Microsoft Strengthens Security of Domain Controllers In Windows Server


After various security problems with domain controllers in Windows Server, Microsoft decided to carry out what it calls hardening for Netlogon and Kerberos in several steps. The next level of hardening came into effect on the July Patch Day.

This means that established security measures can no longer be circumvented and administrators must comply with the company’s specifications for Windows Server domain controllers.

Microsoft had previously announced Windows Server updates and the first changes in handling the protocols but then changed the schedules several times. Further changes to the Netlogon and Kerberos protocols have now been activated.

Enforcement mode

By default, Microsoft protects Windows devices from the vulnerabilities in the Netlogon protocol that arise when RPC signing is used instead of RPC sealing; Windows then no longer allows such vulnerable connections (enforcement mode). Since June 2023, the new enforcement mode has been enabled on all Windows domain controllers, blocking vulnerable connections from non-compliant devices. This is similar to the Kerberos protocol change, which likewise requires all domain controllers to be updated before the update goes into enforcement mode.
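A defender's pre-check for the Netlogon part of this hardening, as an added example that is not from the article or from Microsoft: it reads the domain controller's current RequireSeal setting and counts recent Netlogon events that flag clients still using RPC signing instead of sealing, so an administrator can see whether switching to enforcement mode would cut anyone off. It assumes the RequireSeal registry value (0 = disabled, 1 = compatibility, 2 = enforcement), the NETLOGON event source and event IDs 5838/5839 as documented by Microsoft for this update; run it elevated on a domain controller.

```powershell
# Added example, not part of the original article.
# Assumed: HKLM\...\Netlogon\Parameters\RequireSeal (0 disabled, 1 compatibility,
# 2 enforcement) and System-log events 5838 (client using RPC signing instead of
# sealing) / 5839 (trust using RPC signing instead of sealing) from source NETLOGON.
function Get-NetlogonSealingPosture {
    [CmdletBinding()]
    param(
        [int]$LookbackDays = 7   # how far back to look for non-compliant clients
    )

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $requireSeal = (Get-ItemProperty -Path $key -Name 'RequireSeal' `
                        -ErrorAction SilentlyContinue).RequireSeal

    $mode = switch ($requireSeal) {
        0       { 'Disabled: vulnerable (signing-only) connections are allowed' }
        1       { 'Compatibility: non-compliant clients are logged but still allowed' }
        2       { 'Enforcement: non-compliant clients are rejected' }
        default { 'Not set: the behaviour of the current update phase applies' }
    }

    # Compatibility-mode events are the evidence of who would break under enforcement.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5838, 5839
        StartTime    = (Get-Date).AddDays(-$LookbackDays)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # Keep one copy of each distinct message so repeated offenders are easy to spot.
    $distinct = $events | Select-Object -ExpandProperty Message -Unique

    [pscustomobject]@{
        RequireSeal         = $requireSeal
        Mode                = $mode
        LookbackDays        = $LookbackDays
        NonCompliantEvents  = $events.Count
        DistinctFindings    = $distinct
        # Safe to move to enforcement only when nothing non-compliant was seen.
        ReadyForEnforcement = ($events.Count -eq 0)
    }
}

Get-NetlogonSealingPosture -LookbackDays 14 | Format-List
```

Run it on every domain controller, since each one logs only the clients that authenticated against it.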

Microsoft is now announcing the new hardening in the Windows Release Health Dashboard.
