Windows Domain Controller suddenly generate EventID 5829 warnings (August 11, 2020)

[German]Administrators of Active Directory (AD) domain controllers may notice EventID 5829 warnings in the Event Viewer since August 2020 Patchday (August 11, 2020). This is intentional, Microsoft is addressing a problem with a vulnerability (CVE-2020-1472) in Netlogon connections. Admins have to react, because Microsoft is enforcing some things regarding Netlogon connections from February 2021 on.

Domain controller generates EventID 5829 warnings

I'll pull the topic out separately, because it might meet some admins among the blog readers. The topic has fallen on my feet twice. Once there was this short comment within my German blog about the topic. At the same time I had already found a tweet with the reference to a blog post of a MVP colleague.

Knowledgebase: You experience Warnings with EventID 5829 on Domain Controllers https://t.co/bWnQ2KdBTY #DirTeam

— DirTeam.com (@DirTeamCom) August 11, 2020

Sander Berkower points out that Microsoft intentionally creates this event to warn Active Directory administrators about vulnerable Netlogon connections (vulnerability CVE-2020-1472).

The vulnerability CVE-2020-1472

Microsoft describes the CVE-2020-1472 vulnerability as a privilege escalation vulnerability. An attacker could use the Netlogon Remote Protocol (MS-NRPC) to establish a vulnerable connection to a domain controller (DC) through a secure Netlogon channel. An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. The unauthenticated attacker would have to use MS-NRPC to connect to a domain controller to gain access as a domain administrator. The vulnerability affects the following (still supported) server versions:

1. Windows Server 2008 R2
2. Windows Server 2012
3. Windows Server 2012 R2
4. Windows Server 2016
5. Windows Server 2019
6. Windows Server, Version 1903
7. Windows Server, Version 1909
8. Windows Server, Version 2004

Both Server Core and full Windows Server installations are affected.

Vulnerability will be closed step by step

Microsoft plans to fix the vulnerability in a phased, two-part rollout. There will be a 'deployment phase' (starting August 11, 2020) and then an enforcement phase (starting February 9, 2021).

Deployment phase from 1August 1, 2020

As of August 11, 2020, monthly rollups, security only updates and cumulative updates were provided for the above-mentioned server versions. According to Microsoft's CVE-2020-1472 support article, these updates address the vulnerability by changing the way Netlogon handles the use of the secure Netlogon channels.

As a result of the update installation, EventID 5829 warnings are generated by the domain controllers when a vulnerable Netlogon connection is used. This version:

• Forces Secure RPC usage for computer accounts on Windows-based devices.
• Enforces Secure RPC usage for trusted accounts.
• Enforces Secure RPC usage for all Windows and non-Windows DCs.

Microsoft has provided all the details, including Group Policy, in this KB article. The support article also describes what administrators should do when events occur with IDS 5827 and 5828 (connections are denied) and 5829 (vulnerable Netlogon secure channel connection is allowed). The event entries should be responded to before the enforcement phase begins in 2021.

Enforcement phase from February 9, 2021

From February 9, 2021, Microsoft will initiate the transition to the enforcement phase with updates. The DCs will then be in forced mode regardless of the forced mode registry key (described in the KB article).  Force mode requires that all Windows and non-Windows devices use Secure RPC with a secure Netlogon channel or explicitly allow the account by adding an exception for the incompatible device. This version:

• Enforces Secure RPC usage for computer accounts on non-Windows based devices unless allowed by the  "Domain controller: Allow vulnerable Netlogon secure channel connections" Group Policy.
• Removes logging of event ID 5829.  Since all vulnerable connections are denied, only event IDs 5827 and 5828 are now displayed in the system event log.

Again, I would like to refer to this KB article where Microsoft has prepared the details for administrators. So administrators have about 6 months time to react.