{"id":3156,"date":"2023-09-12T02:00:47","date_gmt":"2023-09-11T17:00:47","guid":{"rendered":"https:\/\/m365jp.xyz\/?p=3156"},"modified":"2023-09-12T02:40:59","modified_gmt":"2023-09-11T17:40:59","slug":"mc674685-reminder-security-hardening-changes-for-netlogon-and-kerberos-effective-october-10-2023","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2023-09-12-mc674685-reminder-security-hardening-changes-for-netlogon-and-kerberos-effective-october-10-2023","title":{"rendered":"MC674685 | Reminder: Security hardening changes for Netlogon and Kerberos effective October 10, 2023"},"content":{"rendered":"<div class=\"postie-post\">\n<div>\n<hr>\n<table id=\"section\">\n<tbody>\n<tr>\n<th width=\"95%\">MC674685 | Reminder: Security hardening changes for Netlogon and Kerberos effective October 10, 2023<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr>\n<table id=\"data\">\n<tbody>\n<tr>\n<th>Classification<\/th>\n<td>planForChange<\/td>\n<\/tr>\n<tr>\n<th>Last Updated<\/th>\n<td>09\/11\/2023 16:53:32<\/td>\n<\/tr>\n<tr>\n<th>Start Time<\/th>\n<td>09\/11\/2023 16:53:30<\/td>\n<\/tr>\n<tr>\n<th>End Time<\/th>\n<td>09\/11\/2024 16:53:30<\/td>\n<\/tr>\n<tr>\n<th>Message Content<\/th>\n<td>\n<div>Windows updates released November 8, 2022 and later include changes that address security vulnerabilities affecting Windows Server domain controllers (DC). Among the addressed vulnerabilities is a Kerberos security bypass and elevation of privilege scenario involving alteration of Privilege Attribute Certificate (PAC) signatures. Changes to address this issue have been released in a series of phases throughout 2023, and are reaching the final stage of enforcement in October.<\/div>\n<div>  <\/div>\n<div>All domain-joined machine accounts are affected by these vulnerabilities. 
For details on configuring these security requirements in your environment, see <a href=\"https:\/\/support.microsoft.com\/topic\/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb\" rel=\"noopener noreferrer\" target=\"_blank\">KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967<\/a>.<\/div>\n<div>  <\/div>\n<div><b>When will this happen<\/b>:<\/div>\n<div>As previously announced, Windows updates released on or after October 10, 2023 will have the following effects:<\/div>\n<div>  <\/div>\n<ul>\n<li>Remove the ability to disable PAC signature addition (previously done via the registry subkey KrbtgtFullPacSignature).<\/li>\n<li>Remove support for Audit mode (this allowed authentication even when PAC signatures were missing or invalid, and created audit logs for review).<\/li>\n<li>Deny authentication to incoming service tickets without the new PAC signatures.<\/li>\n<\/ul>\n<div>  <\/div>\n<div><b>How this will affect your organization:<\/b><\/div>\n<div>The security features in the November 8, 2022 update were originally released with limited enforcement, providing the ability to manually enable and disable security hardening requirements. This was intended to allow administrators time to make any necessary changes in their environments, until all requirements could be met and full enforcement enabled. In the months since that November 2022 release, requirements have gradually increased. The October 10, 2023 release is the final phase of these security hardening measures, and removes the ability to manually disable security hardening.<\/div>\n<div>  <\/div>\n<div>Organizations that have not taken action to adopt the hardening changes as necessary will be at risk of business disruption after this October update. 
Administrators are encouraged to take action and adopt the necessary changes as soon as possible.<\/div>\n<div>  <\/div>\n<div><b>What you need to do to prepare:<\/b><\/div>\n<div>Update your Windows domain controllers with a Windows update released on or after November 8, 2022. It&#8217;s critical to review the KB entries in the Additional information section, below, to understand the options available for configuring these security requirements in your environment.<\/div>\n<div>  <\/div>\n<div><b>Additional information:<\/b><\/div>\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/topic\/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb\" rel=\"noopener noreferrer\" target=\"_blank\">KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967<\/a><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>MC674685 | Reminder: Security hardening changes for Netlogon and Kerberos effective October 10, 2023 Classific [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3156","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/3156","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=3156"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/3156\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=3156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=3156"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=3156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}