Netlogon protocol changes related to CVE-2022-38023 impacted NTLM user authentication

Anonymous
2024-03-14T05:04:57+00:00

Hi Experts / Team,

I would like to patch my Windows domain controllers, but there was an incident during the last patch due to KB5021130. As I understand it, this patch disables the RPC Signing/Seal protocol changes as referenced in CVE-2022-38023. NTLM authentication was rejected after this patch, and it was rolled back to resolve that issue.

I'm looking for expert opinions on how to mitigate the Netlogon protocol changes related to CVE-2022-38023 and apply the latest Microsoft updates without impacting NTLM user authentication.

Windows for business | Windows Server | Directory services | Active Directory

This question was migrated from the Microsoft Support Community.

Accepted answer
  1. Anonymous
    2024-03-15T09:41:12+00:00

    Hi Muru.A,

    Thank you for posting on the Microsoft Community Forum.

    Given the situation you described, where applying the KB5021130 patch resulted in issues with NTLM authentication due to changes in RPC signing/sealing protocols as referenced by CVE-2022-38023, here are some expert recommendations to mitigate the protocol changes associated with CVE-2022-38023 without affecting NTLM authentication while still applying the latest Microsoft updates:

    1. Evaluate Impact: First, assess the impact of CVE-2022-38023 on your network environment. Understand the potential security risks associated with the RPC signing/sealing protocol changes and weigh them against the impact of NTLM authentication issues.
    2. Review Patch Notes: Carefully review the patch notes and documentation provided by Microsoft for KB5021130 and any related updates. Look for specific guidance on mitigating the impact of CVE-2022-38023 while ensuring compatibility with NTLM authentication.
    3. Consider Workarounds: Explore possible workarounds or configuration changes that can help mitigate the impact of the RPC protocol changes. This might involve adjusting security settings, registry entries, or group policy settings related to RPC or NTLM authentication.
    4. Test in a Lab Environment: Before applying any changes to your production environment, conduct thorough testing in a lab environment to validate the effectiveness of proposed solutions. Test various scenarios to ensure that NTLM authentication continues to function properly while addressing CVE-2022-38023 concerns.

    5. Implement Alternative Security Measures: In addition to addressing CVE-2022-38023, consider implementing alternative security measures to compensate for any potential vulnerabilities introduced by disabling or modifying RPC signing/sealing protocols. This could include strengthening network segmentation, implementing additional access controls, or enhancing monitoring and detection capabilities.
    6. Monitor for Updates: Stay informed about any further updates or patches released by Microsoft that address the issues with RPC signing/sealing protocols and NTLM authentication. Regularly review Microsoft's security advisories and announcements to ensure that your environment remains protected against emerging threats.
    7. Engage with Microsoft Support: If you encounter challenges or require additional assistance in mitigating the impact of CVE-2022-38023 while maintaining NTLM authentication compatibility, consider reaching out to Microsoft Support for expert guidance and support tailored to your specific environment and requirements.

    By following these recommendations and taking a systematic approach to address the issues with RPC signing/sealing protocols and NTLM authentication, you can effectively mitigate the security risks associated with CVE-2022-38023 while ensuring the continued functionality and security of your Windows domain controller environment.

    Best regards

    Neuvi Jiang
