Microsoft Addressing Windows Netlogon Flaw by Turning on Enforcement Mode This Month
The Cybersecurity and Infrastructure Security Agency (CISA) issued a reminder on Wednesday that Microsoft is implementing a "domain controller enforcement" mode this month to address a "Critical"-rated Windows Netlogon vulnerability that was initially patched back in August.
Enforcement mode will get activated via this month's "update Tuesday" patches from Microsoft. When activated, Windows and non-Windows devices will have to use a "secure Remote ProtoCol" (RPC) for connections that blunts the Netlogon vulnerability.
The vulnerability, if left unpatched, could permit an attacker to connect to a domain controller and gain administrative access privileges. CISA, part of the U.S. Department of Homeland Security, had noted back in September that exploit code was publicly available.
Microsoft apparently didn't offer a reminder this week about the enforcement mode change, although it did issue one last month. A second patch from Microsoft will turn on enforcement mode. Exactly which patch does it wasn't described.
The Netlogon fix from Microsoft is a two-stage process. In August, Microsoft had released a patch that provided initial protection, but it didn't resolve the issue. Microsoft noted back then that there would be a Phase 2 fix, ushering in enforcement mode, which would occur with the release of its Feb. 9, 2021 patches. These details are recounted in Microsoft's revised August security bulletin, CVE-2020-1472 .
That bulletin was updated on Feb. 9 (version 2.0) to explain that enforcement mode "will block vulnerable connections from non-compliant devices" unless IT pros have carved out an exception. It added that "administrators will not be able to disable or override enforcement mode."
Organizations need to have applied Microsoft's August security patches (or later ones), as well as this month's patches, for the Netlogon protections to take effect. If they haven't done so, then devices may have troubles connecting with networks using Windows Server. The connection issue affects Windows devices, as well as non-Windows ones.
Little was said by security researchers about the Netlogon enforcement mode change. Possibly, the implementation happens through a quality update from Microsoft, rather than via a security patch.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.