We are entering phase 3 of the Windows Server DC hardening

by Alexandru Poloboc

Alexandru Poloboc

With an overpowering desire to always get to the bottom of things and uncover the truth, Alex spent most of his time working as a news reporter, anchor,… read more

  • A Kerberos security flaw triggered an immediate response from Microsoft.
  • The company initialized a phased deployment for Server DC Hardening.
  • We are getting the third security update on Patch Tuesday on April 11, 2022.

dc hardening

Microsoft has issued another reminder today, regarding domain controller (DC) hardening due to a Kerberos security flaw.

As we’re sure you remember, back in November, on the second Tuesday of the month, Microsoft released its Patch Tuesday update.

The one for servers, which was KB5019081, addressed a Windows Kerberos elevation of privilege vulnerability.

This flaw actually allowed threat actors to alter Privilege Attribute Certificate (PAC) signatures, tracked under ID CVE-2022-37967.

Back then, Microsoft recommended deploying the update to all Windows devices including domain controllers.

Kerberos security flaw triggers Windows Server DC hardening

To help with deployment, the Redmond-based tech giant published guidance, sharing some of the most important aspects.

The November 8, 2022, Windows updates address security bypass and elevation of privilege vulnerabilities with Privilege Attribute Certificate (PAC) signatures.

In fact, this security update addresses Kerberos vulnerabilities where an attacker could digitally alter PAC signatures, raising their privileges.

In order to further help secure your environment, install this Windows update on all devices, including Windows domain controllers.

Please keep in mind that Microsoft actually released this update in a phased manner, just as it first mentioned it would.

The first deployment was in November, the second one was just over a month later. Now, fast forward to today, Microsoft has published this reminder as the third deployment phase is almost here as they will be released in next month’s Patch Tuesday on April 11, 2022.

Today, the tech giant reminded us that each phase raises the default minimum for the security hardening changes for CVE-2022-37967 and your environment must be compliant before installing updates for each phase onto your Domain Controller.

If you are disabling PAC signature addition by setting the KrbtgtFullPacSignature subkey to a value of 0, you will no longer be able to use this workaround after installing updates released April 11, 2023.

Both the apps and environment will need to at least be compliant with KrbtgtFullPacSignature subkey to a value of 1 to install these updates on your Domain Controllers.

If you are not using any workaround for issues related to CVE-2022-37967 security hardening, you might still need to address issues in your environment for the coming phases.

With that being said, please remember that we also shared available information on the DCOM Hardening for various Windows OS versions, including servers.

Feel free to share any information you have, or ask any question you want to ask us, in the dedicated comments section located below.

More Reading

Post navigation

Leave a Comment

Leave a Reply

Your email address will not be published. Required fields are marked *