Upcoming Microsoft Time bombs

Microsoft Authenticator for M365 users

Synopsis: Microsoft will turn on number matching on 2/27/2023, which will undoubtedly cause chaos if you have users who are not smart enough to use mobile devices that are patchable and updated automatically.

Reference: https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match

Date of change: March 2023

_______


DCOM changes

Synopsis: Changes to the security posture of DCOM (first released in June of 2021) become enforced.

References: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26414 and https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

Date of change: 03-14-2023

_______


AD Connect 2.0.x

Synopsis: AD Connect 2.0.x versions are going end-of-life for those syncing with M365.

Reference: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history

Date of change: April 2023

_______


AD Permissions issue becomes enforced

Synopsis: To address an Active Directory Domain Services Elevation of Privilege Vulnerability, AD audit mode will become enforced.

References: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42291 and https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1

Date of change: 04-11-2023


_______


NetLogon RPC becomes enforced

Synopsis: Windows domain controllers will require that Netlogon clients use RPC seal if they are running Windows, or if they are acting as either domain controllers or as trust accounts.

References: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-38023 and https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25

Date of change: 04-11-2023


_______


Kerberos Protocol Changes

Synopsis: Enforcement mode will be enabled on all Windows domain controllers and will block vulnerable connections from non-compliant devices (aka those using weak RC4-HMAC for negotiation).

References: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37966, https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d, https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37967, and https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb#timing

Date of change: 07-11-2023


_______


Office 2016/2019 dropped from being able to connect to M365 services

Synopsis: Office 2016/2019 will no longer be able to connect to M365 services due to end-of-support.

References: https://learn.microsoft.com/en-us/deployoffice/endofsupport/microsoft-365-services-connectivity

Date of change: 10-10-2023


_______


Kerberos/Certificate-based authentication on DCs becomes enforced

Synopsis: Kerberos/Certificate-based authentication on DCs becomes enforced. By 11-14-2023, or later, all devices will be updated to Full Enforcement mode. In this mode, if a certificate fails the strong (secure) mapping criteria, authentication will be denied.

References: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26931 and https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

Date of change: 11-14-2023
 
