Microsoft Announcement:
Microsoft Netlogon Vulnerability

Cornerstone.IT Gold Microsoft Partner
Connect with us at www.Cornerstone.IT/contact for the latest updates.
Please read thoroughly as this may affect you.

Ask us how we can help secure your environment with the top 10-12 security enhancements every firm should have.  #ITCornerView

As of February 9, 2021, every supported version of Windows Server that acts as a Domain Controller enforces secure RPC with the Netlogon secure channel: the DC denies any Netlogon secure channel connection that does not use secure RPC, unless an exception is explicitly added for that account. Legacy, unsupported Windows systems (for example Windows 7 or Windows Server 2008 without Extended Security Updates) no longer receive updates, so a device of that kind which still connects over a vulnerable Netlogon secure channel will be cut off. As an example, if a Microsoft customer has Windows 7 Pro desktops without Extended Security Updates that connect over a vulnerable Netlogon secure channel, and a Windows Server 2012 or higher Domain Controller, then from February 9, 2021 those Windows 7 Pro devices will no longer be able to authenticate to the Windows Server 2012 or higher Domain Controllers until they are fixed, retired or explicitly exempted.


Summary

The Netlogon Remote Protocol (also called MS-NRPC) is an RPC interface that is used exclusively by domain-joined devices. MS-NRPC includes an authentication method and a method of establishing a Netlogon secure channel. These updates enforce the specified Netlogon client behavior: member computers must use secure RPC over the Netlogon secure channel when talking to Active Directory (AD) domain controllers (DCs).

This security update addresses the vulnerability (CVE-2020-1472) by enforcing secure RPC when using the Netlogon secure channel, in a phased release explained in the "Timing of updates to address Netlogon vulnerability CVE-2020-1472" section of the Microsoft article linked below. To protect the AD forest, all DCs must be updated, since it is the DCs that enforce secure RPC with Netlogon secure channel. This includes read-only domain controllers (RODCs).


February 9, 2021 – Enforcement Phase

The February 9, 2021 release marks the transition into the enforcement phase. The DCs are now in enforcement mode regardless of the enforcement mode registry key. This requires all Windows and non-Windows devices to use secure RPC with Netlogon secure channel, or the account must be explicitly allowed by adding an exception for the non-compliant device. This release:

  • Removes logging of Event ID 5829. Since all vulnerable connections are now denied, you will only see Event IDs 5827 and 5828 in the System event log.

Addressing event 5829

Event ID 5829 is generated when a vulnerable connection is allowed during the initial deployment phase. These connections are denied once DCs are in enforcement mode. In these events, focus on the machine name, domain and OS version identified to determine which devices are non-compliant and how they need to be addressed.

The ways to address non-compliant devices:

  • Recommended: Work with the device manufacturer (OEM) or software vendor to get support for secure RPC with Netlogon secure channel:
    • a. If the non-compliant device supports secure RPC with Netlogon secure channel, enable secure RPC on the device.
    • b. If the non-compliant device DOES NOT currently support secure RPC with Netlogon secure channel, work with the device manufacturer or software vendor to get an update that allows secure RPC with Netlogon secure channel to be enabled.
    • c. Retire the non-compliant device.
  • Vulnerable: If a non-compliant device cannot support secure RPC with Netlogon secure channel before DCs are in enforcement mode, add the device using the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy described in the Microsoft article linked below.

Warning: Allowing device accounts to use vulnerable connections through this group policy puts those AD accounts at risk. The end goal should be to fix or retire every such device and remove all accounts from this group policy.
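To turn the events described above into a working list of devices to remediate, here is an added example written for this page (it is not code from the Microsoft article or from Cornerstone.IT). It collects NETLOGON events 5827, 5828 and 5829 from the System log of every DC and summarises them per account. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the System log on each DC remotely, and that the event message bodies contain labelled lines such as "Machine SamAccountName:", "Domain:" and "Machine Operating System:" (5827/5829) or "Trust Name:" and "Trust Target:" (5828); those label strings are an assumption and should be checked against a real event on your own DCs before relying on the parsed columns.

```powershell
# Added example (not from the Microsoft article or Cornerstone.IT): inventory the
# non-compliant devices named by Netlogon events 5827, 5828 and 5829 on every DC.
# Assumptions: RSAT ActiveDirectory module present; remote read access to each
# DC's System log; event messages carry "Label: value" lines as named below.
param(
    [int]$Days = 30   # how far back to look; 5829 only exists in pre-enforcement logs
)

$Filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829
    StartTime    = (Get-Date).AddDays(-$Days)
}

# Pull one "Label: value" line out of an event message; $null if the label is absent.
function Get-NetlogonField {
    param([string]$Message, [string]$Label)
    $pattern = '(?m)^\s*' + [regex]::Escape($Label) + ':\s*(.+?)\s*$'
    if ($Message -match $pattern) { return $Matches[1] }
    return $null
}

$Findings = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $events = try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $Filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; a DC with no hits is a clean DC.
        if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "${dc}: $_" }
        @()
    }
    foreach ($e in $events) {
        $m = $e.Message
        $isTrust = ($e.Id -eq 5828)   # 5828 = trust account; 5827/5829 = machine account
        [pscustomobject]@{
            DomainController = $dc
            TimeCreated      = $e.TimeCreated
            EventId          = $e.Id
            Status           = if ($e.Id -eq 5829) { 'Allowed (pre-enforcement)' } else { 'Denied' }
            Account          = if ($isTrust) { Get-NetlogonField $m 'Trust Name' }   else { Get-NetlogonField $m 'Machine SamAccountName' }
            Domain           = if ($isTrust) { Get-NetlogonField $m 'Trust Target' } else { Get-NetlogonField $m 'Domain' }
            OperatingSystem  = Get-NetlogonField $m 'Machine Operating System'
            OSBuild          = Get-NetlogonField $m 'Machine Operating System Build'
        }
    }
}

# One row per account: this is the list to work through (fix, retire, or exempt).
$Summary = $Findings |
    Group-Object Account, Domain |
    ForEach-Object {
        [pscustomobject]@{
            Account         = $_.Group[0].Account
            Domain          = $_.Group[0].Domain
            OperatingSystem = $_.Group[0].OperatingSystem
            OSBuild         = $_.Group[0].OSBuild
            Events          = $_.Count
            LastSeen        = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
            # $true means the DC is actively denying this account right now (5827/5828),
            # i.e. the device is already broken, not merely flagged.
            StillDenied     = [bool]($_.Group | Where-Object { $_.EventId -ne 5829 })
        }
    } |
    Sort-Object StillDenied, LastSeen -Descending

$Summary | Format-Table -AutoSize
$Summary | Export-Csv -Path .\netlogon-noncompliant.csv -NoTypeInformation
```

Run it from an administrative workstation after the February update has been on the DCs for a while. Rows with StillDenied set to $true are devices that are failing today; rows that only ever produced 5829 were flagged before enforcement and should be checked for a matching 5827/5828 once enforcement is active. Any account that keeps appearing after you have applied the exception group policy is one the policy did not cover and must be fixed or retired.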

For full details of this situation and the available solutions, please read through the Microsoft knowledge base article linked below, or contact Cornerstone.IT immediately; we can help:

https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e

Avoid a business continuity disruption by including a Windows 10 upgrade in your 2021 budget. Cornerstone.IT is a Microsoft Gold Partner with a history of successful Windows upgrades.

#ITBudgetPlanning #LegalIT #ITCornerView

Cornerstone.IT