ZeroLogon Vulnerability

Patching is not enough! Act now!

Microsoft recently announced the ZeroLogon vulnerability CVE-2020-1472, which has been classified as level 10/10 and Critical.

This vulnerability means that with a specially crafted packet and network connectivity to your domain, an attacker can compromise your systems very simply, without the need for credentials. This is very worrying, and what is even more worrying is that the effort needed to close this vulnerability depends on the amount of technical debt on your estate. Let us guide you through it.

There are four steps to remediate this vulnerability:

Update

Windows updates will be released in two phases:

  • Initial Phase – Domain Controllers need to be patched with an update released August 11, 2020 or later
  • Enforcement Phase (on or after February 9, 2021) – Domain controllers will be set to enforcement mode regardless of the enforcement mode registry key described in the Enable section below in this post

This patch is only publicly available for Domain Controllers running a supported operating system, e.g. Windows Server 2012 R2 or later.

  • Domain Controllers running Windows Server 2008 R2 will need an Extended Support Update (ESU) license to receive the available patch
  • For all other older operating systems a patch will not be available

If you are running any of these operating systems you should urgently consider upgrading your Domain Controllers. Get in touch with us here if you want to accelerate your domain controller upgrades, our Active Directory specialists are on hand to help.

Once your domain controllers are patched, devices can still authenticate to Active Directory using a non-secure Netlogon connection, so your domain is still vulnerable. However, your domain controllers will now:

  • Enforce secure RPC for all machine accounts on Windows-based devices, trust accounts and all Windows and non-Windows DCs
  • Log new events 5827, 5828 and 5829 for any vulnerable connections that will be denied when enforcement mode is enabled

Find

After a few days of normal business operation, query your SIEM for event log entries 5827, 5828 and 5829 – but primarily 5829, which is logged each time a vulnerable Netlogon secure channel connection is allowed. These events detail the devices that cannot function securely.

If you don’t have a SIEM, you can run the following PowerShell script as a domain administrator. Update the date passed to -After to when your servers were patched (UK date format below; change to US if required) and change the output path so the data is written where you want it (it will also display on screen). The script finds all unique values and exports them to CSV so you can review the output once complete.

#Get list of domain controllers to query
$domaincontrollers = Get-ADDomain | Select-Object -ExpandProperty ReplicaDirectoryServers
#Time your domain controllers were patched (UK date format dd/MM/yyyy; change to US if required)
$after = Get-Date "01/09/2020 17:00:00"
#Loop through DCs pulling back the relevant event IDs logged after the patch time
$output = @()
Foreach($DC in $domaincontrollers){
Write-Output "Querying $DC"
$output += Invoke-Command -ComputerName $DC -ArgumentList $after -ScriptBlock {
param($after)
#5829 = vulnerable connection allowed (primary indicator); 5827/5828 = connection denied
#ReplacementStrings is an array, so it is joined into one string to let Sort-Object -Unique de-duplicate correctly
Get-EventLog -LogName System -Source NETLOGON -After $after |
Where-Object {$_.EventID -in 5827,5828,5829} |
Select-Object EventID, @{Name='Details';Expression={$_.ReplacementStrings -join '|'}}
}
}

#Keep unique entries only, then write the output to screen and CSV
$output = $output | Sort-Object EventID, Details -Unique
Write-Output $output
$output | Export-Csv -NoTypeInformation d:\neil\vulnerable_netlogon.csv

Address

You now need to remediate the systems that are still vulnerable, by either

  • Patching
  • Upgrading
  • Decommissioning
  • Migrating to a new service

Devices that you cannot remediate immediately will need to be whitelisted using a new group policy to continue to function. This group policy is introduced via the patch and should only be considered a short-term solution as it does not remove the vulnerability. An attacker could still easily compromise whitelisted devices and utilise the permissions those computer accounts have.

Warnings aside here is what you need to do:

  1. Create an AD group to hold your non-compliant computer accounts
  2. Create a new delta group policy and configure the following setting:
    • Computer Configuration | Windows Settings| Security Settings | Local Policies | Security Options
    • Domain controller: Allow vulnerable Netlogon secure channel connections
    • Set to Allow and specify the AD Group that contains the computer accounts and/or usernames temporarily allowed to still authenticate insecurely

Devices within this category are most likely legacy servers hosting resources that can possibly be migrated to one of the many cloud platforms available today.

We have upcoming feature posts around application and file server migrations to the cloud releasing shortly so check back again very soon or get in touch.

Enable/Enforcement

Deploying patches to your domain controllers on or after February 9, 2021 will automatically turn on enforcement mode. All non-compliant devices will need to be in the allow list or secure channel connections will be denied which will more than likely impact services.

To be fully secure now, which is what H3O Digital recommend, you can turn on enforcement mode prior to February. To do so, amend the following registry key on your domain controllers, or create a group policy with a registry preference configuring the required setting:

Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value: FullSecureChannelProtection
Type:  REG_DWORD
Data:  1 (this is to enable it)
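Before flipping the registry value above, it helps to know which domain controllers already enforce secure RPC and whether any of them are still logging vulnerable connections. The script below is an added example (not part of the original post and not H3O Digital's own code): it reads FullSecureChannelProtection on every DC and counts 5827/5828/5829 events over a lookback window. It assumes the RSAT ActiveDirectory module, PowerShell remoting (WinRM) to each DC, and that the Netlogon events are logged under the System log provider NETLOGON; the 7-day window and the "Ready" rule are the author's own choices.

```powershell
# Added example: audit ZeroLogon enforcement state across all domain controllers.
# Assumptions: RSAT ActiveDirectory module, WinRM access to each DC, events under provider NETLOGON.
Import-Module ActiveDirectory

$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$regName  = 'FullSecureChannelProtection'
$lookback = 7   # days of event history to inspect (assumed window, matches "a few days of normal operation")
$dcs      = (Get-ADDomain).ReplicaDirectoryServers

$report = foreach ($dc in $dcs) {
    try {
        Invoke-Command -ComputerName $dc -ArgumentList $regPath, $regName, $lookback -ErrorAction Stop -ScriptBlock {
            param($path, $name, $days)
            # 1 = enforcement mode on; absent or 0 = still in the initial (deployment) phase
            $item  = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
            $value = if ($null -eq $item) { $null } else { $item.$name }

            # 5829 = vulnerable connection allowed; 5827/5828 = vulnerable connection denied
            $since  = (Get-Date).AddDays(-$days)
            $events = Get-WinEvent -FilterHashtable @{
                LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5827, 5828, 5829; StartTime = $since
            } -ErrorAction SilentlyContinue
            $allowed = @($events | Where-Object { $_.Id -eq 5829 }).Count

            [pscustomobject]@{
                DomainController   = $env:COMPUTERNAME
                EnforcementSetting = if ($null -eq $value) { 'not set (default)' } else { $value }
                Enforced           = ($value -eq 1)
                VulnerableAllowed  = $allowed
                VulnerableDenied   = @($events).Count - $allowed
                # Ready to enforce: already enforced, or nothing insecure seen in the window
                Ready              = ($value -eq 1) -or ($allowed -eq 0)
            }
        }
    } catch {
        # Unreachable DC: report it rather than silently skipping it
        [pscustomobject]@{
            DomainController   = $dc
            EnforcementSetting = "error: $($_.Exception.Message)"
            Enforced           = $false
            VulnerableAllowed  = $null
            VulnerableDenied   = $null
            Ready              = $false
        }
    }
}

$report | Sort-Object DomainController | Format-Table -AutoSize
```

A DC showing Ready = False with VulnerableAllowed greater than zero still has devices that must be remediated or added to the allow-list group before enforcement is switched on.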

Summary

The countdown begins…

Is your business impacted by this upcoming patch?
Do you need expert assistance or assurance on resolving this vulnerability?
Do you want to accelerate cloud adoption to avoid such vulnerabilities in the future and/or need guidance on the latest PaaS & IaaS cloud offerings?

H3O Digital are already helping businesses achieve their digital goals and we can help yours too. Contact us now.