Microsoft recently released a patch for CVE-2020-1472, a flaw in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC). As noted on a Secura blog, an unauthenticated attacker with network access to a domain controller could exploit this vulnerability, dubbed Zerologon, to compromise all Active Directory (AD) identity services. The attacker needs no credentials to gain privileges on the network, only network access to a domain controller. Install this update on your domain controllers as soon as possible if you have not done so already.
The Netlogon Remote Protocol is a remote procedure call (RPC) interface available on Windows domain controllers. It’s used to facilitate users logging into servers using the NTLM protocol. As Secura notes in its whitepaper, “By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD. This can then be used to obtain domain admin credentials and then restore the original DC password. This attack has a huge impact: it basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain.”
The US Cybersecurity and Infrastructure Security Agency (CISA) warns that exploit code for this vulnerability has been released to the web, and Microsoft reports that it has already observed attacks where those public exploits have been used.
While Microsoft has patched CVE-2020-1472, you need to perform additional steps to be fully protected, especially where non-Microsoft platforms interact with your domain controllers. Installing the August 11 (or later) security updates on your domain controllers is the only step required right now, but it is not the last one. With the patch installed, you are protected if your network contains only supported Windows devices. Non-Microsoft devices that do not support secure RPC can still expose your domain to attack, which is why Microsoft will enforce secure RPC usage for accounts on non-Windows devices in February 2021.
As Microsoft notes in its documentation, phase two starts with the February 9, 2021 updates where enforcement mode will be enabled on all Windows domain controllers, regardless of the registry or Group Policy settings. Domain controllers will deny vulnerable connections from all non-compliant devices unless they are added to the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.
August Netlogon patch details
The current phase one release from this August enforces secure RPC usage for:
- Machine accounts on Windows-based devices
- Trust accounts
- All Windows and non-Windows DCs
It also includes a new group policy to allow device accounts that use vulnerable Netlogon secure channel connections. Even when DCs are running in enforcement mode or after the enforcement phase starts, allowed devices will not be refused connection.
A new FullSecureChannelProtection registry key enables DC enforcement mode for all machine accounts. It also adds new events for accounts that are denied or would be denied in the DC enforcement mode (and will continue in the Enforcement phase). The specific event IDs are explained later.
The patches change the Netlogon protocol to protect Windows devices by default, log events to help you discover non-compliant devices, and add the ability to enable protection for all domain-joined devices with explicit exceptions.
After patching, review domain controller event logs
Once you’ve installed the August 2020 (or later) updates, review the event logs in the domain controller for the following events in the system event log:
- Event IDs 5827 (machine accounts) and 5828 (trust accounts) when a vulnerable connection is denied
- Event IDs 5830 (machine accounts) and 5831 (trust accounts) when a vulnerable connection is allowed only because the account is listed in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy
- Event ID 5829 whenever a vulnerable Netlogon secure channel connection is allowed during the initial deployment phase, i.e., before enforcement mode is on
Address these events before you configure DC enforcement mode or before the enforcement phase starts on February 9, 2021. Each event names the device or trust that is still connecting insecurely, so the list of accounts behind them is the list of systems that will break in February. You can review the logs on the domain controller directly or export them to .evtx files and run a script over them, which is more practical when you have many domain controllers.
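The following PowerShell script is an added example, not code from the article or from Microsoft. It collects Netlogon events 5827 through 5831 from the System log of a domain controller (or from an exported .evtx file) and reduces them to one row per account and event ID, which is the list you need to work through before February. It assumes the event properties are laid out as account name, domain, account type, OS, OS build and client IP, which is how the machine-account events are written; the property indexes are the only assumption here, and the function and parameter names are ours.

```powershell
# Added example (not from the article or Microsoft): summarize Netlogon
# events 5827-5831 logged by a patched domain controller.
# Assumption: event properties are ordered SamAccountName, DomainName,
# AccountType, MachineOs, MachineOsBuildNumber, ClientIPAddress.
param(
    [string]$EvtxPath,                          # optional: exported .evtx file
    [string]$ComputerName = $env:COMPUTERNAME   # otherwise query this DC
)

$ids = 5827..5831
$meaning = @{
    5827 = 'DENIED  machine account (enforcement active)'
    5828 = 'DENIED  trust account (enforcement active)'
    5829 = 'ALLOWED vulnerable connection (initial deployment phase)'
    5830 = 'ALLOWED machine account by exception policy'
    5831 = 'ALLOWED trust account by exception policy'
}

if ($EvtxPath) {
    $filter = @{ Path = $EvtxPath; Id = $ids }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
} else {
    $filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = $ids }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
}

if (-not $events) { Write-Host 'No Netlogon 5827-5831 events found.'; return }

# One row per event, with the replacement strings pulled out by position.
$rows = foreach ($e in $events) {
    $p = @($e.Properties | ForEach-Object { $_.Value })
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Meaning  = $meaning[$e.Id]
        Account  = $p[0]
        Domain   = $p[1]
        Type     = $p[2]
        OS       = (($p[3], $p[4]) -join ' ').Trim()
        ClientIP = $p[5]
    }
}

# Collapse to unique (event ID, account) pairs: each pair is a device or trust
# you must patch, upgrade or exempt before enforcement mode is turned on.
$rows | Group-Object Id, Account | ForEach-Object {
    $sorted = $_.Group | Sort-Object Time
    [pscustomobject]@{
        Id       = $sorted[0].Id
        Meaning  = $sorted[0].Meaning
        Account  = $sorted[0].Account
        OS       = $sorted[0].OS
        ClientIP = $sorted[-1].ClientIP
        Count    = $_.Count
        First    = $sorted[0].Time
        Last     = $sorted[-1].Time
    }
} | Sort-Object Id, Account | Format-Table -AutoSize
```

Run it without arguments on a domain controller, or with -EvtxPath against an exported log. Until you turn enforcement mode on, expect only 5829 rows; 5827 and 5828 rows mean enforcement is already on and those accounts are being refused, so they need an exception or a fix today.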
Prepare now for the February Netlogon patch
Do not wait for the February enforcement. Test now, by changing the group policy or registry setting on your domain controllers, to determine whether this change to the Netlogon protocol will affect anything else in your environment.
The setting that requires secure channel data to be encrypted and signed (always) will be enforced for all domain controllers in February 2021. The August update does not enforce it by default; you have to turn enforcement on yourself.
Group policy to enable "Domain Member: digitally encrypt or sign secure channel data (always)"
Alternatively, you can enable the FullSecureChannelProtection registry key to enable DC enforcement mode for all machine accounts. (The enforcement phase will update DCs to DC enforcement mode.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection
REG_DWORD
Setting the value to "1" enables enforcement mode. Setting the value to "0" means domain controllers will continue to allow vulnerable Netlogon secure channel connections from non-Windows devices. The "0" option will be removed in the enforcement-phase release, so any system that depends on it will stop working in February.
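As an added example (not from the article or Microsoft), the following PowerShell reads the current enforcement state and turns enforcement mode on using the registry value described above. The registry path and value name are the ones the update documents; the two function names are ours. Run it elevated on each patched domain controller.

```powershell
# Added example (not from the article or Microsoft): inspect and set
# DC enforcement mode via the FullSecureChannelProtection REG_DWORD.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$name = 'FullSecureChannelProtection'

function Get-NetlogonEnforcement {
    $v = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    switch ($v) {
        1       { 'Enforcement mode: every machine and trust account must use secure RPC' }
        0       { 'Compatibility mode: vulnerable non-Windows connections allowed (removed in Feb 2021)' }
        default { 'Value not set: August default, vulnerable connections allowed and logged as event 5829' }
    }
}

function Set-NetlogonEnforcement {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Mode)
    # -Force creates the value if it is missing and overwrites it otherwise.
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $Mode -Force | Out-Null
    Get-NetlogonEnforcement
}

Get-NetlogonEnforcement           # state before the change
Set-NetlogonEnforcement -Mode 1   # test enforcement now rather than in February
```

Turn enforcement on during a change window and watch the System log for 5827 and 5828 events; if a legitimate device is refused, set the value back to 0 with Set-NetlogonEnforcement -Mode 0 while you add it to the exception policy or upgrade it.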
The August update adds a group policy to your patched domain controllers to allow for exceptions to the policy of secure RPC communication. Should you have any non-compliant systems that fail to communicate after the enforcement occurs in February, you can whitelist these transmissions and either accept the risk or work with your vendors to upgrade and fix the issue. Take the time between now and February to determine the impact to your organization.
Add these exceptions to this new group policy, "Domain controller: Allow vulnerable Netlogon secure channel connections". Add them to the domain controller’s organizational unit (OU). The group policy should list the security descriptors of those accounts that need to have exclusions made.
New policy to allow exclusions
This policy is supported on Windows Server 2008 R2 and later. The policy value is a security descriptor (in SDDL form) that lists the allowed accounts; when you add accounts through the Group Policy editor it builds that descriptor for you. Note that the sc sdset command sets the security descriptor of a Windows service and is unrelated to this policy, so do not use it for this purpose.
If you merely patch now and do not take the next step of enforcement, the public proof-of-concept exploits will no longer work against patched machines. The remaining risk comes from third-party devices for which secure MS-NRPC is not enforced. An attacker could still reset the computer password of such a device as stored in AD, which would deny service by effectively disconnecting the device from the domain. This might also allow man-in-the-middle attacks similar to CVE-2019-1424, where an attacker could gain local admin access to those particular devices.
What should you do immediately? Install the August updates on your domain controllers. Then look in your event logs for signs that you have legacy systems that will cause issues in February. Start the investigation now so you won’t be blindsided by the impact of February’s mandatory enforcement.