Questions regarding CVE-2020-1472 and upcoming enforcement

Matt McQuarrie 21 Reputation points
2021-02-04T17:01:05.017+00:00

We are taking over all IT operations for a company. I have already prepped my current DC with this patch with no issue. However, this new company has a Server 2008 R2 (primary DC) and a Server 2008 Standard (secondary DC) as domain controllers. Since 2008 Standard is not compatible with this update, what happens if I apply it to the 2008 R2 only? Will vulnerable connections still be denied since it's secondary, or? Will anything potentially "break" since I can only apply it to the 2008 R2 server?


Accepted answer
Fan Fan 15,356 Reputation points Microsoft Vendor
2021-02-05T06:23:02.06+00:00

Hi,

To provide AD forest protection, all DCs must be updated, since they will enforce secure RPC with Netlogon secure channel. This includes read-only domain controllers (RODC).

If a non-compliant DC cannot support secure RPC with Netlogon secure channel before the DCs are in enforcement mode, we have to add the DC using the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.
Allowing DCs to use vulnerable connections by the group policy will make the forest vulnerable to attack. The end goal should be to address and remove all accounts from the group policy.

So it would be a better idea to upgrade the old DC which cannot support secure RPC with Netlogon secure channel.
For your reference: https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e

Best Regards,

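Before enforcement mode, the practical way to answer "will anything break?" is to read the Netlogon events the patched DC already writes: 5827/5828 are denied vulnerable connections, 5829 is a vulnerable connection still allowed during the deployment phase, and 5830/5831 are connections allowed only because the account sits in the group policy the answer mentions. The script below is an added example (not from this thread or Microsoft's article); it assumes it runs elevated on the patched 2008 R2 DC and that the account name is the first inserted string of each event (true for the machine-account events; treat it as an assumption for the trust-account events 5828/5831).

```powershell
# Added example: summarise Netlogon secure-channel events (IDs 5827-5831)
# on a DC that has the CVE-2020-1472 update installed, so every account that
# would be refused in enforcement mode is visible before the switch is flipped.
# Event meanings are taken from Microsoft's CVE-2020-1472 guidance.
$meaning = @{
    5827 = 'DENIED  - vulnerable connection from machine account'
    5828 = 'DENIED  - vulnerable connection from trust account'
    5829 = 'ALLOWED - will be denied once enforcement mode is on'
    5830 = 'ALLOWED - machine account listed in the vulnerable-connections GPO'
    5831 = 'ALLOWED - trust account listed in the vulnerable-connections GPO'
}

# Pull the last 7 days of Netlogon events from the System log.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No Netlogon 5827-5831 events in the last 7 days on this DC.'
    return
}

# Assumption: Properties[0] holds the SamAccountName of the connecting account.
# Keep only the most recent event per account so each client appears once
# with the outcome of its latest secure-channel attempt.
$events |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $_.Properties[0].Value
            Id      = $_.Id
            Outcome = $meaning[$_.Id]
        }
    } |
    Sort-Object Time -Descending |
    Group-Object Account |
    ForEach-Object { $_.Group[0] } |
    Sort-Object Id |
    Format-Table Time, Account, Id, Outcome -AutoSize
```

Accounts that show up with 5829 are the ones that will stop working when enforcement arrives, so they are the ones to patch or, as a last resort, list in the group policy until they can be retired.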
