Summary

The January 11, 2022, Windows updates and later Windows updates add protections for CVE-2022-21913.

After you install the January 11, 2022, Windows updates or later Windows updates, Advanced Encryption Standard (AES) encryption will be set as the preferred encryption method on Windows clients when you use the legacy Local Security Authority (Domain Policy) (MS-LSAD) protocol for trusted domain object password operations that are sent over a network. This is true only if AES encryption is supported by the server. If AES encryption is not supported by the server, the system will allow fallback to the legacy RC4 encryption.

Changes in CVE-2022-21913 are specific to the MS-LSAD protocol. They are independent of other protocols. MS-LSAD uses Server Message Block (SMB) over remote procedure call (RPC) and named pipes. Although SMB also supports encryption, it is not enabled by default. By default, the changes in CVE-2022-21913 are enabled and provide additional security at the LSAD layer. No additional configuration changes are required beyond installing the protections for CVE-2022-21913 that are included in the January 11, 2022, Windows updates and later Windows updates on all supported versions of Windows. Unsupported versions of Windows should be discontinued or upgraded to a supported version.

Note CVE-2022-21913 modifies only how trust passwords are encrypted in transit when you use specific APIs of the MS-LSAD protocol; it does not modify how passwords are stored at rest. For more information about how passwords are encrypted at rest in Active Directory and locally in the SAM database (registry), see Passwords technical overview.

More information

Changes made by the January 11, 2022, updates 

How the new behavior works

The existing LsarOpenPolicy2 method is typically used to open a context handle to the RPC server. This is the first function that must be called to contact the Local Security Authority (Domain Policy) Remote Protocol database. After you install these updates, the LsarOpenPolicy2 method is superseded by the new LsarOpenPolicy3 method. 

An updated client that calls the LsaOpenPolicy API will now call the LsarOpenPolicy3 method first. If the server is not updated and does not implement the LsarOpenPolicy3 method, the client falls back to the LsarOpenPolicy2 method and uses the previous methods that use RC4 encryption.

An updated server will return a new bit in the LsarOpenPolicy3 method response, as defined in LSAPR_REVISION_INFO_V1. For more information, see the "AES Cipher Usage" and "LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES" sections in MS-LSAD.

If the server supports AES, the client will use the new methods and new information classes for subsequent trusted domain "create" and "set" operations. If the server does not return this flag, or if the client is not updated, the client will fall back to using the previous methods that use RC4 encryption. 

Event logging

The January 11, 2022, updates add a new event to the security event log to help identify devices that are not updated, and to help improve security. 

Value               Meaning
Event source        Microsoft-Windows-Security
Event ID            6425
Level               Information
Event message text  A network client used a legacy RPC method to modify authentication information on a trusted domain object. The authentication information was encrypted with a legacy encryption algorithm. Consider upgrading the client operating system or application to use the latest and more secure version of this method.

Trusted Domain: 

  • Domain Name:
    Domain ID:

Modified By: 

  • Security ID:
    Account Name:
    Account Domain:
    Logon ID:

Client Network Address: 
RPC Method Name: 

For more information, go to https://go.microsoft.com/fwlink/?linkid=2161080.
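As an added example that is not part of the Microsoft article, the following PowerShell script queries an updated server's Security log for event 6425 and summarizes, per client network address and RPC method name, how often the legacy RC4 path was used and when it was last seen. It assumes it is run in an elevated session on the server that logs the event (for example, a domain controller). The article does not state the names of the EventData fields in the event XML, so the script reads them dynamically and locates the address and method columns by name pattern; that pattern match is an assumption, and the script falls back to printing every field if it does not hold.

```powershell
# Added example, not from the Microsoft article: summarize Security event 6425
# on an updated server to find clients that still take the RC4 (LsarOpenPolicy2)
# path. Run in an elevated PowerShell session on the server that logs the event;
# reading the Security log requires administrator rights.

param(
    [int]$Days = 30                     # how far back to look
)

# Filter server-side: Security log, event ID 6425, within the lookback window.
$filter = @{
    LogName   = 'Security'
    Id        = 6425
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises an error when nothing matches; treat that as "no hits".
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Host "No event 6425 in the last $Days days: no legacy RC4 trust-password operation was logged."
    return
}

# Flatten each event's <EventData> into one object. The <Data Name="..."> names in
# the XML payload are not given in the article, so they are read dynamically and
# the columns of interest are located by a name pattern (assumption).
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $row = [ordered]@{ TimeCreated = $e.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $row[$d.Name] = $d.'#text' }
    [pscustomobject]$row
}

$addrField   = ($rows[0].PSObject.Properties.Name | Where-Object { $_ -like '*Address*' }) | Select-Object -First 1
$methodField = ($rows[0].PSObject.Properties.Name | Where-Object { $_ -like '*Method*' })  | Select-Object -First 1

if (-not $addrField -or -not $methodField) {
    # Field naming assumption did not hold on this build: show every field so the
    # operator can pick the right columns manually.
    $rows | Format-List
    return
}

# One line per (client address, RPC method): who is still using the legacy path,
# how often, and when it was last seen.
$rows |
    Group-Object -Property $addrField, $methodField |
    ForEach-Object {
        [pscustomobject]@{
            ClientAddress = $_.Group[0].$addrField
            RpcMethod     = $_.Group[0].$methodField
            Count         = $_.Count
            LastSeen      = ($_.Group | Measure-Object -Property TimeCreated -Maximum).Maximum
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Save it under a name of your choosing (for example, a hypothetical Find-LegacyLsadClients.ps1) and run it with a longer window such as -Days 90 to cover infrequent trust-password operations. Because event 6425 is written only by updated servers, an empty result on a server that has not received the January 11, 2022, updates means nothing; confirm the update is installed first.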

Frequently Asked Questions (FAQ) 

Q1: What scenarios trigger a downgrade from AES to RC4? 

A1: A downgrade occurs if the server or client does not support AES.    

Q2: How can I tell whether RC4 encryption or AES encryption was negotiated? 

A2: Updated servers will log event 6425 when legacy methods that use RC4 are used.  

Q3: Can I require AES encryption on the server, and will future Windows updates programmatically enforce using AES? 

A3: There is currently no enforcement mode available. However, there might be in the future, although no such change is scheduled. 

Q4: Do third-party clients support protections for CVE-2022-21913 to negotiate AES when supported by the server? Should I contact Microsoft Support or the third-party support team to address this question?   

A4: If a third-party device or application is not using the MS-LSAD protocol, then this is not important. Third-party vendors that implement the MS-LSAD protocol might choose to implement this change. For more information, contact the third-party vendor.

Q5: Do any additional configuration changes have to be made?  

A5: No additional configuration changes are necessary.  

Q6: What uses this protocol?   

A6: The MS-LSAD protocol is used by many Windows components, including Active Directory and tools such as the Active Directory Domains and Trusts console. Applications might also use this protocol through advapi32 library APIs, such as LsaOpenPolicy or LsaCreateTrustedDomainEx.
