Zerologon EventID 5827 false-positive?

Tran Minh Tien 21 Reputation points
2020-12-16T06:08:58.47+00:00

Hi mates,

I have a lot of DC patched Sep 2020 patch to monitor events related to Zerologon. My graylog showed PCs got the EventID 5827 and I updated for those PCs and enabled 3 policies:

-Domain member: Digitally encrypt or sign secure channel data (always)

-Domain member: Digitally encrypt secure channel data (when possible)

-Domain member: Digitally sign secure channel data (when possible)

as Microsoft's instruction. But those PCs still logged on graylog with EventID "5827 The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account." and make lots of confuse to my team if everything work fine.

Could you please explain for me about those cases when we enabled the policies but still got the alerts?

Thanks & Regards

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,735 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,721 questions
0 comments No comments
{count} votes

Accepted answer
  1. Hannah Xiong 6,231 Reputation points
    2020-12-16T07:56:29.14+00:00

    Hello,

    Thank you so much for posting here.

    Deploy the August 11th updates to all applicable domain controllers (DCs) in the forest, including read-only domain controllers (RODCs). After deploying this update patched DCs will:

    Log event IDs 5827 and 5828 in the System event log, if connections are denied.

    By default, supported versions of Windows that have been fully updated should not be using vulnerable Netlogon secure channel connections. If an event ID 5827 is logged in the system event log for a Windows device:

    1.Confirm that the device is running a supported versions of Windows.
    2.Ensure the device is fully updated from Windows Update.
    3.Check to ensure that Domain member: Digitally encrypt or sign secure channel data (always) is set to Enabled in a GPO linked to the OU for all your DCs, such as the default domain controllers GPO.

    Reference: https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Tran Minh Tien 21 Reputation points
    2020-12-17T06:19:06.173+00:00

    Thanks for your answer.

    0 comments No comments

  2. Tran Minh Tien 21 Reputation points
    2020-12-28T06:43:47.203+00:00

    Hi Hannah Xiong,

    After we deploy the GPO and appy to all OU, we still got the Event ID 5827 from some devices. Could we have any other explaination?

    Thanks & Regards