Netlogon Secure Channel Enforcement

Jeff Silverman

In response to a vulnerability alert from Microsoft, we are sharing the following advisory.

Customers must take action to:

a) ensure that all vulnerable systems (i.e. unsupported Windows systems, including Windows 7, Windows Server 2008, etc., as well as any third-party devices that do not support secure Netlogon) have been removed from the network before applying the February 9, 2021 update to domain controllers; or
b) configure exceptions for vulnerable systems via Group Policy, per the Microsoft article referenced below.

Microsoft is in the process of issuing updates to ensure that domain-joined machines use secure RPC to communicate with domain controllers. The updates are in two phases:

August 11, 2020 – Initial Deployment Phase

The initial deployment phase starts with the updates released on August 11, 2020 and continues with later updates until the Enforcement phase. These and later updates change the Netlogon protocol to protect Windows devices by default, log events for non-compliant device discovery, and add the ability to enable protection for all domain-joined devices with explicit exceptions. This release:

  • Enforces secure RPC usage for machine accounts on Windows based devices.
  • Enforces secure RPC usage for trust accounts.
  • Enforces secure RPC usage for all Windows and non-Windows DCs.
  • Includes a new group policy to allow non-compliant device accounts (those that use vulnerable Netlogon secure channel connections). Even when DCs are running in enforcement mode or after the Enforcement phase starts, allowed devices will not be refused connection.
  • Adds the FullSecureChannelProtection registry key to enable DC enforcement mode for all machine accounts (the Enforcement phase will update DCs to DC enforcement mode).
  • Includes new events when accounts are denied or would be denied in the DC enforcement mode (and will continue in the Enforcement phase).

Mitigation consists of installing the update on all DCs and RODCs, monitoring for new events, and addressing non-compliant devices that are using vulnerable Netlogon secure channel connections. Machine accounts on non-compliant devices can be allowed to use vulnerable Netlogon secure channel connections; however, they should be updated to support secure RPC for Netlogon and the account enforced as soon as possible to remove the risk of attack.
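The monitoring step above is where most of the work is: the new events are written to the System log on each DC, and the account named in each event is the device that still needs fixing (or an explicit exception) before February 9, 2021. The script below is an added example, not part of this advisory or of Microsoft's guidance. It is meant to be run in an elevated PowerShell session on a domain controller or RODC, and it assumes the event text carries "SamAccountName:" / "Trust Name:" / "Operating System:" fields as documented in the referenced Microsoft article (if a message does not match, the raw message is still kept). It covers both phases: 5829 (allowed but vulnerable) only exists during the initial deployment phase, while 5827 and 5828 (denied) remain after enforcement.

```powershell
# Added example (not from the advisory): find non-compliant Netlogon clients from DC event logs
# and check whether the DC is already in enforcement mode.

# Event IDs named in the advisory (5827-5829) plus the two "allowed by policy exception"
# IDs documented in the referenced Microsoft article (5830/5831).
$NetlogonEventIds = @{
    5827 = 'Denied: vulnerable connection from a machine account'
    5828 = 'Denied: vulnerable connection from a trust account'
    5829 = 'Allowed: vulnerable connection (initial deployment phase only)'
    5830 = 'Allowed by Group Policy exception: machine account'
    5831 = 'Allowed by Group Policy exception: trust account'
}

function Get-NetlogonSecureChannelEvents {
    param(
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'System'
        Id        = [int[]]$NetlogonEventIds.Keys
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: Get-WinEvent raises "No events were found" on a clean DC, which is the good case.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: message layout as in the Microsoft article; fall back to the raw message.
            $account = if ($_.Message -match 'SamAccountName:\s*(\S+)')   { $Matches[1] }
                       elseif ($_.Message -match 'Trust Name:\s*(\S+)')   { $Matches[1] }
                       else                                               { '(see Message)' }
            $os = if ($_.Message -match 'Operating System:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                DC          = $_.MachineName
                EventId     = $_.Id
                Meaning     = $NetlogonEventIds[$_.Id]
                Account     = $account
                OS          = $os
                Message     = $_.Message
            }
        }
}

function Get-NonCompliantDeviceSummary {
    param([int]$Days = 7)
    # One row per account: how often it was seen, and what happened most recently.
    # Anything with LastEvent 5827/5828/5829 still needs a fix or a Group Policy exception.
    Get-NetlogonSecureChannelEvents -Days $Days |
        Group-Object Account |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                Account   = $_.Name
                Count     = $_.Count
                LastSeen  = $latest.TimeCreated
                LastEvent = $latest.EventId
                Meaning   = $latest.Meaning
                OS        = $latest.OS
            }
        } | Sort-Object Count -Descending
}

function Test-FullSecureChannelProtection {
    # Reads the FullSecureChannelProtection value named in the advisory. The key path is the one
    # documented in the referenced Microsoft article. 1 = DC enforcement mode already on.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $value = (Get-ItemProperty -Path $key -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
    [pscustomobject]@{
        DC                          = $env:COMPUTERNAME
        FullSecureChannelProtection = $value
        EnforcementModeEnabled      = ($value -eq 1)
    }
}

# Usage on each DC / RODC:
Test-FullSecureChannelProtection
Get-NonCompliantDeviceSummary -Days 30 | Format-Table -AutoSize
```

Run it against every DC and RODC (the `-ComputerName` parameter on `Get-NetlogonSecureChannelEvents` lets you collect from a central host), since each DC only logs the connections it handled. An empty summary after the August 11, 2020 update has been in place for a full week or more is the signal that the February 9, 2021 update can be applied without losing devices.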

February 9, 2021 – Enforcement Phase

The February 9, 2021 release marks the transition into the enforcement phase. The DCs will now be in enforcement mode regardless of the enforcement mode registry key. This requires all Windows and non-Windows devices to use secure RPC with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device. This release:

  • Enforces secure RPC usage for machine accounts on non-Windows based devices unless allowed by “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
  • Logging of Event ID 5829 will be removed. Since all vulnerable connections are denied, you will now see only event IDs 5827 and 5828 in the System event log.

Reference – How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472

Please contact our team if you would like assistance.

Security Operations Center