By Randy Becker, CISO & VP, Network and Security Consulting
On February 9th, Microsoft moved into the second phase of enforcing CVE-2020-1472. This affects companies that are still using legacy, unsupported Microsoft operating systems. Will Microsoft finally get closer to closing the vulnerability down? How many customers are affected by this?
As Microsoft announced earlier this month, any organizations with supported versions of Windows Server that are used as a Domain Controller will no longer allow unsupported versions of Windows (Server and Workstation) to communicate with the Domain Controllers unless specific action is taken.
- Unsupported server versions are Server 2008 and older
- Unsupported workstation versions are Windows 7 and earlier
- If these older devices have a current Extended Security Updates (ESU) contract they will receive the updates and will be able to communicate with the Domain Controllers
The reason for this is that Microsoft will be enforcing secure RPC when using the Netlogon Secure Channel, which secures communication with Domain Controllers.
Read more from Microsoft here:
Hopefully you all followed Microsoft's recommendations to ensure your environment was ready for February 9th and the full implementation of secure RPC with the Netlogon secure channel.
Here are Microsoft’s high-level recommendations:
- UPDATE your Domain Controllers with an update released August 11, 2020 or later.
- FIND which devices are making vulnerable connections by monitoring event logs. (Monitor events 5827, 5828 and 5829 to determine which accounts are using vulnerable secure channel connections.)
- ADDRESS non-compliant devices making vulnerable connections.
- ENABLE enforcement mode to address CVE-2020-1472 in your environment.
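To support the FIND step above, here is an added PowerShell example (not from this post or from Microsoft) that pulls the Netlogon secure channel events the guidance names from every DC in the domain and turns them into a per-account remediation worklist. It assumes the ActiveDirectory RSAT module, remote read rights on each DC's System log, and that the event messages carry the field labels from Microsoft's event documentation (the parsing is an assumption, with a fallback to the raw event data).

```powershell
# Added example (not from the post or from Microsoft): inventory the Netlogon
# secure channel events named in the guidance above across every DC.
# Assumes the ActiveDirectory (RSAT) module and remote System-log read rights.
param([datetime]$Since = (Get-Date).AddDays(-30))
Import-Module ActiveDirectory
# 5827/5828 = vulnerable connection denied, 5829 = allowed (pre-enforcement only),
# 5830/5831 = allowed by the "Domain controller: Allow vulnerable Netlogon
# secure channel connections" group policy exception.
$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = $Since
}
$dcs = (Get-ADDomainController -Filter *).HostName
$events = foreach ($dc in $dcs) {
    try   { Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop }
    catch { Write-Warning "${dc}: $($_.Exception.Message)" }  # also fires when a DC has no matching events
}
$rows = foreach ($e in $events) {
    # Assumption: the message text carries the labels from Microsoft's event docs
    # ("Machine SamAccountName:" for machine accounts, "Trust Name:" for trusts);
    # fall back to the first EventData field if the layout differs.
    $msg = $e.Message
    $account = $e.Properties[0].Value
    if ($msg -match 'SamAccountName:\s*(\S+)') { $account = $Matches[1] }
    elseif ($msg -match 'Trust Name:\s*(\S+)') { $account = $Matches[1] }
    $os = if ($msg -match 'Machine Operating System:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '' }
    $outcome = 'Denied'
    if ($e.Id -eq 5829) { $outcome = 'Allowed (vulnerable)' }
    elseif ($e.Id -in 5830, 5831) { $outcome = 'Allowed by GPO exception' }
    [pscustomobject]@{
        DC = $e.MachineName; Account = $account; OS = $os
        EventId = $e.Id; Outcome = $outcome; Time = $e.TimeCreated
    }
}
# One line per account/outcome, most frequent first: this is the remediation worklist.
$rows | Group-Object Account, Outcome | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Account  = $_.Group[0].Account
        Outcome  = $_.Group[0].Outcome
        OS       = $_.Group[0].OS
        Hits     = $_.Count
        LastSeen = ($_.Group.Time | Measure-Object -Maximum).Maximum
        DCs      = ($_.Group.DC | Sort-Object -Unique) -join ','
    }
} | Format-Table -AutoSize
```

Accounts that show up under "Allowed by GPO exception" are the ones still running on the policy carve-out and deserve the risk review the post calls for below; anything under "Denied" is already broken and needs patching or ESU coverage.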
If you are not subscribed to Microsoft ESU to keep your unsupported operating systems patched with current security updates, you may have been left with critical systems offline. If you also have third-party clients that don't support secure RPC with the Netlogon secure channel, those connections will now be denied by the DCs.
The initial deployment phase, starting with the update released August 11, 2020, did the following:
- Began enforcing secure RPC usage for all Windows-based device accounts, trust accounts and all DCs.
- Logged event IDs 5827 and 5828 in the System event log when connections were denied.
- Logged event IDs 5830 and 5831 in the System event log when connections were allowed by the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.
The enforcement phase kicked in on February 9, 2021, with the following change:
- Logging of event ID 5829 was removed. Since all vulnerable connections are now denied, you will only see event IDs 5827 and 5828 in the System event log.
Resolving this requires that customers install the August update on all DCs, monitor for the associated events, and remediate non-compliant devices that are using vulnerable Netlogon secure channel connections.
Importantly, non-compliant devices can still be allowed to use vulnerable Netlogon secure channel connections, as noted in the published Microsoft knowledge base. The associated security risk should be thoroughly considered before doing this: the vulnerability is significant and easy to exploit.
If you have any questions or need help with this important update, please reach out to your GreenPages Account Executive to see how we can assist with remediation.
Randy is responsible for GreenPages’ overall cyber security strategy, including developing comprehensive policies and procedures to protect critical applications while ensuring business agility and velocity. With more than 30 years in the IT industry, Randy has strong expertise in cyber security and risk management; security operations and optimization; infrastructure modernization; and hybrid cloud architecture, design, and implementation.