Microsoft Warns IT Pros on Windows Netlogon Fix Coming Next Month -- Redmondmag.com

Microsoft Warns IT Pros on Windows Netlogon Fix Coming Next Month

By Kurt Mackie
01/15/2021

Microsoft on Thursday issued a reminder to organizations to ensure that their systems are properly patched for a "Critical"-rated Windows Netlogon vulnerability before next month's "update Tuesday" patch distribution arrives.

Microsoft's February security patches will arrive on Tuesday, Feb. 9, and will bring a patch that turns on a so-called "domain controller enforcement mode" for Windows systems (namely, Windows Server 2016 and Windows Server 2019). This February patch will activate a "secure Remote ProtoCol" (RPC) that blunts the Netlogon vulnerability.

Microsoft had provided initial protection for the Netlogon vulnerability in its August patch bundle. The vulnerability is specifically described in Microsoft's CVE-2020-1472 security bulletin. However, it was also explained back then that this patch would be followed by another one in February that would activate domain controller enforcement mode. Organizations that haven't kept up to date with this patching, such as not applying August or subsequent patches, could experience connection issues with devices when the February security patch bundle arrives and gets applied.

The aim of this two-part patching sequence is to eliminate a vulnerability in the Netlogon component used with Windows Server 2016 and Windows Server 2019 that could permit an attacker to connect to a domain controller and gain administrative access privileges.

The exploit code for the Netlogon vulnerability, dubbed "Zerologon," was described as being publicly accessible back in September by the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security.

Patching Windows Server isn't the whole of the management task. IT pros may also have issues finding clients that still use the insecure Netlogon protocols. Microsoft offers a script, and has also given advice on using its Azure Sentinel product, to find such devices.

The February patch for the Netlogon vulnerability, while concerned with Windows Server, won't just affect Windows devices. Non-Windows devices may be using the insecure protocol, too.

"DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device," Microsoft's Thursday announcement explained.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Multi-Tenant Organization Hooks Released for Microsoft 365

Microsoft Entra ID's new multi-tenant organization capabilities have reached general availability (GA).
Real-World Ransomware Recovery

Here's how I was (mostly) successful in recovering a family PC infected with malware.
Microsoft Launches Small AI Models Family Phi-3

Recognizing that bigger isn't always better, Microsoft has released its smallest open AI models to date, Phi-3.
Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.