On August 11, 2020, Microsoft publicly disclosed an Elevation of Privilege (EoP) vulnerability in Netlogon (CVE-2020-1472) that affects all recent versions of Windows Server Active Directory Domain Controllers (DCs). Netlogon is the service authentication component of the Windows Client Authentication Architecture that establishes a secure channel between a Domain Controller and a client. If an attack on CVE-2020-1472 succeeds, it could allow hackers to run code on Active Directory Domain Controllers via the Netlogon Remote Protocol (MS-NRPC) and grant themselves “Domain Administrator” privileges, with FULL admin rights on all domain-joined servers and workstations, Domain Controllers and Active Directory. In short, it would hand hackers the virtual keys to your network kingdom.
Microsoft’s Two-Phase Vulnerability Mitigation Approach
Microsoft is addressing the vulnerability in a two-part phased rollout to modify how Netlogon handles the usage of secure channels:
Phase 1 took place on August 11, 2020. Microsoft released KB4565351, which included patches to protect Domain Controllers and Windows devices from the recognized vulnerability exploitation.
Phase 2 takes effect on February 9, 2021. Microsoft will enable “Domain Controller Enforcement Mode” by default to fully address the bug. This mode will require all Windows and non-Windows devices to use secure Remote Procedure Call (RPC) with a Netlogon secure channel, unless an exception has been explicitly allowed for a non-compliant device.
**Failure to properly configure non-compliant Active Directory devices before February 9th will likely result in communication failure between domains.**
Omega Systems strongly recommends that all organizations take the following steps as soon as possible:
- Prioritize Domain Controller patches and enable “Domain Controller Enforcement Mode” to address the CVE-2020-1472 vulnerability in your environment.
- Properly configure non-compliant Active Directory devices.
- Monitor event logs to determine which network devices (servers and workstations) are making vulnerable connections.
- Address non-compliant devices that are currently making vulnerable connections with Microsoft-supplied patches.
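The monitoring and enforcement-mode checks from the steps above, as an added PowerShell example that is not the advisory's or Microsoft's own script; it assumes the Netlogon Event IDs 5827-5831, the FullSecureChannelProtection registry value and the event message fields named in the comments:

```powershell
# Added example (not from the advisory or Microsoft): run on each Domain Controller
# to list devices still making vulnerable Netlogon connections and to check whether
# Domain Controller Enforcement Mode is on.
# Assumptions: Event IDs 5827-5831 in the System log and the FullSecureChannelProtection
# registry value are the ones Microsoft documents for CVE-2020-1472, and the message
# fields "Machine SamAccountName:" / "Machine Operating System:" appear in those events.

$NetlogonEvents = @{
    5827 = 'DENIED  - machine account (vulnerable connection rejected)'
    5828 = 'DENIED  - trust account (vulnerable connection rejected)'
    5829 = 'ALLOWED - vulnerable connection still permitted (fix before enforcement)'
    5830 = 'ALLOWED - machine account permitted by Group Policy exception'
    5831 = 'ALLOWED - trust account permitted by Group Policy exception'
}

# 1. Is enforcement mode already switched on? (1 = enforced; value absent = Microsoft default)
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$mode = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($mode -eq 1) { Write-Host 'FullSecureChannelProtection = 1 (enforcement mode ON)' }
else             { Write-Host 'FullSecureChannelProtection not set to 1 (relying on Microsoft default)' }

# 2. Collect Netlogon events from the last 7 days and build one row per event.
$since  = (Get-Date).AddDays(-7)
$filter = @{ LogName = 'System'; Id = [int[]]$NetlogonEvents.Keys; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    $msg = $e.Message
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Status  = $NetlogonEvents[$e.Id]
        Device  = if ($msg -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
        OS      = if ($msg -match 'Machine Operating System:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '' }
    }
}

# 3. Keep the most recent event per device so each non-compliant host can be
#    patched, removed, or temporarily allowed before enforcement takes effect.
$report | Sort-Object Device, Time -Descending |
    Group-Object Device |
    ForEach-Object { $_.Group[0] } |
    Sort-Object EventId |
    Format-Table Device, OS, EventId, Status, Time -AutoSize
```

Devices reported under 5829 are the ones that will stop authenticating once enforcement mode is on, so they are the first to patch or explicitly allow.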
Smart Support Unlimited Remote, Unlimited and Unlimited Plus customers are required to take NO action, as Omega Systems remains responsible for all patching. Additionally, Omega Systems is currently monitoring customer event logs to thwart any unforeseen disruptions or communication failure issues.
Omega Systems has enabled monitoring in our RMM platform to identify customers that could be impacted by this upcoming security change. Our Technical Account Managers will be in contact with our customers to discuss this upcoming security change and develop a plan to update, remove, or temporarily allow these devices for a time until they can be updated or removed.
Understand how Microsoft evaluates vulnerability risks: The Microsoft Exploitability Index
Want Microsoft Technical Security Notifications? See: Microsoft Technical Security Notifications