Microsoft Addressing Windows Netlogon Flaw by Turning on Enforcement Mode This Month -- Redmondmag.com

Microsoft Addressing Windows Netlogon Flaw by Turning on Enforcement Mode This Month

By Kurt Mackie
02/10/2021

The Cybersecurity and Infrastructure Security Agency (CISA) issued a reminder on Wednesday that Microsoft is implementing a "domain controller enforcement" mode this month to address a "Critical"-rated Windows Netlogon vulnerability that was initially patched back in August.

Enforcement mode will get activated via this month's "update Tuesday" patches from Microsoft. When activated, Windows and non-Windows devices will have to use a "secure Remote ProtoCol" (RPC) for connections that blunts the Netlogon vulnerability.

The vulnerability, if left unpatched, could permit an attacker to connect to a domain controller and gain administrative access privileges. CISA, part of the U.S. Department of Homeland Security, had noted back in September that exploit code was publicly available.

Microsoft apparently didn't offer a reminder this week about the enforcement mode change, although it did issue one last month. A second patch from Microsoft will turn on enforcement mode. Exactly which patch does it wasn't described.

The Netlogon fix from Microsoft is a two-stage process. In August, Microsoft had released a patch that provided initial protection, but it didn't resolve the issue. Microsoft noted back then that there would be a Phase 2 fix, ushering in enforcement mode, which would occur with the release of its Feb. 9, 2021 patches. These details are recounted in Microsoft's revised August security bulletin, CVE-2020-1472 .

That bulletin was updated on Feb. 9 (version 2.0) to explain that enforcement mode "will block vulnerable connections from non-compliant devices" unless IT pros have carved out an exception. It added that "administrators will not be able to disable or override enforcement mode."

Organizations need to have applied Microsoft's August security patches (or later ones), as well as this month's patches, for the Netlogon protections to take effect. If they haven't done so, then devices may have troubles connecting with networks using Windows Server. The connection issue affects Windows devices, as well as non-Windows ones.

Little was said by security researchers about the Netlogon enforcement mode change. Possibly, the implementation happens through a quality update from Microsoft, rather than via a security patch.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Multi-Tenant Organization Hooks Released for Microsoft 365

Microsoft Entra ID's new multi-tenant organization capabilities have reached general availability (GA).
Real-World Ransomware Recovery

Here's how I was (mostly) successful in recovering a family PC infected with malware.
Microsoft Launches Small AI Models Family Phi-3

Recognizing that bigger isn't always better, Microsoft has released its smallest open AI models to date, Phi-3.
Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.