{"id":1932,"date":"2023-06-14T02:01:28","date_gmt":"2023-06-13T17:01:28","guid":{"rendered":"https:\/\/m365jp.xyz\/?p=1932"},"modified":"2023-06-14T02:03:38","modified_gmt":"2023-06-13T17:03:38","slug":"mc586070-reminder-security-hardening-changes-for-netlogon-and-kerberos-coming-in-june-and-july-2023","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2023-06-14-mc586070-reminder-security-hardening-changes-for-netlogon-and-kerberos-coming-in-june-and-july-2023","title":{"rendered":"MC586070 | Reminder: Security hardening changes for Netlogon and Kerberos coming in June and July 2023"},"content":{"rendered":"<div class=\"postie-post\">\n<div>\n<hr>\n<table id=\"section\">\n<tbody>\n<tr>\n<th width=\"95%\">MC586070 | Reminder: Security hardening changes for Netlogon and Kerberos coming in June and July 2023<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr>\n<table id=\"data\">\n<tbody>\n<tr>\n<th>Classification<\/th>\n<td>planForChange<\/td>\n<\/tr>\n<tr>\n<th>Last Updated<\/th>\n<td>06\/13\/2023 16:56:40<\/td>\n<\/tr>\n<tr>\n<th>Start Time<\/th>\n<td>06\/13\/2023 16:56:31<\/td>\n<\/tr>\n<tr>\n<th>End Time<\/th>\n<td>06\/13\/2024 16:56:31<\/td>\n<\/tr>\n<tr>\n<th>Message Content<\/th>\n<td>\n<div>The November 8, 2022 and later Windows updates are crucial in addressing two important security vulnerabilities, both impacting Windows Server domain controllers (DC):<\/div>\n<ul>\n<li>Weaknesses in the Netlogon protocol when RPC signing is used instead of RPC sealing. Find more information in CVE-2022-38023.<\/li>\n<li>Kerberos security bypass and elevation of privilege vulnerabilities involving alteration of Privilege Attribute Certificate (PAC) signatures. Find more information in CVE-2022-37967.<\/li>\n<\/ul>\n<div>  <\/div>\n<div>All domain-joined, machine accounts are affected by these vulnerabilities. Review the below KB entries to understand the options available for configuring these changing security requirements in your environment, as well as monitor for warnings and issues.<\/div>\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/topic\/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25\" rel=\"noopener noreferrer\" target=\"_blank\">KB5021130: How to manage the Netlogon protocol changes   related to CVE-2022-38023<\/a><\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/topic\/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb\" rel=\"noopener noreferrer\" target=\"_blank\">KB5020805: How to manage Kerberos protocol changes related   to CVE-2022-37967<\/a><\/li>\n<\/ul>\n<div>  <\/div>\n<div><b>When will this happen<\/b>:<\/div>\n<div>As previously announced, the following changes are coming into effect with Windows updates released on and after June 13, 2023:<\/div>\n<div>  <\/div>\n<div>Netlogon protocol changes:<\/div>\n<ul>\n<li>June 13, 2023:&nbsp;enforcement for Netlogon protocol using RPC sealing will be enabled on all domain controllers. Vulnerable connections from non-compliant devices will be blocked. It is still possible to remove this enforcement until July 2023.<\/li>\n<li>July 11, 2023: full enforcement of RPC sealing will begin and cannot be removed.<\/li>\n<\/ul>\n<div>&nbsp;<\/div>\n<div>Kerberos protocol changes:<\/div>\n<ul>\n<li>June 13: 2023: the ability to disable PAC signature addition will no longer be available. Domain controllers with the November 2022 security update or later will have signatures added to the Kerberos PAC Buffer.<\/li>\n<li>July 11, 2023: verification of signature will begin and cannot be prevented. Connections for missing or invalid signatures will continue to be allowed with an &#8220;Audit mode&#8221; setting. However, they will be denied authentication beginning October 2023.<\/li>\n<\/ul>\n<div>  <\/div>\n<div><b>How this will affect your organization:<\/b><\/div>\n<div>The security features in the November 8, 2022 update have originally been released with limited enforcement, providing the ability to manually enable and disable security hardening requirements. This allows administrators time to make any necessary changes   in their environments, until eventually all requirements can be met and full enforcement can be enabled. In the months since the November release, requirements have gradually increased. In some cases, they removed the ability to manually disable security hardening.   Administrators are encouraged to take action and adopt the hardening changes as necessary.<\/div>\n<div>  <\/div>\n<div><b>What you need to do to prepare:<\/b><\/div>\n<div>Update your Windows domain controllers with a Windows update released on or after November 8, 2022. It&#8217;s critical to review the KB entries in the Additional information section, below, to understand the options available for configuring these changing   security requirements in your environment, as well as monitor for warnings and issues.<\/div>\n<div>  <\/div>\n<div><b>Additional information:<\/b><\/div>\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/topic\/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25\" rel=\"noopener noreferrer\" target=\"_blank\">KB5021130: How to manage the Netlogon protocol changes   related to CVE-2022-38023<\/a><\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/topic\/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb\" rel=\"noopener noreferrer\" target=\"_blank\">KB5020805: How to manage Kerberos protocol changes related   to CVE-2022-37967<\/a><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<th>Machine Translation<\/th>\n<td>\n<div>2022 \u5e74 11 \u6708 8 \u65e5\u4ee5\u964d\u306e Windows \u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u306f\u3001Windows Server \u30c9\u30e1\u30a4\u30f3 \u30b3\u30f3\u30c8\u30ed\u30fc\u30e9\u30fc (DC) \u306b\u5f71\u97ff\u3092\u4e0e\u3048\u308b 2 \u3064\u306e\u91cd\u8981\u306a\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u306e\u8106\u5f31\u6027\u306b\u5bfe\u51e6\u3059\u308b\u4e0a\u3067\u91cd\u8981\u3067\u3059\u3002<\/div>\n<ul>\n<li>RPC \u30b7\u30fc\u30ea\u30f3\u30b0\u306e\u4ee3\u308f\u308a\u306b RPC \u7f72\u540d\u3092\u4f7f\u7528\u3059\u308b\u5834\u5408\u306e Netlogon \u30d7\u30ed\u30c8\u30b3\u30eb\u306e\u8106\u5f31\u6027\u3002\u8a73\u7d30\u306b\u3064\u3044\u3066\u306f\u3001CVE-2022-38023 \u3092\u53c2\u7167\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/li>\n<li>Kerberos \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \u30d0\u30a4\u30d1\u30b9\u304a\u3088\u3073\u7279\u6a29\u5c5e\u6027\u8a3c\u660e\u66f8 (PAC) \u7f72\u540d\u306e\u5909\u66f4\u306b\u95a2\u9023\u3059\u308b\u7279\u6a29\u306e\u6607\u683c\u306e\u8106\u5f31\u6027\u3002\u8a73\u7d30\u306b\u3064\u3044\u3066\u306f\u3001CVE-2022-37967 \u3092\u53c2\u7167\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/li>\n<\/ul>\n<div>  <\/div>\n<div>\u30c9\u30e1\u30a4\u30f3\u306b\u53c2\u52a0\u3057\u3066\u3044\u308b\u3059\u3079\u3066\u306e\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u30fc \u30a2\u30ab\u30a6\u30f3\u30c8\u304c\u3053\u308c\u3089\u306e\u8106\u5f31\u6027\u306e\u5f71\u97ff\u3092\u53d7\u3051\u307e\u3059\u3002\u4ee5\u4e0b\u306e KB \u30a8\u30f3\u30c8\u30ea\u3092\u78ba\u8a8d\u3057\u3066\u3001\u74b0\u5883\u5185\u3067\u3053\u308c\u3089\u306e\u5909\u5316\u3059\u308b\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u8981\u4ef6\u3092\u69cb\u6210\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3067\u304d\u308b\u30aa\u30d7\u30b7\u30e7\u30f3\u3092\u7406\u89e3\u3057\u3001\u8b66\u544a\u3068\u554f\u984c\u3092\u76e3\u8996\u3057\u307e\u3059\u3002<\/div>\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/topic\/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25\" rel=\"noopener noreferrer\" target=\"_blank\">KB5021130:CVE-2022-38023\u306b\u95a2\u9023\u3059\u308bNetlogon\u30d7\u30ed\u30c8\u30b3\u30eb\u306e\u5909\u66f4\u3092\u7ba1\u7406\u3059\u308b\u65b9\u6cd5<\/a><\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/topic\/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb\" rel=\"noopener noreferrer\" target=\"_blank\">KB5020805:CVE-2022-37967\u306b\u95a2\u9023\u3059\u308bKerberos\u30d7\u30ed\u30c8\u30b3\u30eb\u306e\u5909\u66f4\u3092\u7ba1\u7406\u3059\u308b\u65b9\u6cd5<\/a><\/li>\n<\/ul>\n<div>  <\/div>\n<div><b>\u3053\u308c\u306f\u3044\u3064\u8d77\u3053\u308a\u307e\u3059<\/b>\u304b:<\/div>\n<div>\u4ee5\u524d\u306b\u767a\u8868\u3055\u308c\u305f\u3088\u3046\u306b\u3001\u6b21\u306e\u5909\u66f4\u306f\u30012023 \u5e74 6 \u6708 13 \u65e5\u4ee5\u964d\u306b\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u305f Windows \u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u3067\u6709\u52b9\u306b\u306a\u308a\u307e\u3059\u3002<\/div>\n<div>  <\/div>\n<div>\u30cd\u30c3\u30c8\u30ed\u30b0\u30aa\u30f3\u30d7\u30ed\u30c8\u30b3\u30eb\u306e\u5909\u66f4:<\/div>\n<ul>\n<li>2023 \u5e74 6 \u6708 13 \u65e5:&nbsp;RPC \u5c01\u5370\u3092\u4f7f\u7528\u3057\u305f Netlogon \u30d7\u30ed\u30c8\u30b3\u30eb\u306e\u9069\u7528\u304c\u3001\u3059\u3079\u3066\u306e\u30c9\u30e1\u30a4\u30f3 \u30b3\u30f3\u30c8\u30ed\u30fc\u30e9\u30fc\u3067\u6709\u52b9\u306b\u306a\u308a\u307e\u3059\u3002\u975e\u6e96\u62e0\u30c7\u30d0\u30a4\u30b9\u304b\u3089\u306e\u8106\u5f31\u306a\u63a5\u7d9a\u306f\u30d6\u30ed\u30c3\u30af\u3055\u308c\u307e\u3059\u3002\u3053\u306e\u9069\u7528\u306f 2023 \u5e74 7 \u6708\u307e\u3067\u524a\u9664\u3067\u304d\u307e\u3059\u3002<\/li>\n<li>2023 \u5e74 7 \u6708 11 \u65e5: RPC \u30b7\u30fc\u30ea\u30f3\u30b0\u306e\u5b8c\u5168\u306a\u9069\u7528\u304c\u958b\u59cb\u3055\u308c\u3001\u524a\u9664\u3059\u308b\u3053\u3068\u306f\u3067\u304d\u307e\u305b\u3093\u3002<\/li>\n<\/ul>\n<div>&nbsp;<\/div>\n<div>Kerberos \u30d7\u30ed\u30c8\u30b3\u30eb\u306e\u5909\u66f4:<\/div>\n<ul>\n<li>6 \u6708 13 \u65e5: 2023: PAC \u7f72\u540d\u306e\u8ffd\u52a0\u3092\u7121\u52b9\u306b\u3059\u308b\u6a5f\u80fd\u306f\u5229\u7528\u3067\u304d\u306a\u304f\u306a\u308a\u307e\u3059\u30022022 \u5e74 11 \u6708\u4ee5\u964d\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u304c\u9069\u7528\u3055\u308c\u305f\u30c9\u30e1\u30a4\u30f3 \u30b3\u30f3\u30c8\u30ed\u30fc\u30e9\u30fc\u3067\u306f\u3001Kerberos PAC \u30d0\u30c3\u30d5\u30a1\u30fc\u306b\u7f72\u540d\u304c\u8ffd\u52a0\u3055\u308c\u307e\u3059\u3002<\/li>\n<li>2023\u5e747\u670811\u65e5:\u7f72\u540d\u306e\u691c\u8a3c\u304c\u958b\u59cb\u3055\u308c\u3001\u9632\u6b62\u3059\u308b\u3053\u3068\u306f\u3067\u304d\u307e\u305b\u3093\u3002\u6b20\u843d\u307e\u305f\u306f\u7121\u52b9\u306a\u7f72\u540d\u306e\u63a5\u7d9a\u306f\u3001\u300c\u76e3\u67fb\u30e2\u30fc\u30c9\u300d\u8a2d\u5b9a\u3067\u5f15\u304d\u7d9a\u304d\u8a31\u53ef\u3055\u308c\u307e\u3059\u3002\u305f\u3060\u3057\u30012023 \u5e74 10 \u6708\u4ee5\u964d\u306f\u8a8d\u8a3c\u304c\u62d2\u5426\u3055\u308c\u307e\u3059\u3002<\/li>\n<\/ul>\n<div>  <\/div>\n<div><b>\u3053\u308c\u304c\u7d44\u7e54\u306b\u4e0e\u3048\u308b\u5f71\u97ff:<\/b><\/div>\n<div>2022 \u5e74 11 \u6708 8 \u65e5\u306e\u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u6a5f\u80fd\u306f\u3001\u3082\u3068\u3082\u3068\u5236\u9650\u3055\u308c\u305f\u9069\u7528\u3067\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u3066\u304a\u308a\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5f37\u5316\u8981\u4ef6\u3092\u624b\u52d5\u3067\u6709\u52b9\u307e\u305f\u306f\u7121\u52b9\u306b\u3059\u308b\u6a5f\u80fd\u3092\u63d0\u4f9b\u3057\u307e\u3059\u3002\u3053\u308c\u306b\u3088\u308a\u3001\u7ba1\u7406\u8005\u306f\u3001\u6700\u7d42\u7684\u306b\u3059\u3079\u3066\u306e\u8981\u4ef6\u304c\u6e80\u305f\u3055\u308c\u3001\u5b8c\u5168\u306a\u9069\u7528\u304c\u6709\u52b9\u306b\u306a\u308b\u307e\u3067\u3001\u74b0\u5883\u306b\u5fc5\u8981\u306a\u5909\u66f4\u3092\u52a0\u3048\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u300211 \u6708\u306e\u30ea\u30ea\u30fc\u30b9\u304b\u3089\u6570\u304b\u6708\u3067\u3001\u8981\u4ef6\u306f\u5f90\u3005\u306b\u5897\u52a0\u3057\u3066\u3044\u307e\u3059\u3002\u5834\u5408\u306b\u3088\u3063\u3066\u306f\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5f37\u5316\u3092\u624b\u52d5\u3067\u7121\u52b9\u306b\u3059\u308b\u6a5f\u80fd\u304c\u524a\u9664\u3055\u308c\u307e\u3057\u305f\u3002\u7ba1\u7406\u8005\u306f\u3001\u30a2\u30af\u30b7\u30e7\u30f3\u3092\u5b9f\u884c\u3057\u3001\u5fc5\u8981\u306b\u5fdc\u3058\u3066\u5f37\u5316\u306e\u5909\u66f4\u3092\u63a1\u7528\u3059\u308b\u3053\u3068\u3092\u304a\u52e7\u3081\u3057\u307e\u3059\u3002<\/div>\n<div>  <\/div>\n<div><b>\u6e96\u5099\u3059\u308b\u305f\u3081\u306b\u5fc5\u8981\u306a\u3053\u3068:<\/b><\/div>\n<div>2022 \u5e74 11 \u6708 8 \u65e5\u4ee5\u964d\u306b\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u305f Windows \u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u3067 Windows \u30c9\u30e1\u30a4\u30f3 \u30b3\u30f3\u30c8\u30ed\u30fc\u30e9\u30fc\u3092\u66f4\u65b0\u3057\u307e\u3059\u3002\u4ee5\u4e0b\u306e\u300c\u8ffd\u52a0\u60c5\u5831\u300d\u30bb\u30af\u30b7\u30e7\u30f3\u306e KB \u30a8\u30f3\u30c8\u30ea\u3092\u78ba\u8a8d\u3057\u3066\u3001\u74b0\u5883\u5185\u3067\u3053\u308c\u3089\u306e\u5909\u5316\u3059\u308b\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u8981\u4ef6\u3092\u69cb\u6210\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3067\u304d\u308b\u30aa\u30d7\u30b7\u30e7\u30f3\u3092\u7406\u89e3\u3057\u3001\u8b66\u544a\u3068\u554f\u984c\u3092\u76e3\u8996\u3059\u308b\u3053\u3068\u304c\u91cd\u8981\u3067\u3059\u3002<\/div>\n<div>  <\/div>\n<div><b>\u8ffd\u52a0\u60c5\u5831:<\/b><\/div>\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/topic\/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25\" rel=\"noopener noreferrer\" target=\"_blank\">KB5021130:CVE-2022-38023\u306b\u95a2\u9023\u3059\u308bNetlogon\u30d7\u30ed\u30c8\u30b3\u30eb\u306e\u5909\u66f4\u3092\u7ba1\u7406\u3059\u308b\u65b9\u6cd5<\/a><\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/topic\/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb\" rel=\"noopener noreferrer\" target=\"_blank\">KB5020805:CVE-2022-37967\u306b\u95a2\u9023\u3059\u308bKerberos\u30d7\u30ed\u30c8\u30b3\u30eb\u306e\u5909\u66f4\u3092\u7ba1\u7406\u3059\u308b\u65b9\u6cd5<\/a><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>MC586070 | Reminder: Security hardening changes for Netlogon and Kerberos coming in June and July 2023 Classif [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1932","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/1932","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=1932"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/1932\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=1932"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=1932"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=1932"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}