SamrUnicodeChangePasswordUser4 (OpNum 73)įor complete list of MS-SAMR OpNums, see Message Processing Events and Sequencing Rules. SamrUnicodeChangePasswordUser2 (OpNum 55)
The updates modify password change pattern of the protocol by adding a new password change method that will use AES. For more information about how passwords are encrypted at rest in Active Directory and locally in the SAM Database (registry), see Passwords Overview. Note CVE-2021-33757 only modifies how passwords are encrypted in-transit when using specific APIs of the MS-SAMR protocol and specifically DO NOT modify how passwords are stored at rest. Unsupported versions of Windows should be discontinued or upgraded to a supported version. No additional configuration changes are required beyond installing protections for CVE-20201-33757 included in the JWindows updates or later Windows updates on all supported versions of Windows. By default, the changes in CVE-20201-33757 are enabled and provide additional security at the SAM layer. Although SMB also supports encryption, it is not enabled by default.
MS-SAMR uses SMB over RPC and named pipes. If AES encryption is not supported by the SAM server, fallback to the legacy RC4 encryption will be allowed.Ĭhanges in CVE-20201-33757 are specific to the MS-SAMR protocol and are independent of other authentication protocols. The JWindows updates and later Windows updates add protections for CVE-2021-33757.Īfter installing the JWindows updates or later Windows updates, Advanced Encryption Standard (AES) encryption will be the preferred method on Windows clients when using the legacy MS-SAMR protocol for password operations if AES encryption is supported by the SAM server.
#Does ncp secure entry client support aes 256 encryption update#
KB5004605: Update adds AES encryption protections to the MS-SAMR protocol for CVE-2021-33757 Summary
0 kommentar(er)
