{"id":1096,"date":"2023-04-14T03:00:54","date_gmt":"2023-04-13T18:00:54","guid":{"rendered":"https:\/\/m365jp.xyz\/?p=1096"},"modified":"2023-04-14T03:01:33","modified_gmt":"2023-04-13T18:01:33","slug":"mc541054-changes-to-the-deployment-phase-for-cve-2022-37967-now-beginning-june-13-2023","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2023-04-14-mc541054-changes-to-the-deployment-phase-for-cve-2022-37967-now-beginning-june-13-2023","title":{"rendered":"MC541054 | Changes to the deployment phase for CVE-2022-37967 – now beginning June 13, 2023"},"content":{"rendered":"
\n
\n
\n\n\n\n
MC541054 | Changes to the deployment phase for CVE-2022-37967 – now beginning June 13, 2023<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n
\n\n\n\n\n\n\n\n\n
Classification<\/th>\npreventOrFixIssue<\/td>\n<\/tr>\n
Last Updated<\/th>\n04\/13\/2023 17:28:05<\/td>\n<\/tr>\n
Start Time<\/th>\n04\/13\/2023 17:28:03<\/td>\n<\/tr>\n
End Time<\/th>\n04\/13\/2024 17:28:03<\/td>\n<\/tr>\n
Message Content<\/th>\n\n
Security hardening changes needed on domain controllers in IT environments to address CVE-2022-37967<\/a> will enter a new phase of security requirement, as outlined in KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967<\/a> on June 13, 2023. Previous announcements had listed this change as taking place in April, however, that date has changed.<\/div>\n
<\/div>\n
Each phase raises the default minimum for the security hardening changes for CVE-2022-37967<\/a>, and environments must be compliant before installing updates for each phase onto your domain controller.<\/div>\n
<\/div>\n
When this will happen:<\/b><\/div>\n
Starting June 13, 2023, updates addressing CVE-2022-37967<\/a> will enter a new phase of security requirements. There will also be two more phases later in the year: July 11, 2023 begins initial enforcement phase, and October 10, 2023 begins full enforcement phase.<\/div>\n
<\/div>\n
How this will affect your organization:<\/b><\/div>\n
At this time, it’s still possible to bypass security hardening requirements using the guidance provided in KB5020805<\/a>. However, beginning with the June 13, 2023 updates, the ability to bypass hardening measures will be reduced. To help protect your environment and prevent outages, we recommend that you carry out the following steps:<\/div>\n
<\/div>\n
    \n
  1. UPDATE <\/b>your Windows domain controllers with a Windows update released on or after November 8, 2022<\/li>\n
  2. MOVE <\/b>your Windows domain controllers to Audit mode by using the Registry Key setting<\/a><\/li>\n
  3. MONITOR<\/b> events filed during Audit mode to secure your environment<\/li>\n
  4. ENABLE e<\/b>nforcement mode to address CVE-2022-37967<\/a> in your environment<\/li>\n<\/ol>\n
    <\/div>\n
    To enable all parts of the security hardening in your environment, it is recommended to move to enforcement mode as soon as possible. Your environment must be compliant with the hardening changes before installing updates for each phase onto your domain controller.<\/div>\n
    <\/div>\n
    What you need to do to prepare:<\/b><\/div>\n
    Starting July 2023, e nforcement mode will be enabled on all Windows domain controllers and will block vulnerable connections from non-compliant devices. At that time, you will not be able to disable the update, but may move back to the Audit mode setting. Audit mode will be removed in October 2023, as outlined in the Timing of updates to address Kerberos vulnerability CVE-2022-37967<\/a> section.<\/div>\n
    <\/div>\n
    With each additional deployment phase, environments will be required to accept new security measures. Take note of the changes taking place in each phase and prepare for changes:<\/div>\n
Machine Translation<\/th>\n\n
CVE-2022-37967\u306b\u5bfe\u51e6\u3059\u308b\u305f\u3081\u306bIT\u74b0\u5883\u306e\u30c9\u30e1\u30a4\u30f3\u30b3\u30f3\u30c8\u30ed\u30fc\u30e9\u30fc\u306b\u5fc5\u8981\u306a\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5f37\u5316\u306e\u5909\u66f4\u306f\u3001KB5020805:2023\u5e746\u670813\u65e5\u306eCVE-2022-37967\u306b\u95a2\u9023\u3059\u308bKerberos\u30d7\u30ed\u30c8\u30b3\u30eb\u306e\u5909\u66f4\u3092\u7ba1\u7406\u3059\u308b\u65b9\u6cd5<\/a>\u3067\u8aac\u660e\u3055\u308c\u3066\u3044\u308b\u3088\u3046\u306b\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u8981\u4ef6\u306e\u65b0\u3057\u3044\u30d5\u30a7\u30fc\u30ba\u306b\u5165\u308a\u307e\u3059\u3002<\/a>\u4ee5\u524d\u306e\u767a\u8868\u3067\u306f\u3001\u3053\u306e\u5909\u66f4\u306f4\u6708\u306b\u884c\u308f\u308c\u308b\u3068\u8a18\u8f09\u3055\u308c\u3066\u3044\u307e\u3057\u305f\u304c\u3001\u305d\u306e\u65e5\u4ed8\u306f\u5909\u66f4\u3055\u308c\u307e\u3057\u305f\u3002<\/div>\n
<\/div>\n
\u5404\u30d5\u30a7\u30fc\u30ba\u3067\u306f\u3001 CVE-2022-37967<\/a> \u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5f37\u5316\u306e\u5909\u66f4\u306e\u65e2\u5b9a\u306e\u6700\u5c0f\u5024\u304c\u5f15\u304d\u4e0a\u3052\u3089\u308c\u3001\u5404\u30d5\u30a7\u30fc\u30ba\u306e\u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u3092\u30c9\u30e1\u30a4\u30f3 \u30b3\u30f3\u30c8\u30ed\u30fc\u30e9\u30fc\u306b\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u524d\u306b\u3001\u74b0\u5883\u304c\u6e96\u62e0\u3057\u3066\u3044\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<\/div>\n
<\/div>\n
\u3053\u308c\u304c\u767a\u751f\u3059\u308b\u5834\u5408:<\/b><\/div>\n
2023 \u5e74 6 \u6708 13 \u65e5\u4ee5\u964d\u3001 CVE-2022-37967<\/a> \u306b\u5bfe\u51e6\u3059\u308b\u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u306f\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u8981\u4ef6\u306e\u65b0\u3057\u3044\u30d5\u30a7\u30fc\u30ba\u306b\u5165\u308a\u307e\u3059\u3002\u307e\u305f\u30012023\u5e747\u670811\u65e5\u304c\u6700\u521d\u306e\u65bd\u884c\u30d5\u30a7\u30fc\u30ba\u3092\u958b\u59cb\u3057\u30012023\u5e7410\u670810\u65e5\u306b\u5b8c\u5168\u306a\u65bd\u884c\u30d5\u30a7\u30fc\u30ba\u3092\u958b\u59cb\u3059\u308b\u3068\u3044\u3046\u3001\u4eca\u5e74\u306e\u5f8c\u534a\u306b\u3055\u3089\u306b2\u3064\u306e\u30d5\u30a7\u30fc\u30ba\u304c\u3042\u308a\u307e\u3059\u3002<\/div>\n
<\/div>\n
\u3053\u308c\u304c\u7d44\u7e54\u306b\u4e0e\u3048\u308b\u5f71\u97ff:<\/b><\/div>\n
\u73fe\u6642\u70b9\u3067\u306f\u3001 KB5020805<\/a> \u3067\u63d0\u4f9b\u3055\u308c\u3066\u3044\u308b\u30ac\u30a4\u30c0\u30f3\u30b9\u3092\u4f7f\u7528\u3057\u3066\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5f37\u5316\u8981\u4ef6\u3092\u56de\u907f\u3067\u304d\u307e\u3059\u3002\u305f\u3060\u3057\u30012023 \u5e74 6 \u6708 13 \u65e5\u306e\u66f4\u65b0\u4ee5\u964d\u3001\u5f37\u5316\u5bfe\u7b56\u3092\u56de\u907f\u3059\u308b\u6a5f\u80fd\u306f\u4f4e\u4e0b\u3057\u307e\u3059\u3002\u74b0\u5883\u3092\u4fdd\u8b77\u3057\u3001\u505c\u6b62\u3092\u9632\u3050\u305f\u3081\u306b\u3001\u6b21\u306e\u624b\u9806\u3092\u5b9f\u884c\u3059\u308b\u3053\u3068\u3092\u304a\u52e7\u3081\u3057\u307e\u3059\u3002<\/div>\n
<\/div>\n
    \n
  1. 2022 \u5e74 11 \u6708 8 \u65e5\u4ee5\u964d\u306b\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u305f Windows \u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u3067 Windows \u30c9\u30e1\u30a4\u30f3 \u30b3\u30f3\u30c8\u30ed\u30fc\u30e9\u30fc\u3092\u66f4\u65b0\u3057\u307e\u3059 <\/b>\u3002<\/li>\n
  2. \u30ec\u30b8\u30b9\u30c8\u30ea \u30ad\u30fc\u8a2d\u5b9a<\/a>\u3092\u4f7f\u7528\u3057\u3066 Windows \u30c9\u30e1\u30a4\u30f3 \u30b3\u30f3\u30c8\u30ed\u30fc\u30e9\u30fc\u3092\u76e3\u67fb\u30e2\u30fc\u30c9\u306b\u79fb\u884c\u3059\u308b <\/b><\/li>\n
  3. \u74b0\u5883\u3092\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u3067\u4fdd\u8b77\u3059\u308b\u305f\u3081\u306b\u76e3\u67fb\u30e2\u30fc\u30c9\u4e2d\u306b \u63d0\u51fa\u3055\u308c\u305f MONITOR<\/b> \u30a4\u30d9\u30f3\u30c8<\/li>\n
  4. \u5f37\u5316\u30e2\u30fc\u30c9\u3092\u6709\u52b9\u306b <\/b>\u3057\u3066\u3001\u74b0\u5883\u3067CVE-2022-37967<\/a> \u306b\u5bfe\u51e6 \u3057\u307e\u3059<\/li>\n<\/ol>\n
    <\/div>\n
    \u74b0\u5883\u5185\u306e\u3059\u3079\u3066\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5f37\u5316\u3092\u6709\u52b9\u306b\u3059\u308b\u306b\u306f\u3001\u3067\u304d\u308b\u3060\u3051\u65e9\u304f\u5f37\u5236\u30e2\u30fc\u30c9\u306b\u79fb\u884c\u3059\u308b\u3053\u3068\u3092\u304a\u52e7\u3081\u3057\u307e\u3059\u3002\u74b0\u5883\u306f\u3001\u5404\u30d5\u30a7\u30fc\u30ba\u306e\u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u3092\u30c9\u30e1\u30a4\u30f3 \u30b3\u30f3\u30c8\u30ed\u30fc\u30e9\u30fc\u306b\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u524d\u306b\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5f37\u5316\u306e\u5909\u66f4\u306b\u6e96\u62e0\u3057\u3066\u3044\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<\/div>\n
    <\/div>\n
    \u6e96\u5099\u3059\u308b\u305f\u3081\u306b\u5fc5\u8981\u306a\u3053\u3068:<\/b><\/div>\n
    2023 \u5e74 7 \u6708\u4ee5\u964d\u3001\u5f37\u5316\u30e2\u30fc\u30c9\u306f\u3059\u3079\u3066\u306e Windows \u30c9\u30e1\u30a4\u30f3 \u30b3\u30f3\u30c8\u30ed\u30fc\u30e9\u30fc\u3067\u6709\u52b9\u306b\u306a\u308a\u3001\u975e\u6e96\u62e0\u30c7\u30d0\u30a4\u30b9\u304b\u3089\u306e\u8106\u5f31\u306a \u63a5\u7d9a\u3092\u30d6\u30ed\u30c3\u30af\u3057\u307e\u3059\u3002 \u305d\u306e\u6642\u70b9\u3067\u306f\u3001\u66f4\u65b0\u3092\u7121\u52b9\u306b\u3059\u308b\u3053\u3068\u306f\u3067\u304d\u307e\u305b\u3093\u304c\u3001[\u76e3\u67fb\u30e2\u30fc\u30c9] \u8a2d\u5b9a\u306b\u623b\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002 \u76e3\u67fb\u30e2\u30fc\u30c9\u306f\u3001\u300cKerberos \u306e\u8106\u5f31\u6027 CVE-2022-37967 \u306b\u5bfe\u51e6\u3059\u308b\u305f\u3081\u306e\u66f4\u65b0\u306e\u30bf\u30a4\u30df\u30f3\u30b0<\/a>\u300d\u30bb\u30af\u30b7\u30e7\u30f3\u3067\u8aac\u660e\u3055\u308c\u3066\u3044\u308b \u3088\u3046\u306b\u30012023 \u5e74 10 \u6708\u306b\u524a\u9664\u3055\u308c\u307e\u3059\u3002 <\/div>\n
    <\/div>\n
    \u8ffd\u52a0\u306e\u5c55\u958b\u30d5\u30a7\u30fc\u30ba\u3054\u3068\u306b\u3001\u74b0\u5883\u306f\u65b0\u3057\u3044\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5bfe\u7b56\u3092\u53d7\u3051\u5165\u308c\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002\u5404\u30d5\u30a7\u30fc\u30ba\u3067\u767a\u751f\u3059\u308b\u5909\u66f4\u306b\u6ce8\u610f\u3057\u3001\u5909\u66f4\u306e\u6e96\u5099\u3092\u3057\u307e\u3059\u3002<\/div>\n