Spend some Time on Properly Configuring and Monitoring your Domain Controllers this Patch Tuesday

Reading Time: 5 minutes

Windows Server

This Patch Tuesday, Microsoft addressed 68 vulnerabilities. Of these vulnerabilities, three vulnerabilities are specific to Windows Server installations running as Domain Controllers. These updates are not of the ‘update and forget’ type of updates, but require some more work. So, spend some time on properly configuring your Domain Controllers, this Patch Tuesday.

The three vulnerabilities that are of importance this month are:

CVE-2022-37966 Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability
CVE-2022-37967 Windows Kerberos Elevation of Privilege Vulnerability
CVE-2022-38023 Netlogon RPC Elevation of Privilege Vulnerability

Kerberos Protocol changes (CVE-2022-37966)

An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC4757 and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in an Active Directory environment.

The update that addresses this vulnerability (CVE-2022-37966) introduced changes to the Kerberos protocol. These changes are described in KB5021131.

Note:
The update to address this vulnerability for Windows Server 2022 Datacenter: Azure Edition (Server Core) is not hotpatchable. When running Windows Server 2022 Datacenter: Azure Edition (Server Core) as a Domain Controller, install the update for Windows Server 2022 (5019081). This update requires a computer restart.

The update sets the Advanced Encryption Standard (AES) as the default encryption type for Kerberos session keys on user objects that are not marked with a default encryption type, when the update is installed on all devices, including Domain Controllers. This corresponds with the Network Security: Configure encryption types allowed for Kerberos Group Policy setting on devices.

The following encryption types are typically available:

DES_CBC_CRC
DES_CBC_MD5
RC4_HMAC_MD5
AES128_HMAC_SHA1
AES256_HMAC_SHA1

However, since Windows 7 and Windows Server 2008 R2, DES_CBC_CRC and DES_CBC_MD5 are no longer supported as supported Kerberos encryption types. With the November 2022 updates, the default supported Kerberos encryption types for session keys in the operating system no longer include RC4_HMAC_MD5.

The changes in the supported Kerberos encryption types for session keys are applied with the update.

After applying the November 2022 updates, you may encounter errors in the System log on Domain Controller with Event ID 42:

The Kerberos Key Distribution Center lacks strong keys for account:
You must update the password of this account to prevent use of insecure cryptography.
See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more.

If you encounter these errors, rotate the krbtgt password using the script from Microsoft that is available to do so. The new password for krbtgt is then AES encrypted. Then, change the password for the user object(s) indicated in the event log item(s),

Kerberos Protocol changes (CVE-2022-37967)

An authenticated attacker could leverage cryptographic protocol vulnerabilities in Windows Kerberos. If the attacker gains control on the service that is allowed for delegation, they can modify the Kerberos PAC to elevate their privileges.

The update that addresses this vulnerability (CVE-2022-37967) introduced changes to the Kerberos protocol. These changes are described in KB5020805.

These changes are not applied with the update, but need to be manually enabled. However, the changes will be automatically enabled with the June 2023 updates.

After applying the November 2022 updates to all Domain Controllers, all Domain Controllers will have signatures added to the Kerberos PAC Buffer. However, to identify areas that either are missing PAC signatures or have PAC Signatures that fail validation through, enable Audit mode using the following line of Windows PowerShell on all Domain Controllers:

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\KDC" -Name KrbtgtFullPacSignature -Value 2 -PropertyType DWORD –Force

After enabling Audit mode, you may encounter warnings in the System log on Domain Controller with Event ID 43 with source Kdcsvc to indicate Full PAC signature failures:

The Key Distribution Center (KDC) encountered a ticket that it could not validate the full PAC Signature.
See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more.

After enabling Audit mode, you may encounter warnings in the System log on Domain Controller with Event ID 44 with source Kdcsvc to indicate missing Full PAC signatures:

The Key Distribution Center (KDC) encountered a ticket that did not contained the full PAC Signature.
See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more.

Work with the vendor of any third-party Domain Controllers, devices and/or applications to remedy the situation. After remediating these situations, enable the Enforcement mode by either:

Removing the KrbtgtFullPacSignature registry key.
(Effectively enabling the default setting now, Enabling Audit Mode with the December 2022 updates and enabling Enforcement Mode with the June 2023 updates)
setting the value for the KrbtgtFullPacSignature registry key to 3.
(Effectively enabling the Enforcement Mode directly)

All devices will be configured to run in Audit mode with the December 2022 updates.
The ability to run in Audit mode will be disabled with the October 2023 updates.

Netlogon Protocol changes (CVE-2022-38023)

An authenticated attacker could leverage cryptographic protocol vulnerabilities in the Windows Netlogon protocol when RPC Signing is used instead of RPC Sealing. Where RPC Signing is used instead of RPC Sealing the attacker could gain control of the service and then might be able to modify Netlogon protocol traffic to elevate their privileges.

The update that addresses this vulnerability (CVE-2022-38023) introduces changes to the Netlogon protocol. These changes are described in KB5021130.

The changes in the supported Kerberos encryption types are applied with the update.

After applying the November 2022 updates, you may encounter errors in the System log on Domain Controller with source Netlogon with Event IDs 5838 (indicating that the Netlogon service encountered a client using RPC signing instead of RPC sealing), 5839 (indicating that the Netlogon service encountered a trust using RPC signing instead of RPC sealing), 5840 (indicating that the Netlogon service created a secure channel with a client with RC4) and/or Event ID 5841 (indicating that the Netlogon service denied a client using RC4 due to the ‘RejectMd5Clients’ setting).

If you encounter these errors, take the following actions:

Confirm that the device is running a supported version of Windows.
Ensure all devices are up to date
Ensure that the Domain member: Domain member Digitally encrypt or sign secure channel data (always) Group Policy setting is set to Enabled.

If the Active Directory environment features non-Windows devices that cause the above errors, you can switch the Netlogon protocol changes into compatibility mode using the following line of Windows PowerShell on all Domain Controllers:

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters" -Name RequireSignorSeal -Value 1 -PropertyType DWORD –Force

In Compatibility mode, Domain Controllers require that Netlogon clients use RPC Seal (meaning: both signs and encrypts) if they are running Windows, or if they are acting as either Domain Controllers or Trust accounts. Work with the vendor of any third-party devices, applications and/or services to remedy the situation. After remediating these situations, enable the Enforcement mode by removing the RequireSignorSeal registry key or setting the value for the RequireSignorSeal registry key to 2.

The ability to run in compatibility mode will be disabled with the July 2023 updates.

Concluding

After applying the November 2022 cumulative updates on all your Domain Controllers, make sure to run the following lines of Windows PowerShell:

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\KDC" -Name KrbtgtFullPacSignature -Value 2 -PropertyType DWORD –Force

Then, monitor the System logs on the Domain Controllers to identify any issues with the Kerberos and Netlogon protocol changes.

This way, you’ll not only have addressed the vulnerabilities in CVE-2022-37966, CVE-37967 and CVE-2022-38023), but you can also stay ahead of the curve and not head into issues in the next year with your Domain Controllers.

Posted on November 8, 2022 by Sander Berkouwer in Active Directory, Security Updates

21 Responses to Spend some Time on Properly Configuring and Monitoring your Domain Controllers this Patch Tuesday

Can you please explain?
Does this mean that RC4 for Kerberos encryption is no longer available?
There is a big guide for disabling it from Microsoft. Many systems won't work without it.

from Iorat November 9, 2022 at 1:00 AM
- "ARC4" (RC4_HMAC_MD5) will no longer be used to encrypt Kerberos session keys.
  
  from Sander Berkouwer November 13, 2022 at 1:24 PM
Briljant document! thx sander

from Erik Bakker November 10, 2022 at 11:56 AM
Hi Sander,

We ran into Kerberos authentication settings after this updates was installed on a couple of our domain controllers.

For security reasons our user accounts are configured to only allow AES encryption (checkboxes for enable AES128 and AES256), which set the ms-ds-SupportedEncryptionTypes to a decimal value of 24.
This updates, besides the info you mention creates a registry setting:
HKEY_LOCAL_MACHINE\System\currentcontrolset\services\kdc
DefaultDomainSupportedEncTypes
value 0x27

This practically disables AES usage for Kerberos, blocking logon for any account that has a ms-ds-SupportedEncryptionTypes setting of 24 (0x18).

For now we rolled back the update as it kills Kerberos in our situation.

As you site is one of the few resources I could find on this update, I post this response so others running into the same issue will have some for of information.

Will update my findings and post an article on my blog in the near future.

from Leo de Groot November 10, 2022 at 12:00 PM
KB5021131 suggests 0x27 is the default for DefaultDomainSupportedEncTypes, but doesn't it mean decimal 27 (0x1B)?

from Dave Hope November 10, 2022 at 12:37 PM
- It appears so.
  
  from Sander Berkouwer November 13, 2022 at 1:16 PM
We previously disabled legacy Kerberos encryption types, exclusively leaving AES256 and future types enabled. We additionally have FAST (Kerberos armouring) enabled, enforce encryption of secure channel data. NTLM is completely disabled in our domain.

After installing November 2022 updates on Windows Server 2022 users are unable to authenticate. Yes we regularly rotate the krbtgt account password (leaving 10+ hours in between).

System Event Log messages:
While processing an AS request for target service krbtgt, the account DIRSYNC$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes: 18 3. The accounts available etypes: 23 18.

PS: 'klist' shows all tickets being of type AES-256-CTS-HMAC-SHA1-96 with 'FAST COMPOUND'.

from David Herselman November 10, 2022 at 5:28 PM
Since updating I've been getting Event ID 14 "While processing an AS request for target service krbtgt, the account Username did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 17 23 24 -135 3. The accounts available etypes : 23 18 17. Changing or resetting the password of Username will generate a proper key."

However, resetting doesn't fix it. Users keep getting a popup asking to lock the computer and sign in with the latest password or smart card. Any recommendations?

from Mervyn November 11, 2022 at 1:16 PM
- Hi Mervyn,
  
  Thank you for your feedback.
  I've experienced the same things and blogged the solution here.
  
  from Sander Berkouwer November 13, 2022 at 1:14 PM
Great article, Thanks, Sander!

We have yet to enforce Kerberos encryption algorithms(ms-DSSupportEncryptionType) on Microsoft Active Directory domain clients.

Will we ran into kerberos authentication issue after the November update?

from John November 15, 2022 at 2:26 PM
- Hi John,
  
  These issues extend beyond user objects and computer objects.
  You might still get in trouble with your Active Directory trusts and (group) Managed Service Accounts (gMSAs).
  Here is a line of PowerShell to check them whether your environment is impacted by the Kerberos protocol changes to address CVE-2022-37966.
  
  from Sander Berkouwer November 16, 2022 at 7:52 AM
Hi, after installing these updates we have an issue with lsass using all memory on DCs raising exponentially until it reaches 100%. That was not behavior we had before. Any suggestions?

from Kalle November 22, 2022 at 9:22 AM
- This is a known issue, unfortunately.
  
  However, if you run Windows Server 2022-based Domain Controller and are experiencing this issue, you might want to take a look at How to troubleshoot high Lsass.exe CPU utilization on Active Directory Domain Controllers
  
  from Sander Berkouwer November 28, 2022 at 11:54 PM
Updates and OOB updates have been installed – no issues!

from Bjarne Abraham December 30, 2022 at 9:55 AM
Good detailed article, well done.

from Rich February 22, 2023 at 2:51 PM
If we skipped the November update, and applied updates in January, do we need to set the audit key?

from John March 1, 2023 at 7:12 PM
- The KrbtgtFullPacSignature registry key in the context of CVE-2022-37967 does not need to be configured with a value of 2 after you install the December 2022, or later cumulative updates for Windows Server. It will be configured with this value automatically.
  
  Note:
  Looking forward when you install the October 2023, or later cumulative updates for Windows Server, the KrbtgtFullPacSignature registry key will be removed.
  
  from Sander Berkouwer March 2, 2023 at 6:30 PM
We have 7 DCs. Out of 7, three DCs are Win 2012 R2 and 4 DCs are Win 2019. Security tool reporting this vulnerability only on win 2019 DCs. I have installed nov 2022 patches on Win 2019 servers and didn't create any registry to move it audit mode or enforcement mode. Will this vulnerability auto fixed after 10th October when full enforcement phase will be released. CVE-2022-37967

from Fazal August 24, 2023 at 9:09 AM
- Yes, when you install the July 11, 2023 updates for Windows Server 2019 (or later updates), the settings are applied.
  More information on the timing can be found here.
  
  from Sander Berkouwer September 11, 2023 at 3:34 PM
Sorry, but I'm still confused. Is the reg key needs to be created in order to apply the fix or it will apply automatically at this point? Since the reg key will disappear next month, do I still need to add to monitor? is this roll out is only for us to get ahead of time and fix before start denying?

Thanks!

from John September 11, 2023 at 11:52 PM
- Hi John,
  
  For CVE-2022-37967, the KrbtgtFullPacSignature registry key can be used to enable the changes by configuring the value 2.
  When you have installed the October 10, 2023 updates for Windows Server (or later updates), the registry key no longer applies and the changes are always enabled.
  Whether the registry key exists from that build of Windows Server onwards is irrelevant.
  
  from Sander Berkouwer September 13, 2023 at 4:13 PM