News

Microsoft Proposes Azure Sentinel Solution for Finding Vulnerable Netlogon Clients

Microsoft engineers outlined a way to find vulnerable Netlogon channel connections for organizations using newer Windows Server systems.

These connections will get blocked in February if Netlogon clients aren't upgraded beforehand. The details are described in a Thursday announcement by Jon Shectman, a Microsoft Premier field engineer specializing in security issues and fellow security Premier Field Engineer Brian Delaney. This Netlogon security issue affects organizations running Windows Server 2019 or Windows Server 2016.

Microsoft's solution for finding vulnerable Netlogon connections depends on using Azure Sentinel, which is Microsoft's cloud-based security information event management (SIEM) solution. Azure Sentinel pricing has a pay-for-use model, based on the capacity processed per day, although there's a free trial, per Microsoft's pricing page.

Netlogon is used for "user and machine authentication on domain-based networks," per Microsoft's definition, but it has a security vulnerability associated with Windows Server 2019 or Windows Server 2016 systems that was described earlier this month during "update Tuesday," which is Microsoft monthly security patch release event.

On Aug. 11 (update Tuesday), Microsoft kicked off a two-phase patch process for Netlogon in those servers to address a "Critical"-rated elevation-of-privilege vulnerability (CVE-2020-1472). Microsoft's Aug. 11 patch provided initial protection, but Microsoft plans to deliver another patch in February that will activate a "secure Remote ProtoCol (RPC)."

Organizations running Windows Server 2019 or Windows Server 2016 will need to have updated their Netlogon clients before that time to avoid an issue where devices will get denied access. It turns out that the patch activating secure RPC will arrive on Feb. 9, 2021 (update Tuesday for that month), which is billed as the "enforcement" date by Microsoft.

Microsoft's solution to finding Netlogon clients that need updating before the Feb. 9, 2021 enforcement date is to use the Insecure Protocols Workbook in Azure Sentinel, as outlined in the announcement.

"Once you know where to look, you'll need to upgrade all Netlogon clients," Microsoft's announcement indicated, without explaining how to do the upgrading. It's still possible to get thrown by insecure connections with "Realm trusts," though, which "may require more planning to remediate," the announcement added.

Possibly, Microsoft will ease the detection process somewhat when using the Insecure Protocols Workbook by updating it with the associated Netlogon event IDs. At least, that idea was thought to be a good one by Shectman in this Twitter exchange.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • Salesforce Buying Slack for $27 Billion To Bolster CRM Solution

    Salesforce on Tuesday announced the purchase of collaboration software-maker Slack for an estimated $27.7 billion.

  • Dark City Illustration

    The Night the Lights Went Out in the Cloud: Lessons from the AWS Outage

    Last week's AWS outage that broke the Internet showed how critical it is to build applications that can withstand transient failure. Here's what you need to know to design a resilient cloud app (and it doesn't involve multicloud).

  • 5 Steps To Fix Windows Indexing Problems

    The Windows indexing feature doesn't always deliver the correct results of a file search. Here are five troubleshooting steps you can take whenever Windows indexing acts up.

  • Microsoft Adding Simpler Microsoft 365 Admin Center Option for Small Businesses

    The Microsoft 365 Admin Center, used for setting up and managing various Microsoft services, is getting a more lightweight interface designed for "very small businesses," according to a Tuesday Microsoft announcement.

comments powered by Disqus