KB5008380—Authentication updates (CVE-2021-42287)

Andreas 1,326 Reputation points
2021-11-18T06:56:55.93+00:00

Hi,

I have some questions regarding KB5008380—Authentication updates (CVE-2021-42287)
https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041

From the documentation, November patch,

"After the November 9, 2021 update has been installed on all Active Directory domain controllers for at least 7 days, we strongly suggest that you enable Enforcement mode on all Active Directory domain controllers."

Do I understand correctly that we should do the following on the domain controllers that are patched... or could I just leave it since we have control on updating our domain controllers

  1. Add registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc\PacRequestorEnforcement with REG_DWORD and value 2

What have you done ? :)

Thanks for reply.

/Regards
Andy

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,413 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,738 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,868 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Leon Laude 85,841 Reputation points
    2021-11-23T18:25:59.543+00:00

    Hi @Andreas ,

    It is not mandatory to do, only strongly suggested, also according to Microsoft's assessment on the CVE-2021-42287, the exploitation is considered "less likely", so it's not something I would worry about as it will also be automatically patched in the future.

    But if you do choose to proceed with the enforcement, then yes, you will have to create the registry key (DWORD) PacRequestorEnforcement with the value of 2 under the location HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc.

    ----------

    If the reply was helpful please don't forget to upvote and/or accept as answer, thank you!

    Best regards,
    Leon


  2. Limitless Technology 39,736 Reputation points
    2021-12-16T17:28:52.137+00:00

    In the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout
    Create a new DWORD value IgnoreRemoteKeyboardLayout and give it the value 1.

    That should be sufficient to solve your problem.


    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.