How to manually set RequireSeal registry key to Compatibility Mode
The November 8, 2022 and later Windows updates address weaknesses in the Netlogon protocol when RPC signing is used instead of RPC sealing. More information can be found in CVE-2022-38023.
The Netlogon Remote Protocol remote procedure call (RPC) interface is primarily used to maintain the relationship between a device and its domain, and relationships among domain controllers (DCs) and domains.
This update protects Windows devices from CVE-2022-38023 by default. For third-party clients and third-party domain controllers, the update is in Compatibility mode by default and allows vulnerable connections from such clients. Refer to the Registry Key settings section for steps to move to Enforcement mode.
To help secure your environment, install the Windows update that is dated November 8, 2022 or a later Windows update to all devices, including domain controllers.
Important: Starting June 2023, Enforcement mode will be enabled on all Windows domain controllers and will block vulnerable connections from non-compliant devices. At that time, you will not be able to disable the update, but you may move back to the Compatibility mode setting. Compatibility mode will be removed in July 2023, as outlined in the Timing of updates to address CVE-2022-38023 section.
Timing of updates to address CVE-2022-38023
Updates will be released in several phases: the initial phase for updates released on or after November 8, 2022 and the Enforcement phase for updates released on or after July 11, 2023.
The initial deployment phase starts with the updates released on November 8, 2022 and continues with later Windows updates until the Enforcement phase. Windows updates on or after November 8, 2022 address the security bypass vulnerability of CVE-2022-38023 by enforcing RPC sealing on all Windows clients.
By default, devices will be set in Compatibility mode. Windows domain controllers will require that Netlogon clients use RPC seal if they are running Windows, or if they are acting as either domain controllers or as trust accounts.
The Windows updates released on or after April 11, 2023 will remove the ability to disable RPC sealing by setting the RequireSeal registry subkey to 0.
The RequireSeal registry subkey will be moved to Enforced mode unless Administrators explicitly configure it to Compatibility mode. Vulnerable connections from all clients, including third-party clients, will be denied authentication. See Change 1.
The Windows updates released on July 11, 2023 will remove the ability to set the RequireSeal registry subkey to 1. This enables the Enforcement phase of CVE-2022-38023.
Registry Key settings
After the Windows updates that are dated on or after November 8, 2022 are installed, the following registry subkey is available for the Netlogon protocol on Windows domain controllers.
RequireSeal subkey
| Setting | Value |
|---|---|
| Registry key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters |
| Value | RequireSeal |
| Data type | REG_DWORD |
| Data | 0 = Disabled; 1 = Compatibility mode: Windows domain controllers will require that Netlogon clients use RPC Seal if they are running Windows, or if they are acting as either domain controllers or trust accounts; 2 = Enforcement mode: all clients are required to use RPC Seal |
| Restart required? | No |
- In Registry Editor, navigate to “Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters”.
- Right-click in the right-hand pane and, from the context menu, choose “New”, then “DWORD (32-bit) Value”.
- Name the new DWORD “RequireSeal” and press Enter.
  Note: It is very important to ensure that the R and S are capitalized and that there is no space; otherwise the key will not be recognized.
- Next, double-click the new value to open the editor, set “Value data:” to 1, and then click “OK”.
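The same change from an elevated PowerShell prompt, as an added example that is not part of the original post: it writes the RequireSeal value documented above under the Netlogon Parameters key and reads it back to confirm. The function name is my own; the path, value name and data values are the ones given in the table.

```powershell
# Added example (not from the original post): set Netlogon RequireSeal and verify it.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-NetlogonRequireSeal {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Compatibility', 'Enforcement')]
        [string]$Mode
    )

    # 1 = Compatibility mode, 2 = Enforcement mode. 0 (Disabled) is not offered because
    # DCs patched on or after April 11, 2023 no longer honour it.
    $data = @{ Compatibility = 1; Enforcement = 2 }[$Mode]

    if (-not (Test-Path $NetlogonParams)) {
        throw "Netlogon parameters key not found: $NetlogonParams"
    }

    if ($PSCmdlet.ShouldProcess("$NetlogonParams\RequireSeal", "Set to $data ($Mode)")) {
        # -PropertyType DWord creates a REG_DWORD; -Force overwrites an existing value.
        New-ItemProperty -Path $NetlogonParams -Name 'RequireSeal' `
            -PropertyType DWord -Value $data -Force | Out-Null

        # Read the value back; no restart is needed for Netlogon to pick it up.
        $current = (Get-ItemProperty -Path $NetlogonParams -Name 'RequireSeal' -ErrorAction Stop).RequireSeal
        if ($current -ne $data) {
            throw "RequireSeal read back as $current, expected $data"
        }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; RequireSeal = $current; Mode = $Mode }
    }
}

# Preview the change on this DC, then apply Compatibility mode (value 1).
Set-NetlogonRequireSeal -Mode Compatibility -WhatIf
Set-NetlogonRequireSeal -Mode Compatibility
```

Run it on each domain controller; passing `-Mode Enforcement` writes 2 instead, which is what the July 2023 updates enforce regardless.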
- The Netlogon service encountered a trust using RPC signing instead of RPC sealing.
- Unable to access a CIFS share via NTLM authentication using the IP address. Note: Access via FQDN or hostname may work.
- The Domain Controller (DC) Windows Event log shows an ERROR for Event ID 5838 for the affected SVM and references the Windows OS:
Log Name: System
Source: NETLOGON
Date: 06/16/2023 8:06:11 AM
Event ID: 5838
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Windowstechno.local
Description:
The Netlogon service encountered a client using RPC signing instead of RPC sealing.
Machine SamAccountName: CIFSNT01
Domain: Windowstechno.local.
Account Type: Domain Member
Machine Operating System: Windows 10 Enterprise
Machine Operating System Build: 10.0 (19044)
Machine Operating System Service Pack: N/A
Client IP Address: Unknown IP
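To find every client a DC has logged this way before Enforcement mode starts refusing them, here is an added example (not from the original post) that parses the Event ID 5838 description shown above, and its trust counterpart Event ID 5839, out of the System log and summarises the offending accounts. Function names are my own; the field labels are those in the event text.

```powershell
# Added example (not from the original post): inventory Netlogon clients still using RPC signing.
function ConvertFrom-NetlogonSealEvent {
    param([Parameter(Mandatory)][string]$Message)

    # Fields are "Label: value". The first label follows the sentence with no newline
    # ("...sealing.Machine SamAccountName: ..."), so do not anchor to line start.
    function Get-Field([string]$Label) {
        if ($Message -match "$Label\s*:\s*(?<v>[^\r\n]+)") { $Matches.v.Trim() } else { 'n/a' }
    }
    [pscustomobject]@{
        Account  = Get-Field 'Machine SamAccountName'
        Domain   = (Get-Field 'Domain').TrimEnd('.')
        Type     = Get-Field 'Account Type'
        OS       = Get-Field 'Machine Operating System'
        Build    = Get-Field 'Machine Operating System Build'
        ClientIP = Get-Field 'Client IP Address'
    }
}

function Get-NetlogonSigningClients {
    param([int]$Days = 30)
    # 5838 = client using RPC signing, 5839 = trust using RPC signing; both from source NETLOGON.
    $filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5838, 5839
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = ConvertFrom-NetlogonSealEvent -Message $_.Message
            $f | Add-Member -NotePropertyName Time -NotePropertyValue $_.TimeCreated -PassThru |
                 Add-Member -NotePropertyName EventId -NotePropertyValue $_.Id -PassThru
        } |
        Group-Object Account | ForEach-Object {
            # One row per account: latest details plus how often it was seen.
            $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
            [pscustomobject]@{ Account = $_.Name; Domain = $latest.Domain; Type = $latest.Type
                               OS = "$($latest.OS) $($latest.Build)"; Events = $_.Count
                               LastSeen = $latest.Time }
        } | Sort-Object Events -Descending
}

# Offline check using the description quoted above (constructed sample string, not a live log).
$sample = "The Netlogon service encountered a client using RPC signing instead of RPC sealing.Machine SamAccountName: CIFSNT01`r`n" +
          "Domain: Windowstechno.local.`r`nAccount Type: Domain Member`r`nMachine Operating System: Windows 10 Enterprise`r`n" +
          "Machine Operating System Build: 10.0 (19044)`r`nMachine Operating System Service Pack: N/A`r`nClient IP Address: Unknown IP"
ConvertFrom-NetlogonSealEvent -Message $sample

# On a domain controller: accounts still using RPC signing in the last 30 days.
Get-NetlogonSigningClients | Format-Table -AutoSize
```

Run it against every DC (for example with `Invoke-Command`), since each DC only logs the clients that authenticated through it.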
So, that’s all in this blog. I will meet you soon with the next one. Have a nice day!