Spend some Time on Properly Configuring and Monitoring your Domain Controllers this Patch Tuesday

Windows Server

This Patch Tuesday, Microsoft addressed 68 vulnerabilities. Of these vulnerabilities, three vulnerabilities are specific to Windows Server installations running as Domain Controllers. These updates are not of the ‘update and forget’ type of updates, but require some more work. So, spend some time on properly configuring your Domain Controllers, this Patch Tuesday.

The three vulnerabilities that are of importance this month are:

  1. CVE-2022-37966 Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability
  2. CVE-2022-37967 Windows Kerberos Elevation of Privilege Vulnerability
  3. CVE-2022-38023 Netlogon RPC Elevation of Privilege Vulnerability

 

Kerberos Protocol changes (CVE-2022-37966)

An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC4757 and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in an Active Directory environment.

The update that addresses this vulnerability (CVE-2022-37966) introduced changes to the Kerberos protocol. These changes are described in KB5021131.

Note:
The update to address this vulnerability for Windows Server 2022 Datacenter: Azure Edition (Server Core) is not hotpatchable. When running Windows Server 2022 Datacenter: Azure Edition (Server Core) as a Domain Controller, install the update for Windows Server 2022 (5019081). This update requires a computer restart.

The update sets the Advanced Encryption Standard (AES) as the default encryption type for Kerberos session keys on user objects that are not marked with a default encryption type, when the update is installed on all devices, including Domain Controllers. This corresponds with the Network Security: Configure encryption types allowed for Kerberos Group Policy setting on devices.

The following encryption types are typically available:

  1. DES_CBC_CRC
  2. DES_CBC_MD5
  3. RC4_HMAC_MD5
  4. AES128_HMAC_SHA1
  5. AES256_HMAC_SHA1

However, since Windows 7 and Windows Server 2008 R2, DES_CBC_CRC and DES_CBC_MD5 are no longer supported as supported Kerberos encryption types. With the November 2022 updates, the default supported Kerberos encryption types for session keys in the operating system no longer include RC4_HMAC_MD5.

The changes in the supported Kerberos encryption types for session keys are applied with the update.

After applying the November 2022 updates, you may encounter errors in the System log on Domain Controller with Event ID 42:

The Kerberos Key Distribution Center lacks strong keys for account:
You must update the password of this account to prevent use of insecure cryptography.
See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more.

If you encounter these errors, rotate the krbtgt password using the script from Microsoft that is available to do so. The new password for krbtgt is then AES encrypted. Then, change the password for the user object(s) indicated in the event log item(s),

 

Kerberos Protocol changes (CVE-2022-37967)

An authenticated attacker could leverage cryptographic protocol vulnerabilities in Windows Kerberos. If the attacker gains control on the service that is allowed for delegation, they can modify the Kerberos PAC to elevate their privileges.

The update that addresses this vulnerability (CVE-2022-37967) introduced changes to the Kerberos protocol. These changes are described in KB5020805.

These changes are not applied with the update, but need to be manually enabled. However, the changes will be automatically enabled with the June 2023 updates.

After applying the November 2022 updates to all Domain Controllers, all Domain Controllers will have signatures added to the Kerberos PAC Buffer. However, to identify areas that either are missing PAC signatures or have PAC Signatures that fail validation through, enable Audit mode using the following line of Windows PowerShell on all Domain Controllers:

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\KDC" -Name KrbtgtFullPacSignature -Value 2 -PropertyType DWORD –Force

 

After enabling Audit mode, you may encounter warnings in the System log on Domain Controller with Event ID 43 with source Kdcsvc to indicate Full PAC signature failures:

The Key Distribution Center (KDC) encountered a ticket that it could not validate the full PAC Signature.
See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more.

After enabling Audit mode, you may encounter warnings in the System log on Domain Controller with Event ID 44 with source Kdcsvc to indicate missing Full PAC signatures:

The Key Distribution Center (KDC) encountered a ticket that did not contained the full PAC Signature.
See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more. 

Work with the vendor of any third-party Domain Controllers, devices and/or applications to remedy the situation. After remediating these situations, enable the Enforcement mode by either:

  • Removing the KrbtgtFullPacSignature registry key.
    (Effectively enabling the default setting now, Enabling Audit Mode with the December 2022 updates and enabling Enforcement Mode with the June 2023 updates)
  • setting the value for the KrbtgtFullPacSignature registry key to 3.
    (Effectively enabling the Enforcement Mode directly)

All devices will be configured to run in Audit mode with the December 2022 updates.
The ability to run in Audit mode will be disabled with the October 2023 updates.

 

Netlogon Protocol changes (CVE-2022-38023)

An authenticated attacker could leverage cryptographic protocol vulnerabilities in the Windows Netlogon protocol when RPC Signing is used instead of RPC Sealing. Where RPC Signing is used instead of RPC Sealing the attacker could gain control of the service and then might be able to modify Netlogon protocol traffic to elevate their privileges.

The update that addresses this vulnerability (CVE-2022-38023) introduces changes to the Netlogon protocol. These changes are described in KB5021130.

Note:
The update to address this vulnerability for Windows Server 2022 Datacenter: Azure Edition (Server Core) is not hotpatchable. When running Windows Server 2022 Datacenter: Azure Edition (Server Core) as a Domain Controller, install the update for Windows Server 2022 (5019081). This update requires a computer restart.

 

The changes in the supported Kerberos encryption types are applied with the update.

After applying the November 2022 updates, you may encounter errors in the System log on Domain Controller with source Netlogon with Event IDs 5838 (indicating that the Netlogon service encountered a client using RPC signing instead of RPC sealing), 5839  (indicating that the Netlogon service encountered a trust using RPC signing instead of RPC sealing), 5840 (indicating that the Netlogon service created a secure channel with a client with RC4) and/or Event ID 5841 (indicating that the Netlogon service denied a client using RC4 due to the ‘RejectMd5Clients’ setting).

If you encounter these errors, take the following actions:

  1. Confirm that the device is running a supported version of Windows.
  2. Ensure all devices are up to date
  3. Ensure that the Domain member: Domain member Digitally encrypt or sign secure channel data (always) Group Policy setting is set to Enabled.

If the Active Directory environment features non-Windows devices that cause the above errors, you can switch the Netlogon protocol changes into compatibility mode using the following line of Windows PowerShell on all Domain Controllers:

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters" -Name RequireSeal -Value 1 -PropertyType DWORD –Force

 

In Compatibility mode, Domain Controllers require that Netlogon clients use RPC Seal (meaning: both signs and encrypts)  if they are running Windows, or if they are acting as either Domain Controllers or Trust accounts. Work with the vendor of any third-party devices, applications and/or services to remedy the situation. After remediating these situations, enable the Enforcement mode by removing the RequireSeal registry key or setting the value for the RequireSeal registry key to 2.

The ability to run in compatibility mode will be disabled with the July 2023 updates.

 

Concluding

After applying the November 2022 cumulative updates on all your Domain Controllers, make sure to run the following lines of Windows PowerShell:

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\KDC" -Name KrbtgtFullPacSignature -Value 2 -PropertyType DWORD –Force

 

Then, monitor the System logs on the Domain Controllers to identify any issues with the Kerberos and Netlogon protocol changes.

This way, you’ll not only have addressed the vulnerabilities in CVE-2022-37966, CVE-37967 and CVE-2022-38023), but you can also stay ahead of the curve and not head into issues in the next year with your Domain Controllers.

13 Responses to Spend some Time on Properly Configuring and Monitoring your Domain Controllers this Patch Tuesday

  1.  

    Can you please explain?
    Does this mean that RC4 for Kerberos encryption is no longer available?
    There is a big guide for disabling it from Microsoft. Many systems won't work without it.

    • "ARC4" (RC4_HMAC_MD5) will no longer be used to encrypt Kerberos session keys.

       
  2.  

    Briljant document! thx sander

  3.  

    Hi Sander,

    We ran into Kerberos authentication settings after this updates was installed on a couple of our domain controllers.

    For security reasons our user accounts are configured to only allow AES encryption (checkboxes for enable AES128 and AES256), which set the ms-ds-SupportedEncryptionTypes to a decimal value of 24.
    This updates, besides the info you mention creates a registry setting:
    HKEY_LOCAL_MACHINE\System\currentcontrolset\services\kdc
    DefaultDomainSupportedEncTypes
    value 0x27

    This practically disables AES usage for Kerberos, blocking logon for any account that has a ms-ds-SupportedEncryptionTypes setting of 24 (0x18).

    For now we rolled back the update as it kills Kerberos in our situation.

    As you site is one of the few resources I could find on this update, I post this response so others running into the same issue will have some for of information.

    Will update my findings and post an article on my blog in the near future.

  4.  

    KB5021131 suggests 0x27 is the default for DefaultDomainSupportedEncTypes, but doesn't it mean decimal 27 (0x1B)?

    •  
  5.  

    We previously disabled legacy Kerberos encryption types, exclusively leaving AES256 and future types enabled. We additionally have FAST (Kerberos armouring) enabled, enforce encryption of secure channel data. NTLM is completely disabled in our domain.

    After installing November 2022 updates on Windows Server 2022 users are unable to authenticate. Yes we regularly rotate the krbtgt account password (leaving 10+ hours in between).

    System Event Log messages:
    While processing an AS request for target service krbtgt, the account DIRSYNC$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes: 18 3. The accounts available etypes: 23 18.

    PS: 'klist' shows all tickets being of type AES-256-CTS-HMAC-SHA1-96 with 'FAST COMPOUND'.

  6.  

    Since updating I've been getting Event ID 14 "While processing an AS request for target service krbtgt, the account Username did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 17 23 24 -135 3. The accounts available etypes : 23 18 17. Changing or resetting the password of Username will generate a proper key."

    However, resetting doesn't fix it. Users keep getting a popup asking to lock the computer and sign in with the latest password or smart card. Any recommendations?

    • Hi Mervyn,

      Thank you for your feedback.
      I've experienced the same things and blogged the solution here.

       
  7.  

    Great article, Thanks, Sander!

    We have yet to enforce Kerberos encryption algorithms(ms-DSSupportEncryptionType) on Microsoft Active Directory domain clients.

    Will we ran into kerberos authentication issue after the November update?

    • Hi John,

      These issues extend beyond user objects and computer objects.
      You might still get in trouble with your Active Directory trusts and (group) Managed Service Accounts (gMSAs).
      Here is a line of PowerShell to check them whether your environment is impacted by the Kerberos protocol changes to address CVE-2022-37966.

       
  8.  

    Hi, after installing these updates we have an issue with lsass using all memory on DCs raising exponentially until it reaches 100%. That was not behavior we had before. Any suggestions?

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.