CVE-2020-1472 - a CVSS-10 privilege escalation vulnerability in Netlogon that could grant anyone full takeover of Active Directory domains.
August 11, 2020 - Initial Deployment Phase:
The initial deployment phase starts with the updates released on August 11, 2020 and continues with later updates until the Enforcement phase. These and later updates make changes to the Netlogon protocol to protect Windows devices by default, log events when non-compliant devices are discovered, and add the ability to enable protection for all domain-joined devices with explicit exceptions. This release:
Step 1: Install the August 11, 2020 patch.
Step 2: Review Event ID 5829 on the domain controller.
If there are no 5829 events, or all non-secure authenticating clients have been remediated, create the FullSecureChannelProtection registry key to enable enforcement before the February 2021 patch.
Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Create DWORD FullSecureChannelProtection
Set value to 1
Step 3: You can create a GPO to allow non-secure clients as an exception.
GPO Path: Computer Configuration > Windows Settings > Security Settings > Security Options
Setting name: Domain controller: Allow vulnerable Netlogon secure channel connections
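The three steps above, as an added PowerShell example that is not part of the original post: it reviews Netlogon events 5827, 5828 and 5829 in the System log of the domain controller and, only when the `-EnableEnforcement` switch is given and no 5829 events remain, creates the FullSecureChannelProtection value described in Step 2. The `-Days` lookback and the switch name are assumptions of this example; run it in an elevated session on the DC.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the domain controller. Reviews Netlogon events 5827/5828/5829 in
# the System log and, only when asked, sets FullSecureChannelProtection=1.
param(
    [int]$Days = 30,            # how far back to look for events (assumed default)
    [switch]$EnableEnforcement  # set the registry value only when this switch is given
)

$ids   = 5827, 5828, 5829
$since = (Get-Date).AddDays(-$Days)

# Get-WinEvent throws when nothing matches, so suppress that and treat it as empty.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $ids; StartTime = $since } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Netlogon events 5827/5828/5829 in the last $Days days."
} else {
    # Count per event ID: 5827/5828 are denied connections, 5829 is allowed but vulnerable.
    $events | Group-Object Id | Sort-Object Name |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize

    # Each 5829 event names the non-compliant machine account in its message;
    # list them so each client can be patched or added to the GPO exception (Step 3).
    $events | Where-Object Id -eq 5829 |
        Select-Object TimeCreated, Message | Format-List
}

$vulnerable = @($events | Where-Object Id -eq 5829).Count

if ($EnableEnforcement) {
    if ($vulnerable -gt 0) {
        Write-Warning "$vulnerable event(s) 5829 found; enforcement would block those clients. Registry left unchanged."
    } else {
        # Step 2: create the DWORD FullSecureChannelProtection = 1
        $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        New-ItemProperty -Path $path -Name 'FullSecureChannelProtection' `
                         -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host "FullSecureChannelProtection set to 1 under $path"
    }
}
```

Run it once without the switch to see the counts and the 5829 messages; once every client listed there has been patched or covered by the "Allow vulnerable Netlogon secure channel connections" exception, run it again with `-EnableEnforcement`. Because the verifier cannot run PowerShell, this block is provided as written.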
February 9, 2021 - Enforcement Phase:
The February 9, 2021 release marks the transition into the enforcement phase. The DCs will now be in enforcement mode regardless of the enforcement mode registry key. This requires all Windows and non-Windows devices to use secure RPC with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device. This release:
Enforces secure RPC usage for machine accounts on non-Windows based devices unless allowed by "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.
Logging of Event ID 5829 will be removed. Since all vulnerable connections are denied, you will now only see event IDs 5827 and 5828 in the System event log.
Please contact info@thecloudconsulting.com for more information or assistance with a remediation plan.