Remediation of CVE-2020-1472 Netlogon elevation of privilege vulnerability

An elevation of privilege vulnerability exists in Microsoft® Windows® when an attacker establishes a vulnerable
Netlogon secure channel connection to a Domain Controller (DC), using the Netlogon Remote Protocol (MS-NRPC).

According to Microsoft:
"An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how
Netlogon handles the usage of Netlogon secure channels.

"For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see
How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472."

Initial Deployment Phase

August 11, 2020

Rackspace Technology recommends the following actions:

Note: The managing changes article warns: "Enabling this policy will expose your domain-joined devices and your Active Directory forest, which could put them at risk. This policy should be used as a temporary measure for third party devices as you deploy updates. Once a third party device is updated to support using secure RPC with Netlogon secure channels, the account should be removed from the Create Vulnerable Connections list. To better understand the risk of configuring accounts to be allowed to use vulnerable Netlogon secure channel connections, please visit https://go.microsoft.com/fwlink/?linkid=2133485."

The managing changes article provides the following helpful information:

  • Policy path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
  • Setting name: Domain controller: Allow vulnerable Netlogon secure channel connections.
  • Enable the following registry setting, introduced in the August 11, 2020 updates, to turn on enforcement mode early. From the Enforcement Phase starting February 9, 2021, enforcement mode is on regardless of this registry setting:
    • Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
    • Value: FullSecureChannelProtection
    • Data Type: REG_DWORD.
    • Data:
      • 1: This enables enforcement mode. DCs will deny vulnerable Netlogon secure channel connections unless the account is allowed by the Create Vulnerable Connection list in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.
      • 0: DCs will allow vulnerable Netlogon secure channel connections from non-Windows devices. This option will be deprecated in the enforcement phase release.
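The following PowerShell is an added example, not code from Rackspace or Microsoft, showing how to read the FullSecureChannelProtection value on a domain controller and, once you have confirmed from the 5829 events that no third-party device still depends on vulnerable connections, set it to 1 ahead of the February 2021 enforcement date. The key path, value name and data values are the ones listed above; the function names are assumptions, and the script must run with administrative rights on each DC.

```powershell
# Added example (not Rackspace's or Microsoft's code). Key path, value name
# and the meaning of 0/1 are taken from the advisory; function names are assumed.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName   = 'FullSecureChannelProtection'

function Get-NetlogonEnforcementMode {
    # Returns the configured data and what it means on this DC.
    $item = Get-ItemProperty -Path $NetlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Configured = $false
            Data       = $null
            Meaning    = 'Value absent: initial-phase behaviour until February 9, 2021, enforced regardless after that'
        }
    }
    $meaning = switch ($item.$ValueName) {
        1       { 'Enforcement mode: vulnerable connections denied unless the account is on the allow list' }
        0       { 'Vulnerable connections from non-Windows devices allowed (initial phase only)' }
        default { 'Unrecognised data; expected REG_DWORD 0 or 1' }
    }
    [pscustomobject]@{ Configured = $true; Data = $item.$ValueName; Meaning = $meaning }
}

function Enable-NetlogonEnforcementMode {
    # Sets FullSecureChannelProtection = 1 (REG_DWORD). Supports -WhatIf so the
    # change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$NetlogonKey\$ValueName", 'Set REG_DWORD to 1 (enforcement mode)')) {
        New-ItemProperty -Path $NetlogonKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        Get-NetlogonEnforcementMode
    }
}

# Usage:
#   Get-NetlogonEnforcementMode
#   Enable-NetlogonEnforcementMode -WhatIf   # preview
#   Enable-NetlogonEnforcementMode           # apply
```

Run Get-NetlogonEnforcementMode on every DC in the forest, since the value is per machine and not replicated; a DC left at 0 or with the value absent stays in the permissive initial-phase behaviour until the February 2021 update enforces it.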

Enforcement Phase

February 9, 2021

Rackspace Technology recommends installing the February 2021 patches from Microsoft.

The Microsoft article advises: "This requires all Windows and non-Windows devices to use secure RPC with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device."

After domain controllers receive the February 2021 update, Netlogon secure channel connections from non-compliant devices are no longer allowed by default.

According to Microsoft: "Secure RPC usage for machine accounts on non-Windows based devices [will be denied] unless allowed by Domain controller: Allow vulnerable Netlogon secure channel connections group policy listed in the Initial Deployment Phase notes above.

"Logging of Event ID 5829 will be removed. Since all vulnerable connections are denied, you will now only see event IDs 5827 and 5828 in the System event log."
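To find which machine accounts would be affected before enforcement (5829 events) and which are being denied after it (5827 and 5828 events), the following PowerShell is an added example, not Rackspace's or Microsoft's code. It assumes it runs on, or can reach, a domain controller, that the event IDs appear in the System log as the advisory states, and that each event's message text contains a "Machine SamAccountName:" line; the function name and the regular expression are assumptions.

```powershell
# Added example (not Rackspace's or Microsoft's code). Event IDs 5827/5828/5829
# and the System log location come from the advisory; the message parsing is an
# assumption about the documented event text.
function Get-VulnerableNetlogonConnections {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
        [int]$Days = 7                               # look-back window
    )
    $filter = @{
        LogName   = 'System'
        Id        = 5827, 5828, 5829
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Assumed message layout: "Machine SamAccountName: <name>$"
        $account = if ($e.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
        $status = switch ($e.Id) {
            5827 { 'Denied: vulnerable connection from a machine account' }
            5828 { 'Denied: vulnerable connection using a trust account' }
            5829 { 'Allowed: vulnerable connection (initial phase only; gone after February 2021)' }
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Status      = $status
            Account     = $account
            DC          = $ComputerName
        }
    }
}

# Usage: list the accounts still making vulnerable connections, most frequent first,
# so they can be patched or (temporarily) added to the allow-list policy.
#   Get-VulnerableNetlogonConnections -Days 30 |
#       Group-Object Account | Sort-Object Count -Descending |
#       Select-Object Count, Name
```

Collect from every DC, because each one logs only the connections it served. During the initial phase a non-empty 5829 list is the work queue: every account on it will start producing 5827 or 5828 denials once enforcement is on, so the device behind it needs updating before February 9, 2021 or an explicit exception in the "Domain controller: Allow vulnerable Netlogon secure channel connections" policy.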

If you need any further information or assistance regarding this vulnerability, raise a Support Ticket or call your Rackspace Support Team.