Field Notes: Zerologon | CVE-2020-1472 | Manage Netlogon secure channel changes

The Netlogon vulnerability, CVE-2020-1472 (also known as Zerologon) is well documented and includes all the required remediation and preparation steps for the next update coming February 2021. We are less than a month away from the enforcement phase, and I have found that some customers are still unsure of what they need to do in regards to this vulnerability and the security updates. I’ve decided to publish this post to clarify the required actions, and tools available after deploying the August 2020 security update.


Release schedule

The vulnerability is being addressed in two phases, with phase one released already:

  • August 11, 2020 – Initial deployment phase
  • February 9, 2021 – Enforcement phase

This blog post covers the initial deployment phase with the steps required to prepare your environment for the enforcement phase.


Changes to Netlogon protocol

The August 2020 security update is phase one of the vulnerability mitigations. There are some changes to expect on your Domain Controllers after installing this security update. A summary of the changes are listed below:


Secure RPC enforcement

Secure RPC will be enforced for all Windows computer accounts, Active Directory trust accounts and Domain Controllers. Secure RPC will not be enforced for 3rd party (non-Windows) computer accounts until the enforcement phase.


New Group Policy setting

A new Group Policy setting is added after installing the update:

  • Domain controller: Allow vulnerable Netlogon secure channel connections
  • Policy path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Registry key

A new registry value is provided to manually enable enforcement mode before the February 2021 security update:

  • Key value: FullSecureChannelProtection
  • Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

New System event log events

New events are available to identify connections that are denied after installing the August 2020 update, and any connections that would be denied after installing the February 2021 update.

There are 3 categories of new events, the event ID’s are as follows:

  • 5827 and 5828
  • 5830 and 5831
  • 5829

Deployment steps

The following steps can be followed to ensure readiness for the enforcement phase and prevent negative impact in your environment after installing the February 2021 update.


Update your Domain Controllers

The first step is to ensure that all Domain Controllers have the August 2020 security update deployed. You should expect the new behavior on the Domain Controllers after the update is installed, as summarized earlier in this post.


Monitor and review events in the System Event Log

Most of the remediation work will involve reviewing the new events that may be logged in the System event log. Monitoring these events will be the only way to manage and prevent impact during the enforcement phase.


Collecting events

Existing monitoring tools such as SCOM can be used to collect these events. If your Domain Controllers are connected to a Log Analytics workspace, you can also configure Log Analytics to collect the events from the System event log. I’ve previously published a blog post showing how Log Analytics can be used to collect SMB1 audit log events.

The System event log is available for selection from the drop down menu when adding a new Windows event log from the Log Analytics workspace:



An example script which can be modified to fit your environment is also provided. The script will process EVTX files exported from Event Viewer and create an Excel file with pivot tables from the events.

An Azure Sentinel workbook is also available to detect and understand the events that are logged during initial deployment phase. The link is provided in the references section of this post.


Event ID 5827 and 5828

These events are logged when a vulnerable Netlogon secure channel connection was denied. This may seem irrelevant since we are only in the initial deployment phase and not in the enforcement phase. It is important to understand that the initial deployment phase will immediately protect connections from Windows computer accounts, Active Directory trust accounts and Domain Controllers. This means any unsecure connections from a Windows computer will be denied after the August 2020 update is installed.

Event 5827 will be logged when unsecure connections from Windows computer accounts are denied. We should not be expecting any of these events during the initial deployment phase, but if you do find these events for Windows devices, it may indicate a misconfiguration in your environment. You don’t want to see event 5827 during the initial deployment phase, you will experience trust relationship errors on these computers.

Verify that the affected device is a currently supported Windows Operating System. You should also check that the following security policy setting is not set to Disabled on the affected device. This may be the most likely cause for Windows devices to be logged in event 5827. The correct and default value for this setting is Enabled.

  • Domain member: Digitally encrypt or sign secure channel data (always)
  • Policy path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Event 5828 may be logged for unsecure non-Windows “Domain Controllers” or trusts. You will need to work with the vendor of these to remediate, or they can be excluded using the provided Group Policy setting. Exclusions are covered under the “Event ID 5830 and 5831” section.


Event ID 5829

These events would be expected for non-Windows computers in the domain. This event will be logged when a non-compliant, non-Windows computer account makes an unsecure connection to the Domain Controller.

During the initial deployment phase, secure connections are only enforced for Windows computer accounts. Secure connections are not enforced for non-Windows accounts (3rd party). The unsecure connection will be allowed and event ID 5829 will be logged. The reason for this is that these unsecure connections, from non-Windows computer accounts, will be denied after the enforcement phase. The purpose of the event is to detect the non-complaint computers.

Work with the vendor to remediate these affected devices, or they can be excluded using the provided Group Policy setting. Exclusions are covered under the “Event ID 5830 and 5831” section.

Reviewing these events would be the most important task in regards to preparing for the February 2021 security update. If you don’t have any non-Windows computer accounts, then you won’t see this event ID in the System event log. Not all non-Windows computer accounts use unsecure connections, and may already be using secure connections. If you do have non-Windows computer accounts in your domain, and do not have any 5829 events, then this is an indication that they are already using secure connections, and will not be affected during the enforcement phase.


Event ID 5830 and 5831

A new Group Policy setting is provided after installing the August 2020 security update:

Domain controller: Allow vulnerable Netlogon secure channel connections

This group policy allows for exclusions, which means accounts that are added to this Group Policy will be allowed to make unsecure connections to the Domain Controllers, even after the enforcement phase. These will be the affected accounts logged in event ID 5829 that cannot be remediated immediately.

This is not recommended as the desired state to mitigate the vulnerability is to always enforce secure connections. Allowing unsecure connections leaves the forest vulnerable to attack.

That being said, we are less than a month away from the February 2021 update and you may not be able to remediate all the 3rd party devices before the update is released. Having a few exclusions while still working towards remediation is still better than delaying the deployment of the February 2021 update. This would ensure that only the known non-compliant devices are allowed, and prevent any new or unknown non-compliant devices from being introduced in the domain.

Event 5830 and 5831 will be logged when an unsecure connection is allowed because of the account being added to the Group Policy. You will only see these event ID’s if you have added accounts to the Group Policy setting. Event ID 5830 is logged for computer accounts and Event ID 5831 for trust accounts.


Enable enforcement mode with registry key

You may find that there aren’t any non-compliant accounts or you have remediated all the non-compliant accounts. You may want to enable enforcement mode earlier, instead of waiting for the February 2021 update to be deployed. You should confirm that event ID 5829 are no longer logged in the System event log, before enabling enforcement mode.

A new DWORD value named FullSecureChannelProtection can be added to the registry key path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. Setting the key value to 1 will enable enforcement mode.

When the February 2021 update gets installed, this value will be 1, regardless of what you have manually configured in the registry. Ensure all non-compliant accounts are remediated or excluded before installing the February 2021 update. Setting the key value to 0 after installing this update will not allow unsecure connections.


Summary

I’ve listed the task required to prepare for the enforcement phase of the Netlogon vulnerability mitigations. I hope this will help to start working towards compliance in your own environment. Below is a summary of the tasks required before deploying the February 2021 security update on your Domain Controllers.

  • Deploy the August 2020 update on all Domain Controllers
  • Review the new events in the System event log.
  • Event ID 5828: Work with the vendor for support to remediate non-compliant 3rd party (non-Windows) trust accounts, or add exclusion to group policy.
  • Event ID 5827: Remediate security policy settings for Windows accounts or ensure it is a currently supported Operating System if you confirmed that the security policy setting is compliant.
  • Event 5829: Work with vendor for support to remediate non-compliant 3rd party (non-Windows) devices, or add exclusion to Group Policy.
  • Group Policy: Domain controller: Allow vulnerable Netlogon secure channel connections
  • Enable enforcement using registry key. Only after all non-compliant devices are remediated or exclusions are added to Group Policy.
  • Continue working on non-compliant devices that are excluded using the Group Policy. These non-compliant devices leaves the forest vulnerable.

References and other links

CVE-2020-1472 – Security Update Guide – Microsoft – Netlogon Elevation of Privilege Vulnerability

How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (microsoft.com)

Script to help in monitoring event IDs related to changes in Netlogon secure channel connections associated with CVE-2020-1472 (microsoft.com)

Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472 – Microsoft Security Response Center

Remediate Vulnerable Secure Channel Connections with the Insecure Protocols Workbook – Microsoft Tech Community

ZeroLogon is now detected by Microsoft Defender for Identity (CVE-2020-1472 exploitation) – Microsoft Tech Community

Collect and export SMBv1 audit events using Azure Log Analytics – Azure Cloud & AI Blog

Deploy Azure Advanced Threat Protection (ATP) – Azure Cloud & AI Blog


Author