Powershell

Create and Configure PacRequestorEnforcement Registry Key with PowerShell

Check and Create PacRequestorEnforcement Registry Key with PowerShell. Configuring Deployment or Enforcement Mode with PowerShell

Highlights

  • Disabled – Represented by a 0 in the value for the PacRequestorEnforcement DWORDDeployment Mode – Represented by a 1 in the value for the PacRequestorEnforcement DWORDEnforcement Mode – Represented by a 2 in the value for the PacRequestorEnforcement DWORD.
  • Until then, I have written a quick PowerShell script to check for the presence of the registry key and then set the value of the new registry key to the relevant value you want to configure.
  • Starting with the rollout of the November 2021 security patches, Microsoft has introduced a new registry key that controls the behavior of your domain controllers until the July 12, 2021 patches are rolled out when the key will be eliminated.

As a follow-up to the news that Microsoft is rolling out a new Kerberos configuration change to remediate security vulnerability CVE-2021-42287. Starting with the rollout of the November 2021 security patches, Microsoft has introduced a new registry key that controls the behavior of your domain controllers until the July 12, 2021 patches are rolled out when the key will be eliminated. Until then, I have written a quick PowerShell script to check for the presence of the registry key and then set the value of the new registry key to the relevant value you want to configure. The key value affects how the domain controllers handle the PAC validation. Let’s see how to create and configure PacRequestorEnforcement registry key with PowerShell.

You can read my initial blog post covering the details of this new key here:

PacRequestorEnforcement registry key

Microsoft has created a specialized registry key to go along with the remediation for CVE-2021-42287 that controls how the new PAC security information is validated and enforced. The vulnerability involves the Kerberos Privilege Attribute Certificate (PAC) and allows potential attackers to impersonate domain controllers.

With the new process, Microsoft has added information to the PAC to validate the original requestor to validate they are who they say they are. The new registry key controls the action the domain controller takes in scrutinizing this new PAC information. Read the official information covering the registry key and Event Log entries here:

There are essentially three settings:

  • Disabled – Represented by a 0 in the value for the PacRequestorEnforcement DWORD
  • Deployment Mode – Represented by a 1 in the value for the PacRequestorEnforcement DWORD
  • Enforcement Mode – Represented by a 2 in the value for the PacRequestorEnforcement DWORD

Microsoft does not recommend configuring the registry key with a 0 value for Disabled. They instead recommend using the 1 option. With the registry key set to 1, your domain controller will only log the missing PAC information in the SYSTEM log with new log entries for the new functionality. These will be logged as warnings as shown below:

Warning in the SYSTEM log from the PacRequestorEnforcement registry key set to 1
Warning in the SYSTEM log from the PacRequestorEnforcement registry key set to 1

To control the behavior, you need to manually create the PacRequestorEnforcement DWORD manually and set the relevant configuration setting for your environment.

Create and Configure PacRequestorEnforcement Registry Key with PowerShell

The following PowerShell script checks for the presence of the DWORD and also configures the setting as a default to 1. The script does not allow setting the value to 0 as this is not recommended by Microsoft. If you rerun the script it will also allow changing the value from 1 to 2 and then from 2 to 1 if you want to go either direction.

You can clone the script from my Github repo here:

# Script to check for the existence of the PacRequestorEnforcement registry key and create it
# It will also allow changing the configured value to reflect the settings defined from Microsoft
# Disable - 0
# Deployment Mode - 1
# Enforcement Mode - 2


try { 
         
    Write-Host "Checking the registry for the presence of the PacRequestorEnforcement" -ForegroundColor Yellow 
    $regkeypath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $valuename = 'PACRequestorEnforcement'
    $check = (Get-ItemProperty $regkeypath).PSObject.Properties.Name -contains $valuename
         
    if ($check -ne $null -and $check -ne 'true') { 
        try { 
             
            Write-Warning "Your Domain Controller does not have the PACRequestorEnforcement Registry Key. Would you like to add it and set value to 1?" -WarningAction Inquire 

            $Name = "PacRequestorEnforcement"

            $value = "1"

            New-ItemProperty -Path $regkeypath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null            
            Write-Host "Your Domain Controller now has the PacRequestorEnforcement registry key" -ForegroundColor Green 

        } 
        catch { 
            Write-Host "You chose not to implement the PacRequestorEnforcement registry key" -ForegroundColor Red 
        } 
    }     
    else { 

        $pacvalue = (Get-ItemProperty -Path $regkeypath -Name $valuename).$valuename 


        Write-Host "Your Domain Controller already has the PacRequestorEnforcement DWORD and is set to $pacvalue" -ForegroundColor Green

        if ($pacvalue -eq "2") {

            Write-Warning "Your Domain Controller has the PacRequestorEnforcement DWORD set to 2. Would you like to set the value back to 1 for audit-only" -WarningAction Inquire
        
            $Name = "PacRequestorEnforcement"

            $value = "1"

            New-ItemProperty -Path $regkeypath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null            
            Write-Host "Your Domain Controller now has the PacRequestorEnforcement DWORD set to 1 - Deployment/Audit mode" -ForegroundColor Green

        }

        if ($pacvalue -eq "1") {

            Write-Warning "Your Domain Controller has the PacRequestorEnforcement DWORD set to 1. Would you like to set the value to 2 for enforcement mode?. Make sure you are doing this consistently across your DCs." -WarningAction Inquire
        
            $Name = "PacRequestorEnforcement"

            $value = "2"

            New-ItemProperty -Path $regkeypath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null            
            Write-Host "Your Domain Controller now has the PacRequestorEnforcement DWORD set to 2 - Enforcement mode" -ForegroundColor Yellow


        }


    }    
    
    
     
} 
         
catch { 
    Write-Host "Error running the script" -ForegroundColor Red 
}

Wrapping Up

The new PacRequestorEnforcement registry key is the current way organizations can control the behavior of how domain controllers scrutinize and enforce the new PAC information added for remediating CVE-2021-42287. Using the script, you can create and configure PacRequestorEnforcement registry key with PowerShell to ensure it is introduced consistently and in an automated fashion.

Subscribe to VirtualizationHowto via Email đŸ””

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.