Understanding the impact on CIFS servers of applying the November 2022 and post-July 2023 cumulative updates for Active Directory (AD) requires examining the changes to authentication protocols, particularly Kerberos and Netlogon. Below is an analysis based on the references you provided.
1. November 2022 Cumulative Updates (Kerberos Authentication)
The November 2022 updates introduced changes to address vulnerabilities in Kerberos authentication, impacting environments where misconfigurations or weak cryptographic settings existed. Key considerations for CIFS servers include:
Impacts on CIFS (SMB) Servers:
- Kerberos Authentication Hardening:
  - The updates implemented stricter enforcement of encryption types (ETypes). If CIFS servers or clients are using deprecated or unsupported ETypes (e.g., RC4-HMAC), Kerberos authentication might fail.
  - Ensure that the CIFS server supports AES-based ETypes (AES256-CTS-HMAC-SHA1-96 or AES128-CTS-HMAC-SHA1-96), as RC4 is no longer considered secure and may be blocked post-update.
- Authentication Failures:
  - Environments that have not updated their Kerberos configurations to align with the new security requirements might experience CIFS-related authentication issues.
  - Errors such as "KRB_AP_ERR_MODIFIED" or "KRB_AP_ERR_KEY_EXPIRED" may occur if the Kerberos tickets are incompatible with the updated policies.
Recommendations:
Verify and Update Supported ETypes:
- Ensure both CIFS servers and domain controllers are configured to support modern ETypes.
- Use the klist or ktpass tools to check and update SPNs and keytab files as needed.
- Perform testing in a staging environment before applying the updates to identify potential issues with CIFS server authentication.
2. Post-July 2023 Updates (Netlogon Protocol Changes - CVE-2022-38023)
The updates introduced in response to CVE-2022-38023 are aimed at securing the Netlogon protocol by enforcing secure RPC and disallowing unsigned or non-secure fallback methods. This change affects any service relying on the Netlogon secure channel, including CIFS servers.
Impacts on CIFS Servers:
Netlogon Secure Channel Requirements:
- CIFS servers configured to use insecure communication with AD for authentication or domain membership might lose functionality.
- Servers not using secure RPC with Netlogon could face interruptions, especially if they rely on unsigned or weakly signed traffic.
- The update enforces the use of channel binding tokens (CBTs) in certain configurations. If CIFS servers do not support CBT, they may encounter authentication failures.
Recommendations:
Enable Secure RPC:
- Configure CIFS servers to enforce secure RPC for Netlogon communication. This can typically be achieved by updating SMB or domain membership configurations.
Verify Domain Trusts:
- For environments with multiple domains or trust relationships, ensure all domain controllers are updated and that secure communication is enforced across the board.
Testing Phase:
- Deploy updates in a test environment and monitor for CIFS server functionality, particularly authentication workflows.
Review and Update Configuration:
- Use the guidelines in [KB5021130](https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25) to verify compliance with new security settings.
General Mitigation Steps:
Update CIFS Server Software:
- Ensure that the SMB/CIFS server software is up-to-date and compatible with modern AD authentication and Netlogon requirements.
Audit and Monitor Authentication Logs:
- Monitor event logs on domain controllers for Kerberos and Netlogon-related errors. Pay attention to events like:
- **Event ID 4768/4769**: Kerberos ticket requests.
- **Event ID 5829**: Netlogon secure channel issues.
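As an added example (not from the original answer or from Microsoft), the script below shows what such log monitoring looks like in practice: it scans Kerberos 4768/4769 events for tickets issued with weak encryption types (RC4/DES codes, which the November 2022 hardening targets) and collects hosts named in 5829 Netlogon secure channel events. The event lines, their flattened "Field: value" layout, and the host names are constructed sample data, not a real Windows export format.

```python
import re
from collections import defaultdict

# Kerberos encryption type codes as they appear in the "Ticket Encryption Type"
# field of Security events 4768/4769 (standard etype numbers from RFC 3961).
ETYPE_NAMES = {
    0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP",
}
# DES and RC4 are the types the hardening phases out; flag them.
WEAK_ETYPES = {0x01, 0x03, 0x17, 0x18}

# Constructed sample events: one per line, fields joined with " | ".
# This is an assumed flattened layout for the example, not a real export.
SAMPLE_EVENTS = """\
EventID: 4769 | Service Name: cifs/fs01.corp.example | Ticket Encryption Type: 0x17 | Client Address: ::ffff:10.0.0.5
EventID: 4769 | Service Name: cifs/fs02.corp.example | Ticket Encryption Type: 0x12 | Client Address: ::ffff:10.0.0.6
EventID: 4768 | Service Name: krbtgt | Ticket Encryption Type: 0x17 | Client Address: ::ffff:10.0.0.7
EventID: 4769 | Service Name: cifs/nas01.corp.example | Ticket Encryption Type: 0x17 | Client Address: ::ffff:10.0.0.8
EventID: 5829 | Machine Name: nas01 | Message: Netlogon allowed a vulnerable secure channel connection (constructed text)
EventID: 4769 | Service Name: cifs/fs01.corp.example | Ticket Encryption Type: 0x11 | Client Address: ::ffff:10.0.0.9
"""

def parse_event(line):
    """Split one flattened event line into a dict of field -> value."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields

def audit(text):
    """Return weak-etype ticket counts per service and hosts seen in 5829 events."""
    weak_by_service = defaultdict(int)
    netlogon_hosts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid in ("4768", "4769"):
            # Field is hex like "0x17"; normalise and compare against the weak set.
            etype = int(ev["Ticket Encryption Type"], 16)
            if etype in WEAK_ETYPES:
                weak_by_service[ev["Service Name"]] += 1
        elif eid == "5829":
            netlogon_hosts.append(ev["Machine Name"])
    return {"weak_etype_services": dict(weak_by_service),
            "netlogon_hosts": netlogon_hosts}

if __name__ == "__main__":
    for svc, n in audit(SAMPLE_EVENTS)["weak_etype_services"].items():
        print(f"{svc}: {n} ticket(s) with a weak etype; move this host to AES")
```

A service that still shows RC4 tickets after the update is the one to check with klist/ktpass before its authentication starts failing.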
Leverage Microsoft's Resources:
- Utilize Microsoft's troubleshooting tools like the "Kerberos Configuration Checker (KCC)" and security baselines to validate configurations.
Communicate with Vendors:
- If using third-party CIFS implementations, consult vendors for updates or patches ensuring compatibility with the latest AD security changes.
By following these recommendations and thoroughly testing your environment, you can mitigate potential disruptions to CIFS server functionality after applying these critical security updates. Let me know if you need more detailed assistance or technical guidance on any specific aspect!