Hardening is a key element of our ongoing security strategy to help keep your estate protected while you focus on your job. Increasingly creative cyberthreats target weaknesses anywhere possible, from the chip to the cloud. Have you seen our publications on hardening on the Windows message center? Some of those recently enforced include DCOM authentication hardening and Netjoin: domain join hardening. Let's review vulnerable areas that are undergoing hardening in the upcoming months.
Editor's note: This article will be updated over time to provide the latest information about hardening changes and timelines. Last updated: November 27, 2023.
Hardening changes at a glance
Review the visual timeline to focus on the specific changes that are of interest to you. Find the details for each phase below.
Figure: A visual timeline of the hardening changes taking place in 2023.
Hardening changes by month
Consult the details for all upcoming hardening changes by month to help you plan for each phase and final enforcement.
Netlogon protocol changes KB5021130 | Phase 2: Initial enforcement. Removes the ability to disable RPC sealing by setting the RequireSeal registry subkey to 0.
Netlogon protocol changes KB5021130 | Phase 3: Enforcement by default. The RequireSeal subkey moves to Enforcement mode unless you explicitly configure it for Compatibility mode.
Kerberos PAC Signatures KB5020805 | Phase 3: Removes the ability to disable PAC signature addition by setting the KrbtgtFullPacSignature subkey to a value of 0.
Editor's note 11.27.2023: The description of Phase 4 of the Netlogon protocol changes now reflects the official documentation.
Netlogon protocol changes KB5021130 | Phase 4: Final enforcement. The Windows updates released on July 11, 2023 will remove the ability to set the RequireSeal registry subkey to 1. This enables the Enforcement phase of CVE-2022-38023.
Kerberos PAC Signatures KB5020805 | Phase 4: Enforcement mode as default (KrbtgtFullPacSignature = 3), which you can override with an explicit Audit setting.
Kerberos PAC Signatures KB5020805 | Phase 5: Final, full enforcement.
Active Directory (AD) permissions issue KB5008383 | Phase 5: Final enforcement.
Figure: A visual timeline of the hardening changes taking place in 2024.