CVE-2020-1472 Netlogon Secure clarifications

Arun Bhavnani 1 Reputation point
2020-11-24T21:03:01.47+00:00

Hi,

Unfortunately, our environment is a mix bag of Windows 7, 8 , 8.1 and 10 systems. Ever since we have updated the Aug patch, we are observing number of events for 5827, 5828 and 5829. Request if below can be clarified:

  1. Are the events 5827 and 5828 being generated for the outdated versions of the system i.e. Win 7, 8 and 8.1. Also whether monitoring of these events is required or just monitoring for 5829?
  2. How can we configure these Operating systems to prevent such deny connection from DC.
    1. Post Feb upgrade, will these devices be not able to connect to DC even though the above settings have been applied

Regards
Arun

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
10,584 questions
Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,726 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,824 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,718 questions
0 comments No comments
{count} votes

5 answers

Sort by: Most helpful
  1. Dave Patrick 426K Reputation points MVP
    2020-11-24T21:16:25.127+00:00

    You can test from the client end
    Test-ComputerSecureChannel
    https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1

    You can put them in an OU, then add the OU here on each domain controller.
    https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc#theGroupPolicy

    42351-image.png

    --please don't forget to Accept as answer if the reply is helpful--

    0 comments No comments

  2. Arun Bhavnani 1 Reputation point
    2020-11-25T19:51:10.277+00:00

    Thanks Patrick, however is there any other way to mitigate or lower the RISK rather than create a OU.

    Also, there as per the article the secure channel will be enforced irrespective of the bit in registry. In such a case, having an separate OU will work?

    Regards
    Arun

    0 comments No comments

  3. Dave Patrick 426K Reputation points MVP
    2020-11-25T19:53:52.763+00:00

    The desktop operating systems Windows 8 and higher you mentioned should support secure channel. I'd check they're patched fully. Then use
    Test-ComputerSecureChannel
    https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1
    to confirm.

    For any that are non-compliant you'll need to explicitly allow by adding an exception for the non-compliant device

    --please don't forget to Accept as answer if the reply is helpful--

    0 comments No comments

  4. Vicky Wang 2,646 Reputation points
    2020-11-26T02:45:08.763+00:00

    To learn more about the vulnerability, see CVE-2020-1472.

    Take Action

    To protect your environment and prevent outages, you must do the following:

    UPDATE your Domain Controllers with an update released August 11, 2020 or later.
    FIND which devices are making vulnerable connections by monitoring event logs.
    ADDRESS non-compliant devices making vulnerable connections.
    ENABLE enforcement mode to address CVE-2020-1472 in your environment.
    Note Step 1 of installing updates released August 11, 2020 or later will address security issue in CVE-2020-1472 for Active Directory domains and trusts, as well as Windows devices. To fully mitigate the security issue for third-party devices, you will need to complete all the steps.

    Warning Starting February 2021, enforcement mode will be enabled on all Windows Domain Controllers and will block vulnerable connections from non-compliant devices. At that time, you will not be able to disable enforcement mode.

    reference:https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

    Hope this information can help you
    Best wishes
    Vicky

    0 comments No comments

  5. Axel Rouy 1 Reputation point
    2020-12-08T15:01:21.16+00:00

    Hi ,

    I have some question about this patch
    My customer did the august patch on their 90 000 devices and DC but on their 90 000 , 1000 of these devices have not the following registry key : FullSecureChannelProtection
    Why ? after some explaination it seems this registry key is not mandatory (but mu question, the registry key is set automatically after the august patch ?

    I'm sorry if it's not clear..
    Thanks

    0 comments No comments