Earlier in 2020, a security bug was discovered in Microsoft Windows systems that was serious enough for the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive ordering all federal departments to address it. In this article, we’ll help you understand why this vulnerability warrants emergency status, its potential impact on your business and what you can do to avoid problems when February 9th rolls around.

Secure RPC Overview

In August, Microsoft patched a very interesting vulnerability that, according to Secura, the security firm that discovered the bug, would allow an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is that the attacker can open a network connection to the Domain Controller.
Since then, IT administrators have been urged to prioritize the installation of this security patch for Windows Server. In September, Microsoft reported that it was seeing the vulnerability exploited by hackers.

Fixing the Vulnerability

Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by changing how Netlogon handles the use of Netlogon secure channels.

Phase 1 – Initial Deployment Phase (Began August 11, 2020)
In August, Microsoft released the first phase of a two-phase fix to force secure RPC with Netlogon.

Phase 2 – Enforcement Phase (Begins February 9, 2021)
The second phase activates an enforcement mode. “The DCs will now be in enforcement mode regardless of the enforcement mode registry key. This requires all Windows and non-Windows devices to use secure RPC with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device.” Specifically, the policy will:

  • Enforce secure RPC usage for machine accounts on Windows-based devices.
  • Enforce secure RPC usage for trust accounts.
  • Enforce secure RPC usage for all Windows and non-Windows DCs.

How Can This Impact My Business?

Devices that are not compliant with secure RPC will not be able to connect to the domain. This includes any unsupported Microsoft operating systems, including Server 2003, 2008 and 2008 R2, and Windows 7.

This also includes non-Windows devices that connect to Microsoft Active Directory Domain Services, such as Storage Area Network (SAN) and Network Attached Storage (NAS) devices, Linux operating systems and other non-Windows products that do not support connecting over a secure RPC connection.

Devices that cannot connect to a patched Microsoft Active Directory Domain Controller will be unable to authenticate with, or share resources with, any Microsoft Active Directory domain that has been patched.

Examples include being unable to connect to a file server, to retrieve security settings from the domain, or to log in to network devices such as switches and routers that rely on Microsoft Active Directory Domain Controllers for AAA/RADIUS authentication.

What Should I Do?

The critical nature of this vulnerability warrants that action be taken. Here are the four steps to take:

Assess the Situation
Review the information within this article and the resources listed below to fully understand the issue.

Identify & Plan
Identify the devices in your environment that are not compliant and develop a remediation plan.

Address the Issues
Replace non-compliant devices or follow Microsoft’s documented options for allowing non-secure RPC.

Seek Advice
If you need any assistance, contact us and we’ll help ensure you’re covered.
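The “Identify & Plan” step can be started from the domain controllers’ own logs: after the August 2020 update, a DC records Netlogon events 5827 to 5831 for every vulnerable secure channel connection it sees (described in Microsoft’s “How to manage the changes in Netlogon secure channel connections” article listed below). The PowerShell script that follows is an added example, not part of this article or of Microsoft’s guidance; it collects those events from one or more DCs and groups them by account, and the message fields it parses (“Machine SamAccountName”, “Trust Name”) are assumed from that Microsoft article.

```powershell
# Added example (not from the article): list devices that still use vulnerable
# Netlogon secure channels, using the events a patched DC writes to its System log.
# Event IDs (provider NETLOGON, per Microsoft's Netlogon change-management KB):
#   5827/5828 vulnerable connection DENIED (machine/trust account); 5829 ALLOWED in the
#   initial deployment phase; 5830/5831 allowed via a Group Policy exception.
# Assumption: run on a DC, or pass -DomainController with names whose logs you can read.
param(
    [string[]]$DomainController = @($env:COMPUTERNAME),
    [int]$Days = 7
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-$Days)
}

$findings = foreach ($dc in $DomainController) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
            # Assumption: the message body carries "Machine SamAccountName:" (machine account
            # events) or "Trust Name:" (trust account events); fall back to the first message line.
            $account = if ($_.Message -match '(?m)^\s*(?:Machine SamAccountName|Trust Name):\s*(\S+)') {
                $Matches[1]
            } else { '(unparsed) ' + ($_.Message -split "`n")[0] }
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $_.TimeCreated
                EventId          = $_.Id
                Account          = $account
            }
        }
    } catch {
        # Get-WinEvent throws when no events match; that simply means this DC is clean.
        if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "$dc : $($_.Exception.Message)" }
    }
}

# One row per account. A 5829 hit is a device that will be refused once enforcement
# mode starts on February 9, 2021 unless it is fixed, replaced or explicitly excepted.
$findings | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account        = $_.Name
        Events         = $_.Count
        LastSeen       = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
        BreaksInPhase2 = [bool]($_.Group | Where-Object EventId -eq 5829)
    }
} | Sort-Object BreaksInPhase2 -Descending | Format-Table -AutoSize
```

Run it against every DC in the domain, since each DC only logs the connections it handled itself; 5830/5831 rows show where an exception has already been granted and should be reviewed rather than left in place.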

Resources

DHS Emergency Directive
Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday

Microsoft Resources
How to manage the changes in Netlogon secure channel connections
Netlogon Elevation of Privilege Vulnerability

Other Resources / Overviews
Admins urged to patch Windows Server immediately to close vulnerability
Zerologon (CVE-2020-1472): Critical Active Directory Vulnerability