Client PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056

Anonymous
2025-02-10T18:55:43+00:00

This article does not mention whether registry settings on Windows clients need to be made to TEST ENFORCEMENT.

Do they just need Windows Updates April 9, 2024 and later?

https://support.microsoft.com/en-us/topic/how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1

Is this REG key supposed to be 3 or 4?

CrossDomainFilteringLevel

| Registry Subkey | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters |
| --- | --- |
| Value | CrossDomainFilteringLevel |
| Data Type | REG_DWORD |
| Data | 2 = Default (Compatibility with unpatched environment); 4 = Enforce |
| Restart Required? | |


2 answers

  1. Anonymous
    2025-02-11T07:27:29+00:00

    Hello

    Regarding the PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056, as described in the article from Microsoft, the enforcement behavior depends on the registry setting you apply, and whether the client has received the appropriate updates.

    Windows Updates and PAC Validation

    For testing enforcement (to assess the new PAC validation behavior), Windows clients need Windows Updates from April 9, 2024, or later. The updates address the vulnerabilities and bring in the changes for PAC (Privilege Attribute Certificate) validation.

    However, to enable enforcement (not just test it), you must adjust the CrossDomainFilteringLevel registry setting. The setting is used to control the level of filtering applied when validating PACs for cross-domain Kerberos requests.

    Registry Setting: CrossDomainFilteringLevel

    The registry key you're referring to is located at:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    The specific value for CrossDomainFilteringLevel should be a REG_DWORD type.

    Default (Compatibility with unpatched environments):

    Data: 2
    This setting is for environments that have not been patched or when compatibility is needed with older systems that do not support the new enforcement behavior.

    Enforce (Enabling enforcement of PAC validation changes):

    Data: 4
    This setting forces the new PAC validation behavior to be applied, enforcing the changes and ensuring stricter security checks according to the fixes introduced by the vulnerabilities.

    Summary:

    Do you need registry settings to test enforcement? Yes, to test enforcement of the PAC validation changes, the CrossDomainFilteringLevel registry value needs to be set to 4 (to enforce the changes). If you want to keep the compatibility mode (default), it should be set to 2.

    Do you need just the updates from April 9, 2024, or later? The updates are required for the client to be aware of the vulnerabilities and the fixes. However, enforcing the validation changes requires setting the registry key to 4. If you don't want to enforce it immediately, you can leave the registry key at 2.

    Restart Requirement:

    After making changes to the CrossDomainFilteringLevel registry key, a restart of the client machine is required for the changes to take effect.

    I hope the above information is helpful to you.

    Best regards

    Runjie Zhai

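An added audit snippet for the registry value discussed in the answer above (example code written for this page, not from Microsoft or the thread). It reads CrossDomainFilteringLevel from the subkey named in the thread, maps the documented data values 2 and 4 to their modes, and offers a helper that writes the value as REG_DWORD; the Get-HotFix date filter is only a rough heuristic for "updates from April 9, 2024 or later" and is an assumption, not a check for a specific KB.

```powershell
# Added example: audit the PAC validation setting described in the thread.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName  = 'CrossDomainFilteringLevel'

function Get-PacValidationMode {
    # Returns the current value and a human-readable mode.
    $item = Get-ItemProperty -Path $KerbParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the thread states 2 (compatibility) is the default.
        return [pscustomobject]@{ Value = $null; Mode = 'Not set (default = compatibility, per the thread)' }
    }
    $v = [int]$item.$ValueName
    $mode = switch ($v) {
        2       { 'Compatibility (default, unpatched environments)' }
        4       { 'Enforce' }
        default { "Unrecognised value $v (thread documents only 2 and 4)" }
    }
    [pscustomobject]@{ Value = $v; Mode = $mode }
}

function Set-PacValidationLevel {
    # Writes the value as REG_DWORD; needs an elevated prompt, reboot afterwards.
    param([Parameter(Mandatory)][ValidateSet(2, 4)][int]$Level)
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    Set-ItemProperty -Path $KerbParams -Name $ValueName -Value $Level -Type DWord
    Write-Host "$ValueName set to $Level. Restart required for the change to take effect."
}

function Test-RecentUpdateHeuristic {
    # Assumption: any hotfix installed on/after 2024-04-09 is a weak signal that the
    # April 2024 cumulative update (or later) is present. Verify the actual KB separately.
    $cutoff = [datetime]'2024-04-09'
    $recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $cutoff }
    [pscustomobject]@{ HasUpdateSinceApril2024 = [bool]$recent; Count = @($recent).Count }
}

Get-PacValidationMode      | Format-List
Test-RecentUpdateHeuristic | Format-List
# To move to enforcement after testing:  Set-PacValidationLevel -Level 4
```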
  2. Anonymous
    2025-02-11T11:57:21+00:00

    So the registry entries are needed on BOTH the SERVER side and the CLIENT side to test enforcement then?
