
CVE-2020-1472 Zerologon Netlogon Vulnerability

Updated: Sep 25, 2020

CVE-2020-1472 - a CVSS-10 privilege escalation vulnerability in Netlogon that could grant anyone full takeover of Active Directory domains.


August 11, 2020 - Initial Deployment Phase:


The initial deployment phase starts with the updates released on August 11, 2020 and continues with later updates until the Enforcement phase. These and later updates make changes to the Netlogon protocol to protect Windows devices by default, log events for non-compliant device discovery, and add the ability to enable protection for all domain-joined devices with explicit exceptions. This release:


Step 1: Install the August 11th patch.

Step 2: Review Event 5829 on the domain controller.

If there are no 5829 events, or all non-secure authenticated clients have been remediated, create the FullSecureChannelProtection registry key to enable enforcement before the February 2021 patch.


Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Create DWORD FullSecureChannelProtection

Set value to 1


Step 3: You can create a GPO to allow non-secure clients as exceptions.

GPO Path: Computer Configuration > Windows Settings > Security Settings > Security Options

Setting name: Domain controller: Allow vulnerable Netlogon secure channel connections
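
Step 2 and the registry change above as one PowerShell check, added here as an example (it is not code from the original post or from Microsoft). The look-back window, the -Enforce switch and the "Machine SamAccountName:" label used to parse the event message are assumptions of this sketch.

```powershell
# Added example: run in an elevated PowerShell session on a domain controller.
# $Days (look-back window) and -Enforce are assumptions of this sketch.
param(
    [int]$Days = 30,
    [switch]$Enforce
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$name    = 'FullSecureChannelProtection'

# Step 2: collect Event ID 5829 (vulnerable connection allowed) from the System log.
# @() guarantees an empty array when no events match.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 5829
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue)

# Summarise by machine account. The "Machine SamAccountName:" label is assumed
# from the event message text; events that do not match are counted as 'unparsed'.
$clients = $events | ForEach-Object {
    if ($_.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { 'unparsed' }
} | Group-Object | Sort-Object Count -Descending

if ($clients) {
    Write-Host "Non-compliant clients seen in the last $Days days:"
    $clients | Format-Table Name, Count -AutoSize | Out-String | Write-Host
    Write-Host 'Remediate these or add them to the GPO exception before enforcing.'
    return
}

Write-Host "No Event 5829 in the last $Days days."
$current = (Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue).$name
Write-Host "Current $name value: $(if ($null -eq $current) { 'not set' } else { $current })"

if ($Enforce) {
    # Create the DWORD and set it to 1, as described in the steps above.
    New-ItemProperty -Path $regPath -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "$name set to 1 (enforcement mode enabled)."
} else {
    Write-Host 'Re-run with -Enforce to set the key.'
}
```

Run it on every domain controller, since each DC logs only the connections it handled, and make sure the System log retains at least as many days as the look-back window.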



February 9, 2021 - Enforcement Phase:


The February 9, 2021 release marks the transition into the enforcement phase. The DCs will now be in enforcement mode regardless of the enforcement mode registry key.  This requires all Windows and non-Windows devices to use secure RPC with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device. This release:

  • Enforces secure RPC usage for machine accounts on non-Windows based devices unless allowed by "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.

  • Logging of Event ID 5829 will be removed.  Since all vulnerable connections are denied, you will now only see event IDs 5827 and 5828 in the System event log.


Please contact info@thecloudconsulting.com for more information or assistance with a remediation plan.
