Microsoft has revised and clarified its guidance on how to close the Netlogon (Zerologon) vulnerability on Windows Server installations that act as domain controllers. This is a response to feedback from users who were confused by the previous wording of the support article.
The vulnerability, updates and uncertainties
I have reported on the Netlogon vulnerability in Windows Server several times in this blog (see the links at the end of the article). The Zerologon vulnerability (CVE-2020-1472) is a privilege escalation flaw caused by the insecure way the Netlogon Remote Protocol uses AES-CFB8 when authenticating a client (a fixed all-zero initialization vector). It allows an unauthenticated attacker to take over Active Directory domain controllers (DCs), and even to do so remotely if a domain controller is reachable via the network or the internet.
I covered the details in the blog post: Windows Server: Zerologon vulnerability (CVE-2020-1472) allows domain hijacking. Microsoft released security updates on August 11, 2020 to mitigate the vulnerability. Since the vulnerability is being exploited in the wild, Microsoft urged customers to patch (see Zerologon Exploits are used in the wild, patching (Windows Server, Samba) recommended).
Microsoft is closing the vulnerability in two stages, as described in the support article KB4557222. The security update of August 11, 2020 (see the link list at the end of the article) started the first stage, the initial deployment phase. In February 2021 the second stage, the enforcement phase, follows with a further update.
Microsoft specifies the steps to secure your servers
The knowledge base article KB4557222 has provoked questions not only here in the blog. Microsoft apparently received many questions from unsettled customers and had to react. The colleagues at Bleeping Computer noticed that Microsoft has added the following clarification of the procedure to the English version of the support article KB4557222.
To protect your environment and prevent outages, you must do the following:
- UPDATE your Domain Controllers with an update released August 11, 2020 or later.
- FIND which devices are making vulnerable connections by monitoring event logs.
- ADDRESS non-compliant devices making vulnerable connections.
- ENABLE enforcement mode to address CVE-2020-1472 in your environment.
Note: Step 1 of installing updates released August 11, 2020 or later will address the security issue in CVE-2020-1472 for Active Directory domains and trusts, as well as Windows devices. To fully mitigate the security issue for third-party devices, you will need to complete all the steps.
Warning: Starting February 2021, enforcement mode will be enabled on all Windows Domain Controllers and will block vulnerable connections from non-compliant devices. At that time, you will not be able to disable enforcement mode.
In short: installing the security updates of August 11, 2020 (and the subsequent cumulative updates) on all domain controllers already closes the vulnerability for Windows devices and for domain and trust accounts. Administrators should then check in the System event log (Netlogon event IDs 5827 to 5831, in particular 5829 for vulnerable connections that are still being allowed) which devices are still trying to set up an insecure Netlogon secure channel to the domain controller, and update those devices so that they use secure RPC. Only then should the final protection be switched on by setting the FullSecureChannelProtection registry value listed in the support article (enforcement mode). Starting with the February 2021 security updates, Microsoft will enforce this mode on all domain controllers anyway.
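The four steps above (update, find, address, enable enforcement) as one PowerShell script that an administrator would run in an elevated session on a patched domain controller. This is an added example, not code from the original post or from KB4557222. It assumes the Netlogon events are logged under the provider name NETLOGON in the System log and that the event text contains a "Machine SamAccountName:" field (the regular expression is an assumption and may need adjusting to your event messages); the event IDs, the registry path and the value name FullSecureChannelProtection are those documented by Microsoft.

```powershell
# Added example (not part of the original post): inventory vulnerable Netlogon
# secure channel connections on this DC and, only when none remain, enable
# enforcement mode. Run in an elevated PowerShell session on each DC.

# Event IDs from KB4557222 for the Netlogon secure channel checks.
$netlogonEvents = @{
    5827 = 'Denied: machine account used a vulnerable secure channel (enforcement mode)'
    5828 = 'Denied: trust account used a vulnerable secure channel (enforcement mode)'
    5829 = 'Allowed: vulnerable connection during the initial deployment phase'
    5830 = 'Allowed: machine account permitted by group policy'
    5831 = 'Allowed: trust account permitted by group policy'
}

# FIND: collect the Netlogon events of the last 7 days from the System log.
# Assumption: the provider/source name is NETLOGON (as shown in Event Viewer).
$since  = (Get-Date).AddDays(-7)
$events = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = [int[]]$netlogonEvents.Keys
    StartTime    = $since
} -ErrorAction SilentlyContinue)

# The event text names the account that made the connection. The regex is an
# assumption about the message layout; unparsed messages are kept and flagged.
$report = $events | ForEach-Object {
    $account = if ($_.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { '(unparsed)' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Meaning = $netlogonEvents[$_.Id]
        Account = $account
    }
}

# ADDRESS: one line per account and event ID, most frequent first, so the
# non-compliant devices can be updated or handled via group policy.
$report | Group-Object Account, EventId |
    Select-Object @{n='Account'; e={ $_.Values[0] }},
                  @{n='EventId'; e={ $_.Values[1] }},
                  @{n='Meaning'; e={ $netlogonEvents[[int]$_.Values[1]] }},
                  Count |
    Sort-Object Count -Descending | Format-Table -AutoSize

# ENABLE: switch on enforcement mode only when no vulnerable connection
# (event 5829) has been allowed in the observation window.
$regPath         = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$stillVulnerable = @($report | Where-Object EventId -eq 5829).Count
if ($stillVulnerable -eq 0) {
    New-ItemProperty -Path $regPath -Name 'FullSecureChannelProtection' `
        -Value 1 -PropertyType DWord -Force | Out-Null
    Write-Host 'Enforcement mode enabled (FullSecureChannelProtection = 1).'
} else {
    Write-Warning ("{0} vulnerable connection(s) logged since {1}; " -f $stillVulnerable, $since) +
                  'fix those devices before enabling enforcement mode.'
}
```

Run the FIND/ADDRESS part on every domain controller, not just one, because each DC only logs the connections it served itself. Once the 5829 events have dried up on all DCs, the registry value can be set; after the February 2021 updates the setting is enforced regardless of the value.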
Patchday: Windows 10-Updates (August 11, 2020)
Patchday: Windows 8.1/Server 2012-Updates (August 11, 2020)
Patchday: Updates for Windows 7/Server 2008 R2 (August 11, 2020)
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
Windows Domain Controller suddenly generate EventID 5829 warnings (August 11, 2020)
Windows Server: Zerologon vulnerability (CVE-2020-1472) allows domain hijacking
Windows 10 V1607: Update KB4571694 creates ID 5827 events, bricks MMC
CISA Warning: Patch your Windows Servers against CVE-2020-1472 (Zerologon)
Zerologon Exploits are used in the wild, patching (Windows Server, Samba) recommended