li>Updates released on or after July 8, 2025, will enforce the NTAuth Store check by default. The AllowNtAuthPolicyBypass registry key setting will still allow customers to move back to Audit mode if needed. However, the ability to completely disable this   security update will be removed.<\/li>\n<\/ul>\n<div class=\"ql-indent-1\">  <\/div>\n<div><b>October 14, 2025: Enforcement mode<\/b><\/div>\n<ul>\n<li>Updates released on or after October 14, 2025, will discontinue Microsoft support for the  <b>AllowNtAuthPolicyBypass<\/b> registry key. At this stage, all certificates must be issued by authorities that are a part of NTAuth store.<\/li>\n<\/ul>\n<div><b>&nbsp;<\/b><\/div>\n<div><b>How this will affect your organization:<\/b><\/div>\n<div>You are at risk when a certificate authority (CA) is part of the Windows root store but not the NTAuth store and a Subject Key Identifier (SKI) is present in a privileged account. To mitigate the risks, you must apply the protections described in  <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-26647\" rel=\"noopener noreferrer\" target=\"_blank\">  CVE-2025-26647<\/a>.<\/div>\n<div>&nbsp;<\/div>\n<div><b>What you need to do to prepare:<\/b><\/div>\n<ol>\n<li><b>UPDATE<\/b> all domain controllers with a Windows update released on or after April 8, 2025.<\/li>\n<li><b>MONITOR<\/b> new events that will be visible on domain controllers to identify affected certificate authorities.<\/li>\n<li><b>ENABLE<\/b> Enforcement mode once your environment is no longer using certificates issued by authorities that are not in the NTAuth store.<\/li>\n<\/ol>\n<div>&nbsp;<\/div>\n<div><b>Additional information:<\/b><\/div>\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/topic\/5f5d753b-4023-4dd3-b7b7-c8b104933d53\" rel=\"noopener noreferrer\" target=\"_blank\">KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication)<\/a><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<th>Machine Translation<\/th>\n<td>\n<div>2025 \u5e74 4 \u6708 8 \u65e5\u4ee5\u964d\u306b\u30ea\u30ea`\u30b9\u3055\u308c\u305f Windows \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u306b\u306f\u3001Kerberos J^\u306e\u8106\u5f31\u6027\u306b\u3059\u308b\u4fddo\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u8106\u5f31\u6027\u306e\u306b\u3064\u3044\u3066\u306f\u3001  <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-26647\" rel=\"noopener noreferrer\" target=\"_blank\">  CVE-2025-26647<\/a> \u3092\u53c2\u7167\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/div>\n<div>&nbsp;<\/div>\n<div><b>\u3053\u308c\u306f\u3044\u3064\u884c\u308f\u308c\u307e\u3059\u304b:<\/b><\/div>\n<div><b>2025 \u5e74 4 \u6708 8 \u65e5: \u521d\u671f\u30c7\u30d7\u30ed\u30a4 \u30d5\u30a7`\u30ba &#8211; O\u8870\u7322`\u30c9<\/b><\/div>\n<ul>\n<li>\u521d\u671f\u30c7\u30d7\u30ed\u30a4 \u30d5\u30a7`\u30ba\u306f\u30012025 \u5e74 4 \u6708 8 \u65e5\u306b\u30ea\u30ea`\u30b9\u3055\u308c\u305f\u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u304b\u3089\u59cb\u307e\u308a\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u3067\u306f\u3001 <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-26647\" rel=\"noopener noreferrer\" target=\"_blank\">  CVE-2025-26647<\/a> \u3067h\u660e\u3055\u308c\u3066\u3044\u308b\u7279\u4e10N\u683c\u306e\u8106\u5f31\u6027\u3092\u98df\u8a3e\u5de5\u80c4\u9647\u7b4f\u5e7c\u9ccf\u82b3\u5a74\u4e39\u6b37\u84fc\u5de5\u996f\u6b37\u5236\u3059\u308b\u3082\u306e\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002<\/li>\n<li>\u65b0\u3057\u3044\u5e7c\u9ccf\u86f4\u90e1\u6454\u8d30\u957f\u672a\u55f3\u8de3\u9884\u6978\uff37o\u3059\u308b\u305f\u3081\u306b\u306f\u3001\u3059\u3079\u3066\u306e Windows \u30c9\u30e1\u30a4\u30f3 \u30b3\u30f3\u30c8\u30ed`\u30e9`\u304c\u66f4\u65b0\u3055\u308c\u3001 <b>AllowNtAuthPolicyBypass<\/b> \u30ec\u30b8\u30b9\u30c8\u30ea \u30ad`\u306eO\u5b9a\u304c  <b>2<\/b> \u306bO\u5b9a\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u3092_J\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<\/li>\n<\/ul>\n<div class=\"ql-indent-1\">  <\/div>\n<div><b>2025 \u5e74 7 \u6708 8 \u65e5: \u30c7\u30d5\u30a9\u30eb\u30c8\u306b\u3088\u308b\u5236\u30d5\u30a7`\u30ba<\/b><\/div>\n<ul>\n<li>2025 \u5e74 7 \u6708 8 \u65e5\u4ee5\u964d\u306b\u30ea\u30ea`\u30b9\u3055\u308c\u305f\u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u3067\u306f\u3001\u65e2\u5b9a\u3067 NTAuth \u30b9\u30c8\u30a2 \u30c1\u30a7\u30c3\u30af\u304cm\u7528\u3055\u308c\u307e\u3059\u3002AllowNtAuthPolicyBypass \u30ec\u30b8\u30b9\u30c8\u30ea \u30ad`O\u5b9a\u3092\u4f7f\u7528\u3059\u308b\u3068\u3001\u5fc5\u8981\u306b\u3058\u3066O\u8870\u7322`\u30c9\u306b\u5de5\u957f\u8da3\u6266\u84fc\u57c2\uffe5\u90e1\u5764\u8d30\u957f\u8fdd\u4e92\u6fc2\u8f9a\u5339\uff18\u697c\u6293\u6041\u54ce\u6957\u5576\u86f2\u8006o\u90e1\u6454\u5de5C\u80fd\u306f\u524a\u9664\u3055\u308c\u307e\u3059\u3002<\/li>\n<\/ul>\n<div class=\"ql-indent-1\">  <\/div>\n<div><b>2025 \u5e74 10 \u6708 14 \u65e5: \u5236\u30e2`\u30c9<\/b><\/div>\n<ul>\n<li>2025 \u5e74 10 \u6708 14 \u65e5\u4ee5\u964d\u306b\u30ea\u30ea`\u30b9\u3055\u308c\u305f\u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u3067\u306f\u3001 <b>Microsoft \u306b\u3088\u308b AllowNtAuthPolicyBypass<\/b> \u30ec\u30b8\u30b9\u30c8\u30ea \u30ad`\u306e\u30b5\u30dd`\u30c8\u304cK\u4e86\u3057\u307e\u3059\u3002\u3053\u306e\u6bb5A\u3067\u306f\u3001\u3059\u3079\u3066\u306e^\u660e\u7a00NTAuth \u30b9\u30c8\u30a2\u306e\u4e00\u90e8\u3067\u3042\u308bCv\u306b\u3088\u3063\u3066k\u884c\u3055\u308c\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<\/li>\n<\/ul>\n<div><b>&nbsp;<\/b><\/div>\n<div><b>\u3053\u308c\u304cM\u306b\u4e0e\u3048\u308b\u5f71:<\/b><\/div>\n<div>^\u660eCv (CA) \u304c Windows \u30eb`\u30c8 \u30b9\u30c8\u30a2\u306e\u4e00\u90e8\u3067\u3042\u308b\u304c NTAuth \u30b9\u30c8\u30a2\u306b\u306f\u542b\u307e\u308c\u3066\u304a\u3089\u305a\u3001\u30b5\u30d6\u30b8\u30a7\u30af\u30c8 \u30ad`Re\u5b50 (SKI) \u304c\u7279\u5eff\u0395\u8797\u8da3\u821c\u5b16\u51a5\u5de5\u9f8a\u7a00\u8f9a\u653b\u8f98\u84fc\u57c2\uff05\u8f9a\u653b\u8709Xp\u3059\u308b\u306b\u306f\u3001  <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-26647\" rel=\"noopener noreferrer\" target=\"_blank\">  CVE-2025-26647<\/a> \u3067h\u660e\u3055\u308c\u3066\u3044\u308b\u4fddo\u3092m\u7528\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<\/div>\n<div>&nbsp;<\/div>\n<div><b>\u6d43\u5de5\u6bea\u90e1\u5e5b\u542e\u533e\u80dc\u957f:<\/b><\/div>\n<ol>\n<li>2025 \u5e74 4 \u6708 8 \u65e5\u4ee5\u964d\u306b\u30ea\u30ea`\u30b9\u3055\u308c\u305f Windows \u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u3067\u3001\u3059\u3079\u3066\u306e\u30c9\u30e1\u30a4\u30f3 \u30b3\u30f3\u30c8\u30ed`\u30e9`<b>\u3092\u66f4\u65b0\u3057\u307e\u3059<\/b>\u3002<\/li>\n<li>\u30c9\u30e1\u30a4\u30f3 \u30b3\u30f3\u30c8\u30ed`\u30e9`\u306b\u8868\u793a\u3055\u308c\u308b\u65b0\u3057\u3044\u30a4\u30d9\u30f3\u30c8<b>\u3092O\u3057<\/b>\u3066\u3001\u5f71\u3092\u53d7\u3051\u308b^\u660eCv\u3092\u7279\u5b9a\u3057\u307e\u3059\u3002<\/li>\n<li><b>\u30a8\u30cd`\u30d6\u30eb<\/b> NTAuth \u30b9\u30c8\u30a2\u306b\u306a\u3044Cv\u306b\u3088\u3063\u3066k\u884c\u3055\u308c\u305f^\u660e\u98a6h\u5883\u3067\u4f7f\u7528\u3057\u306a\u304f\u306a\u3063\u305f\u9f8a\u6089\u5236\u30e2`\u30c9\u3002<\/li>\n<\/ol>\n<div>&nbsp;<\/div>\n<div><b>\u8ffd\u52a0\u60c5:<\/b><\/div>\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/topic\/5f5d753b-4023-4dd3-b7b7-c8b104933d53\" rel=\"noopener noreferrer\" target=\"_blank\">KB5057784: CVE-2025-26647 (Kerberos J^) \u306b\u3059\u308b\u4fddo<\/a><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>MC1050816 | KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication) Classification stayInformed La [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-10920","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/10920","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=10920"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/10920\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=10920"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=10920"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=10920"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}