Windows Updates – Netlogon RPC Sealing

Microsoft is preparing to release the second phase of its security update for this vulnerability (CVE-2022-38023) in July. Until then, system administrators have been able to work around the patch by enabling compatibility mode on the Windows systems themselves, without having to worry about the storage backend. Once the new update is installed on the Windows devices in July, all file shares still relying on Netlogon/NTLM will simply stop working. Storage solutions hosting the shares will be forced to negotiate authentication using Kerberos instead of Netlogon/NTLM, and this is the key to making sure that all shares remain accessible after the patch is installed.

Summary: NTLM authentication fails due to enforcement of Netlogon RPC sealing

Windows workaround: Set the “RequireSeal” registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters to “1” in order to enable “Compatibility Mode”.

Note that the above workaround will only work until July 11, 2023. In the July 11, 2023 patch update from Microsoft, the ability to configure “Compatibility mode” will be removed, and the only solution at that time will be to make sure that your storage is running a code version new enough to support the newer protocol security requirements.

Solution: Ensuring clients utilize Kerberos authentication will avoid dependency on Netlogon/NTLM domain authentication.
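
A check an administrator could run on a domain controller before the July update, added here as an example and not part of the original page: it reports the current RequireSeal setting and lists recent Netlogon events for clients still using RPC signing or RC4. The 0/1/2 value meanings and event IDs 5838 to 5841 are taken from Microsoft's KB5021130 guidance for CVE-2022-38023; the function names are hypothetical.

```powershell
# Added example, not from the original page. Run in an elevated session on a domain controller.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-RequireSealMode {
    param([string]$Path = $NetlogonParams)
    # RequireSeal is absent unless an administrator has created it.
    $item = Get-ItemProperty -Path $Path -Name 'RequireSeal' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Mode = 'Not set (installed update decides)' }
    }
    # Value meanings per Microsoft KB5021130; the page itself only describes 1.
    $mode = switch ([int]$item.RequireSeal) {
        0       { 'Disabled' }
        1       { 'Compatibility mode' }
        2       { 'Enforcement mode' }
        default { 'Unrecognized value' }
    }
    [pscustomobject]@{ Value = $item.RequireSeal; Mode = $mode }
}

function Get-NetlogonSealingEvent {
    param([int]$Days = 30)
    # Event IDs per KB5021130:
    #   5838 client used RPC signing instead of sealing
    #   5839 trust used RPC signing instead of sealing
    #   5840 secure channel created with RC4
    #   5841 RC4 client denied (RejectMd5Clients)
    $filter = @{
        LogName   = 'System'
        Id        = 5838, 5839, 5840, 5841
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -eq 'NETLOGON' }
}

$mode   = Get-RequireSealMode
$events = @(Get-NetlogonSealingEvent -Days 30)
"RequireSeal = $($mode.Value) ($($mode.Mode))"
"Netlogon signing/RC4 events in the last 30 days: $($events.Count)"

# Count per event ID, then show the newest entries; the message text describes the client involved.
$events | Group-Object Id | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize
$events | Sort-Object TimeCreated -Descending | Select-Object -First 10 TimeCreated, Id, Message | Format-List
```

Any storage system that appears in these events is still negotiating Netlogon with signing or RC4 and is a candidate for the Kerberos change described above.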

Microsoft CVE-2022-38023

What is RPC signing and RPC sealing?

RPC signing is when the Netlogon protocol uses RPC to sign the messages it sends over the wire. RPC sealing is when the Netlogon protocol both signs and encrypts the messages it sends over the wire.

What is Netlogon?

In a Windows NT operating system-compatible network security environment, Netlogon is the component responsible for synchronization and maintenance functions between a primary domain controller (PDC) and backup domain controllers (BDC). Netlogon is a precursor to the directory replication server (DRS) protocol. The Netlogon Remote Protocol remote procedure call (RPC) interface is primarily used to maintain the relationship between a device and its domain, and relationships among domain controllers (DCs) and domains.

What is RC4-HMAC?

RC4-HMAC (RC4) is a variable key-length symmetric encryption algorithm.