[gull] Security hardening for Microsoft RPC Netlogon protocol

Félix Hauri felix at f-hauri.ch
Thu Jul 17 08:47:56 CEST 2025 

J'ai trouvé:

 - July 8, 2025—KB 5062572 (OS Build 20348.3932) 
   https://support.microsoft.com/en-us/topic/july-8-2025-kb-5062572-os-build-20348-3932-d78a2b2a-1ce8-45ee-85a0-e51a897ec67f 
   [Microsoft RPC Netlogon protocol] This update includes a security 
   hardening change to the Microsoft RPC Netlogon protocol. This change 
   improves security by tightening access checks for a set of remote 
   procedure call (RPC) requests. *>*>*After this update is installed, 
   Active Directory domain controllers will no longer allow anonymous 
   clients to invoke some RPC requests through the Netlogon RPC 
   server.*<*<* These requests are typically related to domain controller 
   location. Certain file and print service software can be affected, 
   including Samba. If your organization uses Samba, please refer to the 
   Samba release notes. ​​​​​​​

   Que, à priori cela concerne les requêtes anonymes...

Mais en trouvant cela, j'ai aussi vu ça:

   Windows Secure Boot certificate expiration
   Important: Secure Boot certificates used by most Windows devices are 
   set to expire starting in June 2026. This might affect the ability of 
   certain personal and business devices to boot securely if not updated 
   in time. To avoid disruption, we recommend reviewing the guidance and 
   taking action to update certificates in advance. For details and 
   preparation steps, see Windows Secure Boot certificate expiration and 
   CA updates.

 - Windows Secure Boot certificate expiration and CA updates
   https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e

   Important When the 2011 CAs expire, Windows devices that do not have 
   new 2023 certificates can no longer receive security fixes for 
   pre-boot components compromising Windows boot security.

   Important Without updates, the Secure Boot-enabled Windows devices 
   risk not receiving security updates or trusting new boot loaders 
   which will compromise both serviceability and security.

Le bug de l'an prochain!!

Le Wed, Jul 16, 2025 at 02:48:52PM +0000, TISSOT Jacques via gull a écrit :
> Bonjour,
> 
> Il y a prochainement (fin juillet, je crois) un nouveau dispositif de sécurité sur les contrôleurs de domaine AD.
> 
> Quelqu'un peut-il m'orienter sur l'implication Samba installé sur une Debian Bookworm (Samba V4.17) ? Que devrais-je vérifier dans ma config pour constater que cela me concerne ?
> 
> Merci pour votre aide
> 
> Meilleures salutations
> 
> Jacques

-- 
 Félix Hauri  -  <felix at f-hauri.ch>  -  http://www.f-hauri.ch

More information about the gull mailing list