Confusion regarding Event ID: 5829

Mittal, Varun 1 Reputation point
2020-09-30T15:49:26.34+00:00

Hi

I have been referring to the CVE-1472 advisory

And am now a bit confused about the Event ID: 5829 in the initial deployment phase.
The article says that in the initial deployment phase, the default policy would be to deny vulnerable netlogon secure channels, unless the machines are added to group policy.

So I would expect events 5827 and 5828.
And if the group policy is allowing vulnerable connections, I would expect events 5830 and 5831.

Then in what case would I see event 5829? Is that only for non-Windows-based systems?


6 answers

  1. Anonymous
    2020-09-30T16:35:00.067+00:00

    Then in what case would I see events 5829. Is that only for non-windows based systems ?

    Event ID 5829 is generated when a vulnerable connection is allowed during the initial deployment phase.
    You can test from the client end with PowerShell:
    Test-ComputerSecureChannel

    https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1

    --please don't forget to Accept as answer if the reply is helpful--


  2. Anonymous
    2020-09-30T18:10:41.913+00:00

    During the Initial Deployment Phase

    • Begin enforcing secure RPC usage for all Windows-based device accounts, trust accounts and all DCs.
    • Log event IDs 5827 and 5828 in the System event log, if connections are denied.
    • Log event IDs 5830 and 5831 in the System event log, if connections are allowed by "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.
    • Log event ID 5829 in the System event log whenever a vulnerable Netlogon secure channel connection is allowed. These events should be addressed before the DC enforcement mode is configured or before the enforcement phase starts on February 9, 2021.

    --please don't forget to Accept as answer if the reply is helpful--

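The bullet list above describes what each of the five event IDs means; the practical follow-up is pulling those events off every domain controller and turning the 5829 entries into a work list. The PowerShell below is an added example, not code from this thread or from Microsoft. The function names are mine, the sample events are constructed (not real log data), and the field labels matched by the regular expressions ("Machine SamAccountName:", "Trust Name:", "Machine Operating System:", "Client IP Address:") follow the event text shown in KB4557222, which is an assumption about the message layout.

```powershell
# Added example, not code from the thread or from Microsoft: triage the Netlogon
# secure-channel events 5827-5831 that the initial deployment phase writes to the
# System log of every domain controller. Function names are my own; the field
# labels in the regexes follow the event text shown in KB4557222 (an assumption).

# What each ID means, per the KB article quoted in the answer above.
$NetlogonEventMeaning = @{
    5827 = 'DENIED  - vulnerable connection from a machine account'
    5828 = 'DENIED  - vulnerable connection from a trust account'
    5829 = 'ALLOWED - vulnerable connection (deployment phase); fix before enforcement'
    5830 = 'ALLOWED - machine account listed in the "Allow vulnerable Netlogon secure channel connections" policy'
    5831 = 'ALLOWED - trust account listed in the "Allow vulnerable Netlogon secure channel connections" policy'
}

function ConvertFrom-NetlogonEvent {
    # Flatten one event into who connected, from where, and why it matters.
    param(
        [Parameter(Mandatory)][int]$Id,
        [Parameter(Mandatory)][string]$Message,
        [datetime]$TimeCreated = (Get-Date),
        [string]$DomainController = $env:COMPUTERNAME
    )
    # 5827/5829/5830 name the machine account; 5828/5831 name the trust instead.
    $account = if ($Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] }
               elseif ($Message -match 'Trust Name:\s*(\S+)')       { $Matches[1] }
               else { '<unparsed>' }
    # Colon directly after "Machine Operating System" keeps the "... Build:" line from matching.
    $os = if ($Message -match 'Machine Operating System:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '' }
    $ip = if ($Message -match 'Client IP Address:\s*(\S+)') { $Matches[1] } else { '' }

    [pscustomobject]@{
        TimeCreated      = $TimeCreated
        DomainController = $DomainController
        Id               = $Id
        Meaning          = $NetlogonEventMeaning[$Id]
        Account          = $account
        OperatingSystem  = $os
        ClientIP         = $ip
    }
}

function Get-NetlogonChannelEvents {
    # Live query against one or more DCs. Filters on log name and ID only, so it
    # does not depend on the provider name. Run it against every DC: each DC
    # logs only the secure-channel connections it served itself.
    param(
        [string[]]$DomainController = @($env:COMPUTERNAME),
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    foreach ($dc in $DomainController) {
        $filter = @{ LogName = 'System'; Id = 5827, 5828, 5829, 5830, 5831; StartTime = $Since }
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                ConvertFrom-NetlogonEvent -Id $_.Id -Message $_.Message `
                    -TimeCreated $_.TimeCreated -DomainController $dc
            }
    }
}

# Constructed sample events (not real log data), laid out like the KB's event
# text, so the triage below runs without a domain controller. For real data use:
#   $events = Get-NetlogonChannelEvents -DomainController 'DC01','DC02'
$sample = @(
    @{ Id = 5829; Lines = @('The Netlogon service allowed a vulnerable Netlogon secure channel connection.',
                            'Machine SamAccountName: OLDNAS01$', 'Domain: CORP',
                            'Account Type: Workstation Trust Account',
                            'Machine Operating System: Linux', 'Client IP Address: 10.0.5.20') }
    @{ Id = 5829; Lines = @('The Netlogon service allowed a vulnerable Netlogon secure channel connection.',
                            'Machine SamAccountName: OLDNAS01$', 'Domain: CORP',
                            'Machine Operating System: Linux', 'Client IP Address: 10.0.5.21') }
    @{ Id = 5827; Lines = @('The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.',
                            'Machine SamAccountName: WS-FIN-07$', 'Domain: CORP',
                            'Machine Operating System: Windows 7', 'Client IP Address: 10.0.7.31') }
    @{ Id = 5830; Lines = @('The Netlogon service allowed a vulnerable Netlogon secure channel connection because the machine account is allowed in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.',
                            'Machine SamAccountName: LEGACY-APP$', 'Domain: CORP',
                            'Client IP Address: 10.0.9.5') }
)
$events = $sample | ForEach-Object { ConvertFrom-NetlogonEvent -Id $_.Id -Message ($_.Lines -join "`r`n") }

# Counts per ID. 5827/5828 are already blocked; 5830/5831 are your deliberate
# exceptions; 5829 is the list to clear before enforcement mode is turned on.
$events | Group-Object Id | Sort-Object Name |
    Select-Object @{n='Id'; e={[int]$_.Name}}, Count, @{n='Meaning'; e={$NetlogonEventMeaning[[int]$_.Name]}} |
    Format-Table -AutoSize

# Each distinct 5829 account needs a patched client or, as a stopgap, an entry
# in the allow policy (which turns its 5829 events into 5830, not into silence).
$events | Where-Object Id -eq 5829 | Group-Object Account |
    Select-Object @{n='Account'; e={$_.Name}}, Count,
                  @{n='OS';      e={($_.Group.OperatingSystem | Select-Object -Unique) -join ', '}},
                  @{n='Sources'; e={($_.Group.ClientIP        | Select-Object -Unique) -join ', '}} |
    Format-Table -AutoSize
```

Run it from a host that can read the System log on the DCs; the second table is the one to drive remediation from, since every account in it will start producing 5827 (and failing to authenticate) once enforcement is on.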

  3. Anonymous
    2020-09-30T19:53:33.103+00:00

    Begin enforcing secure RPC usage for all Windows-based device accounts, trust accounts and all DCs so unsecure connections would be denied unless you added to the policy "Domain controller: Allow vulnerable Netlogon secure channel connections"

    From cmd.exe run gpedit.msc, then navigate to:

    [image: 29542-image.png]

    --please don't forget to Accept as answer if the reply is helpful--


  4. Anonymous
    2020-10-01T12:35:24.38+00:00

    You'll see event ID 5829 in the System event log whenever a vulnerable Netlogon secure channel connection is allowed via the policy above.

    --please don't forget to Accept as answer if the reply is helpful--


  5. Anonymous
    2020-10-03T12:53:05.91+00:00

    Might read through the FAQ in this document.
    https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

    --please don't forget to Accept as answer if the reply is helpful--

