Upcoming Updates to AD, Kerberos, and LDAP

JasonWalker 2023-03-07 18:36:30 UTC #1

Hello everyone, just wanted to ensure you’ve seen that there are upcoming Microsoft changes to Active Directory, Kerberos, and LDAP that may affect your environments.

https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1

KB5008383—Active Directory permissions updates (CVE-2021-42291)
- Enforcement Mode expected to be enabled by default in April 2023 updates.

https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb

KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967
- Enforcement Mode expected to be enabled by default in July 2023 updates.

https://support.microsoft.com/en-gb/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d

KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966
- I don’t see an enforcement date for this one, but a couple of extended warnings. From the MS article, any Windows 2008 R2 or earlier systems may not be accessed from modern Windows systems, unless the 2008 R2 or earlier have ESU support and install the related ESU updates dated November 8, 2022 or later.
- In another forum, I’m seeing references that Citrix and VMWare provisioning services may be impacted. Ref https://support.citrix.com/article/CTX318084/required-permissions-for-citrix-machine-creation-services-and-auditing-information and https://support.citrix.com/article/CTX335812/adding-new-machines-to-mcs-catalog-fails-when-using-a-nondomain-admin-account

D.Dean 2023-03-15 19:42:38 UTC #2

Is there a way to pull the Active Director Event logs?

We created one that runs once a week that pulls the Kerberos Event logs (42,42 and 44)

(event id of it, description of it) of (records whose (event id of it is contained by set of (42;43;44)) of system event log)

If you do not include the date of the event, you can use Reporting to pull the data to excel and dump it in a pivot table. However, we want to do the same for the Active Directory permissions event logs