Remediation of CVE-2020-1472 Netlogon elevation of privilege vulnerability
An elevation of privilege vulnerability exists in Microsoft® Windows® when an attacker establishes a vulnerable
Netlogon secure channel connection to a Domain Controller (DC), using the Netlogon Remote Protocol (MS-NRPC).
According to Microsoft:
"An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how
Netlogon handles the usage of Netlogon secure channels.
"For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see
How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472."
Initial deployment phase
August 11, 2020
Rackspace Technology recommends the following actions:
- Limit access to port 135 at the firewall level to internal devices.
- Install at least the August 2020 patches from Microsoft as recommended: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472.
- Monitor for non-compliant devices with event ID 5829. A Microsoft support article offers the following particulars:
  - "After the August 11, 2020 updates have been applied to DCs, events can be collected in DC event logs to determine which devices in your environment are using vulnerable Netlogon secure channel connections."
  - "Monitor patched DCs for event ID 5829 events. The events will include relevant information for identifying the non-compliant devices. To monitor for events, use available event monitoring software or by using a script to monitor your DCs. For an example script that you can adapt to your environment, see Script to help in monitoring event IDs related to Netlogon updates for CVE-2020-1472."
- The Microsoft managing changes article adds: "If a non-compliant DC cannot support secure RPC with Netlogon secure channel before the DCs are in enforcement mode, add the machine account using the Domain controller: Allow vulnerable Netlogon secure channel connections group policy described below."
Note: The managing changes article warns: "Enabling this policy will expose your domain-joined devices and your Active Directory forest, which could put them at risk. This policy should be used as a temporary measure for third party devices as you deploy updates. Once a third party device is updated to support using secure RPC with Netlogon secure channels, the account should be removed from the Create Vulnerable Connections list. To better understand the risk of configuring accounts to be allowed to use vulnerable Netlogon secure channel connections, please visit https://go.microsoft.com/fwlink/?linkid=2133485."
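The monitoring step above can be scripted directly against the System log of each DC. The following PowerShell is an added example written for this page; it is not the Microsoft script the support article links to and not Rackspace code. It assumes the account running it can read the System event log on every DC remotely, that the RSAT Active Directory module is installed for Get-ADDomainController, and that the 5827/5828/5829 messages carry the "Machine SamAccountName:" and "Domain:" lines as Microsoft documents them; the function name Get-NetlogonVulnerableConnection is our own.

```powershell
# Added example: collect Netlogon events 5827, 5828 and 5829 from each DC and
# report which machine accounts are still using vulnerable secure channel
# connections. Not Microsoft's or Rackspace's script.
function Get-NetlogonVulnerableConnection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $DomainController,
        [int] $Days = 7   # how far back to look in the System log
    )

    # Events are written to the System log by the NETLOGON provider after the
    # August 11, 2020 updates are installed on the DC.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    foreach ($dc in $DomainController) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            # Get-WinEvent raises an error when nothing matches; that is a clean DC.
            if ($_.Exception.Message -like 'No events were found*') { continue }
            Write-Warning "Could not read the System log on ${dc}: $($_.Exception.Message)"
            continue
        }

        foreach ($e in $events) {
            # Field labels assumed from Microsoft's event documentation.
            $account = if ($e.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { 'unknown' }
            $domain  = if ($e.Message -match '(?m)^\s*Domain:\s*(\S+)')          { $Matches[1] } else { 'unknown' }
            [pscustomobject]@{
                DC          = $dc
                EventId     = $e.Id
                TimeCreated = $e.TimeCreated
                Account     = $account
                Domain      = $domain
                Outcome     = switch ($e.Id) {
                    5829 { 'Allowed (vulnerable; denied once enforcement mode is on)' }
                    5828 { 'Denied (non-Windows device without an exception)' }
                    5827 { 'Denied (Windows device)' }
                }
            }
        }
    }
}

# Usage: query every DC in the current domain for the last week.
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$report = Get-NetlogonVulnerableConnection -DomainController $dcs -Days 7

# Distinct machine accounts still seen in 5829 events. Each one needs a vendor
# update or, temporarily, an entry in the "Domain controller: Allow vulnerable
# Netlogon secure channel connections" policy before February 9, 2021.
$report |
    Where-Object EventId -eq 5829 |
    Group-Object Domain, Account |
    Select-Object @{ n = 'Account';  e = { $_.Name } },
                  Count,
                  @{ n = 'LastSeen'; e = { ($_.Group | Measure-Object TimeCreated -Maximum).Maximum } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it again after each round of third-party updates: an account that stops appearing in 5829 events has moved to secure RPC and can be removed from the exception list, which is the condition the managing changes article sets for lifting the temporary policy.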
The managing changes article provides the following helpful information:
- Policy path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
- Setting name: Domain controller: Allow vulnerable Netlogon secure channel connections.
- Enable the following registry setting, introduced in the August 11, 2020 updates, to turn on enforcement mode early. Enforcement will be enabled regardless of this registry setting in the Enforcement Phase starting on February 9, 2021:
  - Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  - Value: FullSecureChannelProtection
  - Data Type: REG_DWORD
  - Data:
    - 1: This enables enforcement mode. DCs will deny vulnerable Netlogon secure channel connections unless the account is allowed by the Create Vulnerable Connection list in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.
    - 0: DCs will allow vulnerable Netlogon secure channel connections from non-Windows devices. This option will be deprecated in the enforcement phase release.
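The registry setting above can be audited and applied per DC with a few lines of PowerShell. This is an added example for this page, not code from Microsoft or Rackspace; the subkey and value name are the ones the article lists, the function names Get-NetlogonEnforcementState and Enable-NetlogonEnforcement are our own, and it assumes it is run locally on a DC with administrative rights.

```powershell
# Added example: read and set FullSecureChannelProtection on the local DC.
# Subkey and value name as documented in the article; everything else is ours.
$netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$valueName      = 'FullSecureChannelProtection'

function Get-NetlogonEnforcementState {
    # Returns one of: NotSet, Enforced, Permissive, or the unexpected raw value.
    $item = Get-ItemProperty -Path $netlogonParams -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }        # value absent: no early enforcement
    switch ($item.$valueName) {
        1       { 'Enforced' }                      # vulnerable connections denied unless excepted
        0       { 'Permissive' }                    # vulnerable connections from non-Windows allowed
        default { "Unexpected ($($item.$valueName))" }
    }
}

function Enable-NetlogonEnforcement {
    # Writes the REG_DWORD value 1 described in the article, creating it if absent.
    New-ItemProperty -Path $netlogonParams -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    Get-NetlogonEnforcementState
}

# Usage: record the state before and after the change for the change ticket.
"Before: $(Get-NetlogonEnforcementState)"
"After:  $(Enable-NetlogonEnforcement)"
```

Because the value is read on every DC independently, set it on all DCs in the domain rather than only the PDC emulator; a DC left at 0 or NotSet will still accept the vulnerable connections that the others deny until the February 9, 2021 enforcement phase makes the setting moot.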
Enforcement Phase
February 9, 2021
Rackspace Technology recommends installing the February 2021 patches from Microsoft.
The Microsoft article advises: "This requires all Windows and non-Windows devices to use secure RPC with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device."
After DCs receive the February 2021 patch, vulnerable Netlogon secure channel connections from non-compliant devices are no longer allowed by default.
According to Microsoft: "Secure RPC usage for machine accounts on non-Windows based devices [will be denied] unless allowed by Domain controller: Allow vulnerable Netlogon secure channel connections group policy listed in the Initial Deployment Phase notes above.
"Logging of Event ID 5829 will be removed. Since all vulnerable connections are denied, you will now only see event IDs 5827 and 5828 in the System event log."
If you need any further information or assistance regarding this vulnerability, raise a Support Ticket or call your Rackspace Support Team.