Microsoft Warns IT Pros on Windows Netlogon Fix Coming Next Month

Microsoft on Thursday issued a reminder to organizations to ensure that their systems are properly patched for a "Critical"-rated Windows Netlogon vulnerability before next month's "update Tuesday" patch distribution arrives.

Microsoft's February security patches will arrive on Tuesday, Feb. 9, and will bring a patch that turns on a so-called "domain controller enforcement mode" for Windows systems (namely, Windows Server 2016 and Windows Server 2019). This February patch will require "secure Remote Procedure Call" (RPC) for the Netlogon secure channel, which blunts the Netlogon vulnerability.

Microsoft had provided initial protection for the Netlogon vulnerability in its August patch bundle. The vulnerability is specifically described in Microsoft's CVE-2020-1472 security bulletin. However, Microsoft also explained back then that this patch would be followed by another one in February that would activate domain controller enforcement mode. Organizations that haven't kept up with this patching (for instance, by not applying the August patches or the ones that followed) could experience connection issues with devices when the February security patch bundle arrives and is applied.

The aim of this two-part patching sequence is to eliminate a vulnerability in the Netlogon component used with Windows Server 2016 and Windows Server 2019 that could permit an attacker to connect to a domain controller and gain administrative access privileges.

The exploit code for the Netlogon vulnerability, dubbed "Zerologon," was described as being publicly accessible back in September by the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security.

Patching Windows Server isn't the whole of the management task. IT pros may also have issues finding clients that still use the insecure Netlogon protocols. Microsoft offers a script, and has also given advice on using its Azure Sentinel product, to find such devices.
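As an added illustration (not Microsoft's script and not code from the article), the Python snippet below triages a constructed, simplified export of a domain controller's System log. The event IDs are the ones Microsoft documents for CVE-2020-1472 (5829 in particular marks a vulnerable connection that is still allowed only because enforcement mode is off); the one-line-per-event layout, machine account names and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Netlogon event IDs Microsoft documents for CVE-2020-1472 (System log, source NETLOGON).
DENIED = {5827, 5828}                # vulnerable secure-channel connection denied
ALLOWED_PRE_ENFORCEMENT = {5829}     # allowed only while enforcement mode is off
ALLOWED_BY_EXCEPTION = {5830, 5831}  # allowed via an explicit Group Policy exception

# Constructed, simplified export format: "<time> <event_id> <machine_account> <client_ip>".
# A real export (wevtutil / Get-WinEvent) needs its own field extraction.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<eid>\d+)\s+(?P<account>\S+)\s+(?P<ip>\S+)$")

# Constructed sample data; the 4624 line shows unrelated events are ignored.
SAMPLE_EXPORT = """\
2021-01-15T10:01:02Z 5829 NAS-OLD$ 10.0.4.17
2021-01-15T10:05:40Z 5829 PRINTER-2$ 10.0.4.22
2021-01-15T10:07:11Z 5829 NAS-OLD$ 10.0.4.17
2021-01-15T10:09:55Z 5831 LEGACY-APP$ 10.0.9.3
2021-01-15T10:12:08Z 5827 UNKNOWN-DEV$ 10.0.7.99
2021-01-15T10:13:00Z 4624 WS-001$ 10.0.1.5
"""

def parse_line(line):
    """Return (event_id, machine_account, client_ip) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group("eid")), m.group("account"), m.group("ip")

def triage(export_text):
    """Group devices by how the DC handled their Netlogon secure-channel connection.

    'will_break' lists devices that still rely on the insecure protocol and will be
    refused once enforcement mode is turned on in the February update.
    """
    report = {"will_break": defaultdict(set), "exception": defaultdict(set), "denied": defaultdict(set)}
    for line in export_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        eid, account, ip = parsed
        if eid in ALLOWED_PRE_ENFORCEMENT:
            report["will_break"][account].add(ip)
        elif eid in ALLOWED_BY_EXCEPTION:
            report["exception"][account].add(ip)
        elif eid in DENIED:
            report["denied"][account].add(ip)
    return {category: dict(devices) for category, devices in report.items()}

if __name__ == "__main__":
    for category, devices in triage(SAMPLE_EXPORT).items():
        print(category, {acct: sorted(ips) for acct, ips in devices.items()})
```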

The February patch for the Netlogon vulnerability, while concerned with Windows Server, won't just affect Windows devices. Non-Windows devices may be using the insecure protocol, too.

"DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device," Microsoft's Thursday announcement explained.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
