Andreas-9700 asked LeonLaude commented

KB5008380—Authentication updates (CVE-2021-42287)

Hi,

I have some questions regarding KB5008380—Authentication updates (CVE-2021-42287)
https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041

From the documentation, November patch,

"After the November 9, 2021 update has been installed on all Active Directory domain controllers for at least 7 days, we strongly suggest that you enable Enforcement mode on all Active Directory domain controllers."

Do I understand correctly that we should do the following on the domain controllers that are patched... or could I just leave it, since we have control over updating our domain controllers?

  1. Add registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc\PacRequestorEnforcement with REG_DWORD and value 2


What have you done? :)


Thanks for the reply.

/Regards
Andy


LeonLaude answered LeonLaude commented

Hi @Andreas-9700,

It is not mandatory to do, only strongly suggested. Also, according to Microsoft's assessment of CVE-2021-42287, exploitation is considered "less likely", so it's not something I would worry about, as it will also be automatically patched in the future.


But if you do choose to proceed with the enforcement, then yes, you will have to create the registry key (DWORD) PacRequestorEnforcement with the value of 2 under the location HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc.


If the reply was helpful please don't forget to upvote and/or accept as answer, thank you!


Best regards,
Leon
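
One way to check the registry value discussed above on every domain controller before changing anything, as an added example (not part of the original thread or of Microsoft's KB). It assumes the ActiveDirectory RSAT module and PowerShell remoting to each DC; the `-Enforce` switch and the variable names are hypothetical, and the script does not verify that the November 9, 2021 update is installed.

```powershell
# Added example: audit (and optionally set) PacRequestorEnforcement on every DC.
# Assumes the ActiveDirectory module and PowerShell remoting to the DCs.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Enforce   # hypothetical switch: without it the script only reports
)

Import-Module ActiveDirectory

$kdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valueName = 'PacRequestorEnforcement'
$wanted    = 2   # Enforcement mode, as quoted from the KB above

$dcs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($dc in $dcs) {
    try {
        $current = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            param($key, $name)
            # Yields $null when the value has never been created
            (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        } -ArgumentList $kdcKey, $valueName

        # Write only when asked to, and only where the value differs
        if ($Enforce -and $current -ne $wanted -and
            $PSCmdlet.ShouldProcess($dc, "Set $valueName = $wanted")) {
            Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                param($key, $name, $value)
                New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                    -Value $value -Force | Out-Null
            } -ArgumentList $kdcKey, $valueName, $wanted
            $current = $wanted
        }

        [pscustomobject]@{
            DomainController = $dc
            Value            = if ($null -eq $current) { '(not set)' } else { $current }
            Enforced         = ($current -eq $wanted)
        }
    }
    catch {
        # A DC that cannot be queried is reported rather than silently skipped
        Write-Warning "$dc : $($_.Exception.Message)"
        [pscustomobject]@{ DomainController = $dc; Value = 'unreachable'; Enforced = $false }
    }
}

$report | Sort-Object DomainController | Format-Table -AutoSize
```

Run without `-Enforce` first to see which domain controllers differ; `-Enforce -WhatIf` shows which ones would be changed without writing anything.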



Can you point me to the information about what exactly is changed by setting this regkey? I think it has impact on the ability for a Windows Failover Cluster Virtual Server Object in AD to update the Failover node's server object password.

LimitlessTechnology-2700 answered

In the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout
Create a new DWORD value IgnoreRemoteKeyboardLayout and give it the value 1.

That should be sufficient to solve your problem.




--If the reply is helpful, please Upvote and Accept as answer--
