{"id":3564,"date":"2023-10-11T02:01:00","date_gmt":"2023-10-10T17:01:00","guid":{"rendered":"https:\/\/m365jp.xyz\/?p=3564"},"modified":"2023-10-11T02:13:02","modified_gmt":"2023-10-10T17:13:02","slug":"mc680542-security-hardening-changes-for-kerberos-effective-with-the-october-10-2023-windows-update","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2023-10-11-mc680542-security-hardening-changes-for-kerberos-effective-with-the-october-10-2023-windows-update","title":{"rendered":"MC680542 | Security hardening changes for Kerberos effective with the October 10, 2023 Windows Update"},"content":{"rendered":"<div class=\"postie-post\">\n<div>\n<hr>\n<table id=\"section\">\n<tbody>\n<tr>\n<th width=\"95%\">MC680542 | Security hardening changes for Kerberos effective with the October 10, 2023 Windows Update<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr>\n<table id=\"data\">\n<tbody>\n<tr>\n<th>Classification<\/th>\n<td>preventOrFixIssue<\/td>\n<\/tr>\n<tr>\n<th>Last Updated<\/th>\n<td>10\/10\/2023 16:57:46<\/td>\n<\/tr>\n<tr>\n<th>Start Time<\/th>\n<td>10\/10\/2023 16:57:44<\/td>\n<\/tr>\n<tr>\n<th>End Time<\/th>\n<td>10\/10\/2024 16:57:44<\/td>\n<\/tr>\n<tr>\n<th>Message Content<\/th>\n<td>\n<div>Windows updates released today, October 10, 2023, and later, conclude the rollout of security enforcement to protect Windows Server domain controllers (DC) against a Kerberos security bypass vulnerability. This vulnerability also involves an elevation of privilege scenario and alteration of Privilege Attribute Certificate (PAC) signatures. All domain-joined machine accounts are affected by these vulnerabilities.<\/div>\n<div>  <\/div>\n<div>These changes have been gradually enforced through a series of phases, beginning with Windows updates released November 8, 2022. 
For details on configuring these security requirements in your environment, see <a href=\"https:\/\/support.microsoft.com\/topic\/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb\" rel=\"noopener noreferrer\" target=\"_blank\">KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967<\/a>.<\/div>\n<div>  <\/div>\n<div><b>When will this happen<\/b>:<\/div>\n<div>As previously announced, Windows updates released on and after October 10, 2023 will have the following effect:<\/div>\n<div>  <\/div>\n<ul>\n<li>Remove the ability to disable PAC signature addition (previously done via the registry subkey KrbtgtFullPacSignature)<\/li>\n<li>Remove support for Audit mode (this enabled authentication whether PAC signatures were missing or invalid, and created audit logs for review).<\/li>\n<li>Deny authentication to incoming service tickets without the new PAC signatures.<\/li>\n<\/ul>\n<div>  <\/div>\n<div><b>How this will affect your organization:<\/b><\/div>\n<div>The security features in Windows updates released November 8, 2022 and later provided the ability to manually enable and disable security hardening requirements. This limited enforcement was intended to allow administrators time to make any necessary changes in their environments, until full enforcement can be enabled once all requirements are met. In the months since that November 2022 release, security requirements have gradually increased. Windows updates released October 10, 2023 or later will contain the final phase of the rollout for these security hardening measures, which no longer provides options to disable security hardening.<\/div>\n<div>  <\/div>\n<div>Organizations which have not adopted the hardening changes as necessary might be at risk of business disruption after installing a Windows update released October 10, 2023 or later. 
Administrators are encouraged to take action as soon as possible.<\/div>\n<div>  <\/div>\n<div><b>What you need to do to prepare:<\/b><\/div>\n<div>Update your Windows domain controllers with a Windows update released on or after November 8, 2022. It&#8217;s critical to review the KB entries in the Additional information section, below, to understand the options available for configuring these security   requirements in your environment.<\/div>\n<div>  <\/div>\n<div><b>Additional information:<\/b><\/div>\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/topic\/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb\" rel=\"noopener noreferrer\" target=\"_blank\">KB5020805: How to manage Kerberos protocol changes related   to CVE-2022-37967<\/a><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<th>Machine Translation<\/th>\n<td>\n<div>\u672c\u65e5\u30012023 \u5e74 10 \u6708 10 \u65e5\u4ee5\u964d\u306b\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u305f Windows \u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u306f\u3001Kerberos \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \u30d0\u30a4\u30d1\u30b9\u306e\u8106\u5f31\u6027\u304b\u3089 Windows Server \u30c9\u30e1\u30a4\u30f3 \u30b3\u30f3\u30c8\u30ed\u30fc\u30e9\u30fc (DC) \u3092\u4fdd\u8b77\u3059\u308b\u305f\u3081\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5f37\u5236\u306e\u30ed\u30fc\u30eb\u30a2\u30a6\u30c8\u3092\u5b8c\u4e86\u3057\u307e\u3059\u3002\u3053\u306e\u8106\u5f31\u6027\u306b\u306f\u3001\u7279\u6a29\u306e\u6607\u683c\u30b7\u30ca\u30ea\u30aa\u304a\u3088\u3073\u7279\u6a29\u5c5e\u6027\u8a3c\u660e\u66f8 (PAC) \u7f72\u540d\u306e\u5909\u66f4\u3082\u542b\u307e\u308c\u307e\u3059\u3002\u30c9\u30e1\u30a4\u30f3\u306b\u53c2\u52a0\u3057\u3066\u3044\u308b\u3059\u3079\u3066\u306e\u30de\u30b7\u30f3 \u30a2\u30ab\u30a6\u30f3\u30c8\u304c\u3001\u3053\u308c\u3089\u306e\u8106\u5f31\u6027\u306e\u5f71\u97ff\u3092\u53d7\u3051\u307e\u3059\u3002<\/div>\n<div>  
<\/div>\n<div>\u3053\u308c\u3089\u306e\u5909\u66f4\u306f\u30012022 \u5e74 11 \u6708 8 \u65e5\u306b\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u305f Windows \u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u304b\u3089\u59cb\u307e\u308b\u4e00\u9023\u306e\u30d5\u30a7\u30fc\u30ba\u3092\u901a\u3058\u3066\u5f90\u3005\u306b\u9069\u7528\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u74b0\u5883\u3067\u3053\u308c\u3089\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u8981\u4ef6\u3092\u69cb\u6210\u3059\u308b\u65b9\u6cd5\u306e\u8a73\u7d30\u306b\u3064\u3044\u3066\u306f\u3001\u300c  <a href=\"https:\/\/support.microsoft.com\/topic\/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb\" rel=\"noopener noreferrer\" target=\"_blank\">  KB5020805: CVE-2022-37967 \u306b\u95a2\u9023\u3059\u308b Kerberos \u30d7\u30ed\u30c8\u30b3\u30eb\u306e\u5909\u66f4\u3092\u7ba1\u7406\u3059\u308b\u65b9\u6cd5\u300d\u3092\u53c2\u7167\u3057\u3066\u304f\u3060\u3055\u3044<\/a>\u3002<\/div>\n<div>  <\/div>\n<div><b>\u3053\u308c\u306f\u3044\u3064\u8d77\u3053\u308a\u307e\u3059<\/b>\u304b:<\/div>\n<div>\u4ee5\u524d\u306b\u304a\u77e5\u3089\u305b\u3057\u305f\u3088\u3046\u306b\u30012023 \u5e74 10 \u6708 10 \u65e5\u4ee5\u964d\u306b\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u305f Windows \u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u306b\u306f\u3001\u6b21\u306e\u5f71\u97ff\u304c\u3042\u308a\u307e\u3059\u3002<\/div>\n<div>  <\/div>\n<ul>\n<li>PAC \u7f72\u540d\u306e\u8ffd\u52a0\u3092\u7121\u52b9\u306b\u3059\u308b\u6a5f\u80fd\u3092\u524a\u9664\u3059\u308b (\u4ee5\u524d\u306f\u30ec\u30b8\u30b9\u30c8\u30ea \u30b5\u30d6\u30ad\u30fc KrbtgtFullPacSignature \u3092\u4f7f\u7528\u3057\u3066\u884c\u3063\u3066\u3044\u307e\u3057\u305f)<\/li>\n<li>\u76e3\u67fb\u30e2\u30fc\u30c9\u306e\u30b5\u30dd\u30fc\u30c8\u3092\u524a\u9664\u3057\u307e\u3059 (\u3053\u308c\u306b\u3088\u308a\u3001PAC 
\u7f72\u540d\u304c\u6b20\u843d\u3057\u3066\u3044\u308b\u304b\u7121\u52b9\u3067\u3042\u308b\u304b\u306b\u95a2\u4fc2\u306a\u304f\u8a8d\u8a3c\u304c\u6709\u52b9\u306b\u306a\u308a\u3001\u78ba\u8a8d\u7528\u306e\u76e3\u67fb\u30ed\u30b0\u304c\u4f5c\u6210\u3055\u308c\u307e\u3057\u305f)\u3002<\/li>\n<li>\u65b0\u3057\u3044 PAC \u7f72\u540d\u306a\u3057\u3067\u53d7\u4fe1\u30b5\u30fc\u30d3\u30b9 \u30c1\u30b1\u30c3\u30c8\u306e\u8a8d\u8a3c\u3092\u62d2\u5426\u3057\u307e\u3059\u3002<\/li>\n<\/ul>\n<div>  <\/div>\n<div><b>\u3053\u308c\u304c\u7d44\u7e54\u306b\u4e0e\u3048\u308b\u5f71\u97ff:<\/b><\/div>\n<div>2022 \u5e74 11 \u6708 8 \u65e5\u4ee5\u964d\u306b\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u305f Windows \u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u6a5f\u80fd\u3067\u306f\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5f37\u5316\u8981\u4ef6\u3092\u624b\u52d5\u3067\u6709\u52b9\u307e\u305f\u306f\u7121\u52b9\u306b\u3059\u308b\u6a5f\u80fd\u304c\u63d0\u4f9b\u3055\u308c\u307e\u3057\u305f\u3002\u3053\u306e\u5236\u9650\u4ed8\u304d\u9069\u7528\u306f\u3001\u3059\u3079\u3066\u306e\u8981\u4ef6\u304c\u6e80\u305f\u3055\u308c\u305f\u5f8c\u306b\u5b8c\u5168\u306a\u9069\u7528\u304c\u6709\u52b9\u306b\u306a\u308b\u307e\u3067\u3001\u7ba1\u7406\u8005\u304c\u74b0\u5883\u306b\u5fc5\u8981\u306a\u5909\u66f4\u3092\u52a0\u3048\u308b\u6642\u9593\u3092\u78ba\u4fdd\u3059\u308b\u3053\u3068\u3092\u76ee\u7684\u3068\u3057\u3066\u3044\u307e\u3057\u305f\u30022022 \u5e74 11 \u6708\u306e\u30ea\u30ea\u30fc\u30b9\u304b\u3089\u6570\u304b\u6708\u3067\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u8981\u4ef6\u306f\u5f90\u3005\u306b\u5897\u52a0\u3057\u3066\u3044\u307e\u3059\u30022023 \u5e74 10 \u6708 10 \u65e5\u4ee5\u964d\u306b\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u305f Windows 
\u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u306b\u306f\u3001\u3053\u308c\u3089\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5f37\u5316\u6e2c\u5b9a\u306e\u30ed\u30fc\u30eb\u30a2\u30a6\u30c8\u306e\u6700\u7d42\u30d5\u30a7\u30fc\u30ba\u304c\u542b\u307e\u308c\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5f37\u5316\u3092\u7121\u52b9\u306b\u3059\u308b\u30aa\u30d7\u30b7\u30e7\u30f3\u306f\u63d0\u4f9b\u3055\u308c\u306a\u304f\u306a\u308a\u307e\u3059\u3002<\/div>\n<div>  <\/div>\n<div>\u5fc5\u8981\u306b\u5fdc\u3058\u3066\u5f37\u5316\u306e\u5909\u66f4\u3092\u63a1\u7528\u3057\u3066\u3044\u306a\u3044\u7d44\u7e54\u306f\u30012023 \u5e74 10 \u6708 10 \u65e5\u4ee5\u964d\u306b\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u305f Windows Update \u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u305f\u5f8c\u306b\u30d3\u30b8\u30cd\u30b9\u304c\u4e2d\u65ad\u3055\u308c\u308b\u30ea\u30b9\u30af\u304c\u3042\u308a\u307e\u3059\u3002\u7ba1\u7406\u8005\u306f\u3001\u3067\u304d\u308b\u3060\u3051\u65e9\u304f\u884c\u52d5\u3092\u8d77\u3053\u3059\u3053\u3068\u3092\u304a\u52e7\u3081\u3057\u307e\u3059\u3002<\/div>\n<div>  <\/div>\n<div><b>\u6e96\u5099\u3059\u308b\u305f\u3081\u306b\u5fc5\u8981\u306a\u3053\u3068:<\/b><\/div>\n<div>2022 \u5e74 11 \u6708 8 \u65e5\u4ee5\u964d\u306b\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u305f Windows \u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u3067 Windows \u30c9\u30e1\u30a4\u30f3 \u30b3\u30f3\u30c8\u30ed\u30fc\u30e9\u30fc\u3092\u66f4\u65b0\u3057\u307e\u3059\u3002\u4ee5\u4e0b\u306e\u300c\u8ffd\u52a0\u60c5\u5831\u300d\u30bb\u30af\u30b7\u30e7\u30f3\u306e KB \u30a8\u30f3\u30c8\u30ea\u3092\u78ba\u8a8d\u3057\u3066\u3001\u74b0\u5883\u3067\u3053\u308c\u3089\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u8981\u4ef6\u3092\u69cb\u6210\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3067\u304d\u308b\u30aa\u30d7\u30b7\u30e7\u30f3\u3092\u7406\u89e3\u3059\u308b\u3053\u3068\u304c\u91cd\u8981\u3067\u3059\u3002<\/div>\n<div>  <\/div>\n<div><b>\u8ffd\u52a0\u60c5\u5831:<\/b><\/div>\n<ul>\n<li><a 
href=\"https:\/\/support.microsoft.com\/topic\/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb\" rel=\"noopener noreferrer\" target=\"_blank\">KB5020805: CVE-2022-37967 \u306b\u95a2\u9023\u3059\u308b Kerberos \u30d7\u30ed\u30c8\u30b3\u30eb\u306e\u5909\u66f4\u3092\u7ba1\u7406\u3059\u308b\u65b9\u6cd5<\/a><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>MC680542 | Security hardening changes for Kerberos effective with the October 10, 2023 Windows Update Classifi [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3564","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/3564","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=3564"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/3564\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=3564"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=3564"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=3564"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}