domain controllers Archives

Winsage

January 27, 2026

Microsoft Phases Out RC4 in Kerberos to Boost Security

Microsoft is phasing out the RC4 encryption method used in Kerberos to address vulnerability CVE‑2026‑20833, which allows attackers to exploit weak encryption for offline cracking of service account passwords. The transition timeline includes an initial phase starting January 13, 2026, with new Kerberos audit events and optional registry controls to identify RC4 usage. In April 2026, domain controllers will default to AES‑SHA1, disabling fallback to RC4. By July 2026, Microsoft will remove Audit mode and enforce Enforcement mode, eliminating RC4 from the Kerberos protocol. Organizations are advised to update Active Directory Domain Controllers, monitor System event logs for new audit events, address KDCSVC events, and activate Enforcement mode to enhance security against RC4-related vulnerabilities.

Winsage

December 19, 2025

Microsoft Phases Out RC4 Encryption by 2026 to Bolster Windows Security

Microsoft has announced the phased discontinuation of the RC4 encryption cipher, with full implementation expected by mid-2026. RC4, created in 1987, has been increasingly recognized as a vulnerability, exploited in various high-profile cyberattacks. Microsoft plans to disable RC4 by default in Windows Kerberos authentication, encouraging organizations to transition to more secure alternatives like AES-256. This decision follows years of warnings from the cybersecurity community and aims to eliminate long-standing cryptographic weaknesses. The transition will require organizations to audit and upgrade their infrastructures, as many legacy applications still depend on RC4. Disabling RC4 is expected to reduce the success rates of attacks exploiting weak encryption. Microsoft has introduced tools to help administrators identify hidden RC4 usage. The change reflects a commitment to zero-trust architectures and aligns with recommendations from organizations like NIST. Experts recommend a multi-step approach for organizations to navigate this transition effectively.

Winsage

December 10, 2025

Beyond RC4 for Windows authentication

Two new PowerShell scripts from the Microsoft Kerberos-Crypto GitHub repository have been introduced to enhance cybersecurity by streamlining the monitoring of Security Event logs on domain controllers. 1. List-AccountKeys.ps1: This script queries the Security Event Log for the Keys field, enumerating the keys associated with accounts in the event logs. It provides details such as the timestamp, account name, account type, and specific account keys. For example, it can show that accounts have access to keys like RC4, AES128-SHA96, AES256-SHA96, and AES128-SHA256. 2. Get-KerbEncryptionUsage.ps1: This script allows users to query events to determine which encryption types Kerberos utilized, revealing requests that employed AES256-SHA96. It also offers filtering options for specific encryption algorithms, such as RC4. Organizations can further enhance their security by using SIEM solutions like Microsoft Sentinel or built-in Windows event forwarding to query these logs.

Tech Optimizer

November 13, 2025

Emotet: The horse returns to a gallop more dangerous than ever

Emotet is a Trojan Horse malware that emerged in 2014, impacting over 1.6 million devices and originally designed to steal banking credentials. Developed by the MealyBug criminal organization, it evolved into a modular Trojan-dropper, enabling it to download various payloads and act as Malware-as-a-Service on the dark web. Emotet spreads primarily through spam emails, often using malicious Word or Excel files, and has been disseminated via local area networks and password-protected zip folders. The malware operates through botnets categorized into epochs, with Epochs 1, 2, and 3 dismantled in 2021 by a coordinated international operation. Following this, Emotet resurfaced in November 2021 as Epochs 4 and 5, incorporating a Cobalt Strike beacon for enhanced propagation. Recommended precautions include keeping software updated, using two-factor authentication, and educating employees about email threats. Network administrators are advised to block unscannable email attachments, configure specific email filters, and maintain secure backups.

Winsage

November 12, 2025

Windows Kernel 0-Day Vulnerability Actively Exploited in the Wild to Escalate Privileges

Microsoft has identified a vulnerability in its Windows operating system, designated as CVE-2025-62215, which allows for elevation of privilege within the Windows Kernel. This flaw is currently being exploited in real-world scenarios. Published on November 11, 2025, CVE-2025-62215 is classified as an Important issue and arises from a race condition and improper memory management leading to a double-free scenario. Exploiting this vulnerability requires a high complexity attack and can grant SYSTEM-level privileges to an attacker who is already an authorized user. The affected Windows versions include: - Windows 10 (various builds): KB5068858, November 12, 2025 - Windows 11 version 22H2: KB5068865, November 12, 2025 - Windows 11 version 23H2: KB5068862, November 12, 2025 - Windows 11 version 24H2: KB5068861, November 12, 2025 - Windows Server 2019: KB5068859, November 12, 2025 - Windows Server 2022: KB5068860, November 12, 2025 - Windows Server 2025: KB5068861, November 12, 2025 Organizations are urged to prioritize patching CVE-2025-62215, especially on servers and administrative workstations, as there are currently no workarounds available.

Winsage

November 12, 2025

Windows Kernel 0‑day Vulnerability Actively Exploited in the Wild to Escalate Privilege

Microsoft has identified a critical vulnerability, CVE-2025-62215, affecting the Windows Kernel, which is currently being exploited. This flaw, rated as Important, involves an elevation of privilege issue due to improper synchronization of shared resources, categorized under race condition (CWE-362) and double free (CWE-415). Exploitation requires high complexity and local authorization, allowing attackers to gain SYSTEM privileges for significant control over the system. The vulnerability affects various versions of Windows, including Windows 10, Windows 11 (multiple versions), and Windows Server (2019, 2022, and 2025), with patches released on November 12, 2025. Organizations are advised to prioritize swift patching and detection efforts, especially for servers and administrative workstations.

Winsage

October 22, 2025

Microsoft: Recent Windows updates cause login issues on some PCs

Microsoft has acknowledged a significant issue affecting Windows systems following updates released since August 29, 2025, which are causing authentication failures on devices with duplicate Security Identifiers (SIDs). SIDs are unique alphanumeric strings used by Windows to manage user and computer accounts. The updates enforce checks on SIDs, leading to authentication failures, particularly impacting Windows 11 24H2, Windows 11 25H2, and Windows Server 2025. Users may experience failed remote desktop connections, "Access denied" errors, and failed login attempts despite valid credentials, along with SECENO_CREDENTIALS errors in the Event Viewer. Duplicate SIDs often arise from cloning Windows installations without proper preparation using the Sysprep tool. Microsoft recommends rebuilding systems with duplicate SIDs using supported methods and offers a temporary workaround through a specific Group Policy.

Winsage

October 16, 2025

Microsoft’s October 2025 Patches Disrupt Active Directory Sync on Server 2025 Systems

Microsoft has acknowledged a significant issue affecting Windows Server 2025 systems, particularly after the installation of the October 2025 security updates. This issue disrupts Active Directory directory synchronization, especially impacting organizations with large security groups exceeding 10,000 members. The synchronization failures affect applications relying on DirSync for on-premises Active Directory Domain Services and particularly impact those using Microsoft Entra Connect Sync to link on-premises directories with cloud services. The problem was first noted on October 14, 2025, after the installation of the September 2025 Windows security update (KB5065426). A temporary workaround involves modifying the Windows registry by creating a DWORD value named 2362988687 with a value of 0 under the FeatureManagement Overrides section at HKEYLOCALMACHINE. Microsoft cautions that incorrect registry changes can lead to severe complications. There is no definitive timeline for a permanent fix, and the issue is limited to Windows Server 2025, with no similar problems reported for earlier server editions or client versions of Windows. Organizations using Windows Server 2022 or older are unaffected. Administrators should assess synchronization needs before deploying the October 2025 updates and monitor for updates regarding a permanent resolution.

Winsage

October 16, 2025

Patch Tuesday: Windows 10 end of life pain for IT departments

Microsoft has ceased support for Windows 10 and released a significant Patch Tuesday update addressing several zero-day vulnerabilities, including CVE-2025-24990, which involves a legacy device driver that has been completely removed from Windows. This driver, the Agere Modem driver (ltmdm64.sys), supports hardware from the late 1990s and early 2000s and has not kept pace with modern security practices. The removal of the driver is a strategic decision to reduce security risks associated with outdated components, as patching such legacy code can lead to instability and may not effectively resolve vulnerabilities. Another vulnerability addressed in the update is CVE-2025-2884, related to the Trusted Platform Module (TPM) 2.0 reference implementation. Additionally, CVE-2025-49708, a critical vulnerability in the Microsoft Graphics Component with a CVSS score of 9.9, poses severe risks by allowing a full virtual machine escape, enabling attackers to gain system privileges on the host server from a low-privilege guest VM. Security experts recommend prioritizing patches for this vulnerability to maintain the integrity of virtualization security.

Winsage

October 15, 2025

Patch Tuesday: Windows 10 end of life pain for IT departments

The conclusion of support for Windows 10 has led to the discovery of several zero-day vulnerabilities, including CVE-2025-24990, which involves a legacy device driver that Microsoft has removed. This driver, associated with the Agere Modem, has not been updated to meet modern security standards and is actively exploited by attackers. Microsoft opted to remove the driver rather than patch it, as patching could lead to system instability. Another vulnerability, CVE-2025-2884, relates to the Trusted Platform Module (TPM) 2.0, with Microsoft treating it as a zero-day despite its involvement with the Trusted Computing Group. Additionally, CVE-2025-49708, a flaw in the Microsoft Graphics Component, has a CVSS score of 9.9 and allows attackers to escape from a guest virtual machine to the host operating system, posing significant security risks.