Windows Server 2022-based AD FS Servers may be vulnerable to Remote Code Execution (CVE-2023-23392)

Windows Vulnerability

This week, on its Patch Tuesday for March 2023, Microsoft released a patch that addresses a highly critical vulnerability (CVE-2023-23392) in the HTTP Protocol Stack.


About the vulnerability

CVE-2023-23392 details a remote code execution vulnerability that can be used to attack AD FS servers over the internet. An unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets and run malicious code on these hosts.

Affected Operating systems and configurations

When HTTP/3 and buffered I/O are enabled on the AD FS Servers and/or Web Application Proxy servers, the hosts are vulnerable. As HTTP/3 was introduced with Windows Server 2022, only Windows Server installations running this Operating System and configured with HTTP/3 are vulnerable.

HTTP/3 is not enabled by default in Windows Server 2022 and needs to be enabled using the EnableHttp3 registry key, manually.


Common Vulnerability Scoring

This vulnerability's attack complexity is rated low. Microsoft assigned a CVSSv3 score of 9.8/8.5.


Call to action

I urge you to disable HTTP/3 on Windows Server 2022 installations acting as Active Directory Federation Services (AD FS) servers and Web Application Proxy servers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this configuration update to the Windows Server 2022 installations acting as AD FS servers and Web Application Proxy servers in the production environment.

Disable HTTP/3 using the following lines of Windows PowerShell:

# The HKLM: PowerShell drive needs the colon; "HKLM\..." without it is not a valid -Path
Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" -Name EnableHttp3 -Force



The Windows Server installation will reboot.

Where HTTP/3 was enabled on Windows Server hosts, determine the source of the configuration change. If it was set through an automated process, you may need to perform additional configuration changes to prevent the registry value from being reapplied in the future.
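As an added example (not from the original post), the following Windows PowerShell audits a list of AD FS and Web Application Proxy servers for the EnableHttp3 value, reports which of them are Windows Server 2022 hosts (build 20348) with HTTP/3 enabled, and removes the value from only those hosts. The server names are constructed placeholders; the script assumes PowerShell remoting (WinRM) to the servers with an account that is a local administrator on them, and the restart described above still applies after the removal.

```powershell
# Added example, not code from the original post.
# Assumes WinRM access to the servers; server names below are placeholders.

function Test-Http3Enabled {
    # Returns one object per server with OS build and EnableHttp3 state.
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
        $os    = Get-CimInstance -ClassName Win32_OperatingSystem
        # Absent value -> $null; HTTP/3 is only on when the value exists and is 1
        $value = (Get-ItemProperty -Path $path -Name EnableHttp3 -ErrorAction SilentlyContinue).EnableHttp3

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            OSBuild      = $os.BuildNumber
            IsServer2022 = ($os.BuildNumber -eq '20348')   # Windows Server 2022 build line
            EnableHttp3  = $value
            Http3Enabled = ($value -eq 1)
        }
    }
}

function Disable-Http3 {
    # Removes the EnableHttp3 value; supports -WhatIf / -Confirm for the test-first rollout.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($computer, 'Remove EnableHttp3 registry value')) {
            Invoke-Command -ComputerName $computer -ScriptBlock {
                Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters' `
                                    -Name EnableHttp3 -Force -ErrorAction SilentlyContinue
            }
        }
    }
}

# Constructed placeholder server list; replace with your AD FS and WAP hosts.
$servers = 'adfs01.corp.example', 'wap01.corp.example'

$report = Test-Http3Enabled -ComputerName $servers
$report | Format-Table ComputerName, OSBuild, IsServer2022, EnableHttp3, Http3Enabled -AutoSize

# Only Windows Server 2022 hosts with the value set to 1 are in scope for the change.
$affected = $report | Where-Object { $_.IsServer2022 -and $_.Http3Enabled }
if ($affected) {
    # Drop -WhatIf once the change has been validated in the test environment.
    Disable-Http3 -ComputerName $affected.ComputerName -WhatIf
}
```

Keep the report output from the first run: it documents which hosts had the value set and is the starting point for tracing where the configuration change came from.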


Pro Tip! Use YubiStyle Covers instead of writing the userPrincipalName or Domain Name on your YubiKeys


Windows Hello for Business Security Keys are Microsoft’s name to FIDO2-based security keys, when you use them with Windows Hello for Business on a Windows 10-based device.

As the FIDO Alliance strives to develop and promote authentication standards, FIDO2-based security keys work in many passwordless scenarios.

Yubico, one of the founding members of the FIDO Alliance, offers great Windows Hello for Business security keys with many options: YubiKeys. YubiKeys are designed and made to be resilient. However, sometimes, you may encounter a key from a bad batch (like with the early YubiKeys Bio) or you might just put a little too much strain on one. In that case, you might be wondering if the YubiKey is still alive.

As in the old days with smart cards, it's unwise to write any identifying information on YubiKeys. However, as one YubiKey can serve many accounts, the challenge is not as big as it used to be. Today, when an organization has applied the Active Directory Tiered Admin model in its production, acceptance, test and development environments, all the credentials can be stored on a single YubiKey, while smart cards were typically limited to four accounts and admins had to carry around four smart cards. Vanilla smart cards can be hard to distinguish, so typically something was written on them. It's not the brightest idea to write a userPrincipalName or domain name on a smart card, but it happened.

As we typically distribute two YubiKeys per break-glass account to our customers, we needed a way to distinguish between those keys and the typical YubiKeys that admins at these organizations carry. In the heat of the moment, during incident response, you don't want people breathing down your neck to correctly enter a 128-character password at the first try. You don't want to fumble with YubiKeys either.


YubiStyle Covers

To be able to distinguish between YubiKeys, we use YubiStyle Covers.

YubiStyle Covers

Organizations can purchase these covers at an incredible premium at Yubico resellers, but typically buying one or two makes it easy to have them duplicated at your favorite sticker partner.

The original YubiStyle covers are printed on premium 3M paper and their print doesn't tend to fade over time due to UV exposure. This is typically not something we worry about for YubiKeys that we store in vaults for the emergency access accounts.


Pro Tip! Use YubiStyle Covers

Instead of writing any information on YubiKeys, use the YubiStyle Cover stickers.


Join us for the GET-IT Identity Management and Privileged Access Management Conference on March 30, 2023

GET-IT Conference 2023

A few weeks ago, I was invited as a speaker for’s GET-IT Identity Management and Privileged Access Management 1-Day Virtual Conference on March 30th, 2023.


About the GET-IT Identity Management and Privileged Access Management Conference

GET-IT Conferences are 1-day virtual events, organized by The upcoming GET-IT Conference has Identity Management and Privileged Access Management as its topics.

Identity management is key to implementing zero-trust, a security model that protects data regardless of where it is located by blocking all access until a series of conditions are met.

In this 1-day virtual conference, industry experts and MVPs will be looking at solutions to some of the most common problems IT organizations face with identity management and privileged access management (PAM). As organizations understand the importance of restricting administrator access to endpoints and servers, PAM is being more widely deployed as a critical component of any defense-in-depth security strategy.


About my session

After the conference introduction by Paul Thurrott and Russell Smith, I’ll present a 60-minute session on:

Setting up Windows Hello for Business and Seamless Single Sign-on (SSO)

Thursday March 30, 2023, 11AM EST – 12PM EST

As weak, stolen and cracked passwords are at the root of 80% of cybersecurity incidents, Passwordless has the potential to change the world. Under the covers, Windows Hello for Business, Microsoft's Passwordless solution, has already changed the authentication paradigm for Active Directory. Regardless of the device being domain-joined, hybrid Azure AD-joined or Azure AD-joined, you can access organizational resources without specifying credentials using single sign-on, both on-premises and in the cloud.

In this session, Sander Berkouwer explains how Windows Hello works in all three scenarios and what you need to get access going seamlessly within your organization!

I’ll present from 11AM to 11:45 AM (45 minutes), and I’ll open up for Q&A between 11:45 AM and 12 PM (15 minutes) to answer all questions you might have on this topic.


Join me!

Register for the GET-IT Identity Management and Privileged Access Management Conference here.


I'm co-presenting a webinar with Netwrix and IT GRC Forum


I’m proud to announce that I will be co-presenting a webinar with Netwrix’ Anthony Moillic on Thursday March 30th, 2023 at 7PM CET (UTC+1) for the IT GRC Forum on preventing attacks against Active Directory using Entra and Netwrix technologies.


About the webinar

Active Directory controls access to critical systems and data for organizations around the world, but it is not always managed securely. That makes it a top target of attackers.

How can you best protect your organizations from these attacks? And when they happen, how can you detect them promptly and respond effectively?

Learn from the experts how you can secure your Active Directory from end to end and gain peace of mind. Together with Anthony Moillic (Solutions Engineering EMEA & APAC at Netwrix), I'll explain how you can:

  • Identify and mitigate AD security risks before attackers can exploit them.
  • Promptly detect and contain active threats.
  • Quickly recover from incidents to ensure business continuity.


Join us!

Join us for this 75-minute webinar to become the Active Directory security hero your organization needs! Register here.

These webinars are offered free of charge, thanks to the sponsorship of Netwrix and IT GRC Forum. By signing up for these webinars you agree to Netwrix' privacy policy and the privacy policy of the registration partner (BrightTALK).


About Netwrix

Netwrix empowers information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers. Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.


What's New in Azure Active Directory for February 2023

Azure Active Directory

Azure Active Directory is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory and through the Microsoft 365 Message Center, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for February 2023:


What's Planned

New My Groups Experience Public Preview

Service category: My groups
Product capability: End User Experiences

Microsoft will be replacing the existing My Groups experience with the new and improved My Groups in mid-May 2023.

My Groups enables end users to easily manage groups, such as finding groups to join, managing groups they own, and managing existing group memberships. Based on customer feedback, Microsoft added:

  • sorting and filtering on lists of groups and group members,
  • a full list of group members in large groups, and
  • an actionable overview page for membership requests.

In May, users will no longer be able to access the existing My Groups and will need to adjust to the new experience. Today, end users can get the richer benefits of the new My Groups by proactively switching. Navigation between the old and new experiences is available via notification banners on each site. In May, the old experience will be retired. The previous URL ( will redirect users to the new experience at


System-preferred Multi-factor Authentication Public Preview

Service category: Multi-factor Authentication
Product capability: Identity Security and Protection

Today, various authentication methods are employed by users to provide varying levels of security. Depending on the situation, certain methods may be more secure than others, so it is important to have a range of options available to ensure the right level of security is provided.

The solution for this challenge from Microsoft is System-preferred authentication for MFA. With this setting enabled, the authentication platform evaluates at runtime which is the most secure method for the user of the methods the user has registered. This helps organizations move away from the erstwhile concept of the user selecting a default method and always being prompted for that method first, even when more secure methods are registered and available.


What's New

Follow Azure AD best practices with recommendations General Availability

Service category: Reporting
Product capability: Monitoring & Reporting

Azure AD recommendations help organizations improve the Azure AD tenant posture by surfacing opportunities to implement best practices. On a daily basis, Azure AD analyzes the configuration of the tenant. During this analysis, Azure AD compares the data of a recommendation with the actual configuration of the tenant. If a recommendation is flagged as applicable to the Azure AD tenant, the recommendation appears in the Recommendations tab on the Azure AD Overview pane.

This release includes the first 3 Azure AD recommendations:

  • Convert from per-user MFA to Conditional Access MFA
  • Migrate applications from AD FS to Azure AD
  • Minimize MFA prompts from known devices


Expanding Privileged Identity Management Role Activation across the Azure portal General Availability

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Azure AD Privileged Identity Management (PIM) role activation has been expanded to the Billing and AD extensions in the Azure portal. Shortcuts have been added to Subscriptions (billing) and Access Control (IAM) (AD) to allow users to activate PIM roles directly from these blades.

From the Subscriptions blade, select View eligible subscriptions in the horizontal command menu to check eligible, active, and expired assignments. From there, admins can activate an eligible assignment in the same pane. In Access control (IAM) for a resource, admins can now select View my access to see currently active and eligible role assignments and activate directly. By integrating PIM capabilities into different Azure portal blades, this new feature allows admins to gain temporary access to view or edit subscriptions and resources more easily.


Conditional Access for Privileged Identity Management Public Preview

Service category: Privileged Identity Management
Product capability: Privileged Identity Management

Now admins can require delegated admins who are eligible for a role in Azure AD Privileged Identity Management (PIM) to satisfy Conditional Access policy requirements for activation:

  • Use a specific authentication method enforced through Authentication Strengths
  • Activate from Intune compliant device
  • Comply with Terms of Use
  • Use 3rd party MFA and satisfy location requirements


Service category: App Provisioning
Product capability: 3rd Party Integration

Microsoft has added the following new applications in the Azure AD App gallery with Provisioning support. Organizations can now automate creating, updating, and deleting of user accounts for these newly integrated apps:


Service category: Enterprise Apps
Product capability: 3rd Party Integration

Microsoft has added the following new applications in the Azure AD App gallery with Federation support:

  • Tanium Cloud SSO
  • LeanDNA
  • CalendarAnything LWC
  • Udemy Business SAML
  • Canva
  • Kno2fy
  • IT-Conductor
  • ナレッジワーク (Knowledge Work)
  • Valotalive Digital Signage Microsoft 365 integration
  • Priority Matrix HIPAA
  • Priority Matrix Government
  • Beable
  • Grain
  • DojoNavi
  • Global Validity Access Manager
  • FieldEquip
  • Peoplevine
  • Respondent
  • WebTMA
  • ClearIP
  • Pennylane
  • VsimpleSSO
  • Compliance Genie
  • Dataminr Corporate
  • Talon


What's Changed

More information on why a sign-in was flagged as unfamiliar General Availability

Service category: Identity Protection
Product capability: Identity Security & Protection

Unfamiliar sign-in properties risk detection now provides risk reasons as to which properties are unfamiliar, so organizations can better investigate that risk. Azure AD Identity Protection now surfaces the unfamiliar properties in the Azure portal, the Entra portal and through the Microsoft Graph API as Additional Info, with a user-friendly description explaining which properties are unfamiliar for this sign-in of the given user.

There is no additional work to enable this feature; the unfamiliar properties are shown by default.


Join us for a Webinar on the Importance of Active Directory Monitoring

Webinar: The Importance of Active Directory Monitoring

On Tuesday March 21st, 2023, I will be presenting a free 60-minute webinar on Active Directory, together with Jay Gundotra of ENow fame.


About this webinar

In case you've forgotten, Active Directory is Microsoft's on-premises Identity management solution. Most large organizations use it as their primary Identity and Access Management (IAM) solution and then synchronize objects to Azure AD from there. Other organizations still keep Active Directory around to facilitate legacy systems that depend on legacy identity protocols like LDAP and NTLM.

Together with Jay, I'll look at monitoring Active Directory’s vitals, but also your Domain Controllers’ DNS and NTP. There is a difference between Active Directory monitoring and Domain Controller monitoring. Domain Controllers are not mere nodes offering the ‘Active Directory’ application. There are files, registry settings and services that are critical to the way Active Directory is hosted on Domain Controllers. There are also differences between monitoring and reporting. Beyond the ability to select and filter, reporting is also capable of providing insights in Active Directory trends over longer periods of time.

With ENow Active Directory Monitoring and Reporting, you get all the functionality that Jay and I talk about in this session. Get ready to learn the intricacies of monitoring all aspects of Active Directory. Expect to have your socks blown off by the insights offered by its reports. Most of all, learn how to do Active Directory right so it doesn’t become a liability to your organization.

About Jay Gundotra

Jay is the CEO at ENow. As Technical Founder and CEO, Jay is responsible for setting the global strategic direction of the organization. A customer-centric business executive, he is committed to ENow’s core values – Grow or Die, Keep Your Word, Be Relentless, and Over-deliver – to help drive a growth mindset culture, create greater impact, and build superior client experiences. Well-respected within the Microsoft MVP community, Jay’s extensive 20+ years of experience in Unified Communications, network management, and cloud computing is the driving force behind ENow’s continued growth and success in delivering effective monitoring and analytics software to clients worldwide.


Join us!

Join us on Tuesday March 21st, 2023 from 6:30PM to 7:30 PM CET (GMT+1). Register here for free.

The webinar will be delivered in English through Microsoft Teams.


About ENow

This webinar is sponsored by ENow.

ENow is an Independent Software Vendor (ISV) focused on helping organizations implement the latest Microsoft technologies and building software tools that simplify the job of IT administrators.

By registering for this masterclass, you submit your information to ENow, who will use it to communicate with you regarding this event and their other services.


On-premises Identity-related updates and fixes for February 2023

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates to improve the experiences and security of Microsoft’s on-premises powerhouses.

This is the list of Identity-related updates and fixes we saw for February 2023:


Windows Server 2016

We observed the following update for Windows Server 2016:

KB5022838 February 14, 2023

The February 14, 2023, update for Windows Server 2016 (KB5022838), updating the OS build number to 14393.5717, is a monthly cumulative update that includes an Identity-related improvement: It addresses an issue that puts Domain Controllers in a restart loop. This occurs because the Local Security Authority Subsystem Service (LSASS) stops responding. The error is 0xc0000374. LSASS stops responding if you populate the KrbTGT account with the AltsecID on accounts that Domain Controllers and Read-only Domain Controllers use.


Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5022840 February 14, 2023

The February 14, 2023, update for Windows Server 2019 (KB5022840), updating the OS build number to 17763.4010, is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses an issue that affects local Kerberos authentication. It fails if the local Key Distribution Center (KDC) service is not active.
  • It addresses an issue that affects Windows Server 2022. Phone activation of a Key Management Services (KMS) key does not work.
  • It improves the replication performance of Active Directory in large environments.


Windows Server 2022

We observed the following updates for Windows Server 2022:

KB5022842 February 14, 2023

The February 14, 2023, update for Windows Server 2022 (KB5022842), updating the OS build number to 20348.1547, is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses an issue that affects local Kerberos authentication. It fails if the local Key Distribution Center (KDC) service is not active.
  • It addresses an issue that affects the Domain Name System (DNS) suffix search list. When you configure it, the parent domain might be missing.
  • It addresses an issue that affects Active Directory Federation Service (AD FS). The issue fails to apply the RequirePDC flag setting of false.

What's New in Microsoft Defender for Identity in February 2023

Microsoft Defender for Identity

Microsoft Defender for Identity helps Active Directory admins defend against advanced persistent threats (APTs) targeting their Active Directory Domain Services infrastructures.

It is a cloud-based service, where agents on Domain Controllers provide signals to Microsoft's Machine Learning (ML) algorithms to detect and report on attacks. Its dashboard allows Active Directory admins to investigate and remediate (potential) breaches related to advanced threats, compromised identities and malicious insider actions.

Microsoft Defender for Identity was formerly known as Azure Advanced Threat Protection (Azure ATP) and Advanced Threat Analytics (ATA).


What's New

In February 2023, one new version of Microsoft Defender for Identity was released: Version 2.198. This version was released on February 15, 2023. This release introduced the following functionality:


Identity timeline

The updated User page in the Microsoft 365 Defender portal now has a new look and feel, with an expanded view of related assets and a new dedicated timeline tab. The timeline represents activities and alerts from the last 30 days, and it unifies the user’s identity entries across all available solutions: Defender for Identity, Defender for Cloud Apps and Defender for Endpoint. By using the timeline, admins can easily focus on activities that the user performed (or were performed on them), in specific timeframes.


Improvements to honeytoken alerts

In Defender for Identity v2.191, Microsoft introduced several new scenarios to the honeytoken activity alert. Based on customer feedback, Microsoft has decided to split the honeytoken activity alert into five separate alerts:

  1. Honeytoken user was queried via SAM-R.
  2. Honeytoken user was queried via LDAP.
  3. Honeytoken user authentication activity.
  4. Honeytoken user had attributes modified.
  5. Honeytoken group membership changed.

Additionally, Microsoft has added exclusions for these alerts, providing a customized experience for your organization's environment.


Suspicious certificate usage over Kerberos protocol (PKINIT) alert

Microsoft introduced a new security alert: Suspicious certificate usage over Kerberos protocol (PKINIT). Many of the techniques for abusing Active Directory Certificate Services (AD CS) involve the use of a certificate in some phase of the attack. Moving forward, Microsoft Defender for Identity will alert admins when it observes such suspicious certificate usage. This behavioral monitoring approach will provide comprehensive protection against AD CS attacks, triggering an alert when a suspicious certificate authentication is attempted against a Domain Controller with a Defender for Identity sensor installed.


Automatic attack disruption

Defender for Identity now works together with Microsoft 365 Defender to offer Automated Attack Disruption. This means that, for signals coming from Microsoft 365 Defender, Defender for Identity can trigger the Disable User action. These actions are triggered by high-fidelity XDR signals, combined with insights from the continuous investigation of thousands of incidents by Microsoft’s research teams. The action suspends the compromised user account in Active Directory and syncs this information to Azure AD.

Specific users can be excluded from the automated response actions.


Remove learning period

The alerts generated by Defender for Identity are based on various factors such as profiling, deterministic detection, machine learning, and behavioral algorithms that it has learned about your organization's network. The full learning process for Defender for Identity can take up to 30 days per Domain Controller. However, there may be instances where admins would like to receive alerts even before the full learning process has been completed. In such cases, admins can turn off the learning period for the affected alerts by enabling the Remove learning period feature.


New way of sending alerts to Microsoft 365 Defender

A year ago, Microsoft announced that all Microsoft Defender for Identity experiences are available in the Microsoft 365 Defender portal. Over the coming month, Microsoft will gradually switch the primary alert pipeline from Defender for Identity > Defender for Cloud Apps > Microsoft 365 Defender to Defender for Identity > Microsoft 365 Defender. This means that status updates in Defender for Cloud Apps will not be reflected in Microsoft 365 Defender and vice versa.

This change should significantly reduce the time it takes for alerts to appear in the Microsoft 365 Defender portal. As part of this migration, all Defender for Identity policies will no longer be available in the Defender for Cloud Apps portal as of March 5. As always, Microsoft recommends using the Microsoft 365 Defender portal for all Defender for Identity experiences.


Improvements and bug fixes

Version 2.198 includes improvements and bug fixes for the internal sensor infrastructure.


Pro Tip! Don't use the YubiKey Personalization Tool. Use the YubiKey Manager.


Windows Hello for Business Security Keys are Microsoft’s name to FIDO2-based security keys, when you use them with Windows Hello for Business on a Windows 10-based device.

As the FIDO Alliance strives to develop and promote authentication standards, FIDO2-based security keys work in many passwordless scenarios.

Yubico, one of the founding members of the FIDO Alliance, offers great Windows Hello for Business security keys with many options: YubiKeys. All protocols are enabled by default. Depending on the type of YubiKey, this ranges from FIDO2 and YubiOTP to PIV.

When looking at managing YubiKeys, and disabling some of these protocols on them, there are two tools available:

  1. The YubiKey Personalization Tool
  2. The YubiKey Manager

While a lot of (older) documentation points out how to achieve certain tasks with regard to your YubiKeys using the YubiKey Personalization Tool, using the YubiKey Manager is the preferred way to do things.

The YubiKey Personalization Tool has a couple of drawbacks:

  • The YubiKey Personalization Tool is no longer actively maintained or improved.
  • You cannot manage Yubico Security Keys with the YubiKey Personalization Tool. The FIDO2-only Security Key is perfect for Windows Hello for Business, but it cannot be managed using the YubiKey Personalization Tool. There is not a lot to manage (obviously), but the YubiKey Manager’s command-line interface (ykman) does offer some granular options specifically suited to Yubico’s FIDO2-only Security Keys.


Pro Tip!

If you have the YubiKey Personalization Tool installed, uninstall it and install the YubiKey Manager instead.

Further reading

Choosing the right Passwordless sign-in method for your colleagues
HOWTO: Enable Windows Hello for Business FIDO2 Key sign-in without Intune
Why Everyone’s talking about Hybrid Cloud Trust




You're invited to the IT-University Masterclass – Securing Azure AD without Premium features, Fact or Fiction?

On Monday March 13th, 2023, I will be presenting a masterclass, together with Raymond Comvalius, for IT-University.nl. Raymond and I will be presenting on a topic that is important for many organizations who are looking to do more with less. Specifically: fewer Premium licenses.

It seems like you can only have security in Azure AD when you focus on Azure AD Premium, Premium P2 and Defender for Identity, as part of the Microsoft 365 E5 suite… Without them, it seems that information security risks cannot be adequately mitigated. Raymond Comvalius and Sander Berkouwer feel that this is not true: the road to Zero Trust is perfectly passable without these costly licenses. It all starts with a couple of fundamental premises and settings that result in an adequately secured Azure AD (and an adequately secured Azure and Microsoft 365 environment in its wake) without the need for premium licenses.

In this masterclass, Raymond and I cover the basic and default security measures in Azure AD, based on what we actually encounter at our customers. For most organizations, this real-world information offers a great start with securing Azure AD, gets them to a secure Azure AD tenant from the get-go and helps their admins dodge the common pitfalls.


Mark your calendar!

Join us for a session that no organization looking at Azure AD can afford to miss!

Mark your calendar for Monday March 13th, 2023 between 8 PM and 10 PM CET for this free webinar. Register here.

The webinar will be delivered in Dutch through Microsoft Teams.


About IT-University

This webinar is sponsored by IT-University.

IT-University is a Dutch educational organization, specialized in IT courses following the new world of learning. IT-University offers an Online Academy, webinars and masterclasses.

By registering for this masterclass, you submit your information to IT-University, who will use it to communicate with you regarding this event and their other services.