CVE-2020-1472 mixed os environment

Question

Hi

Due to threat of CVE-2020-1472 we've done phase 1 on our 3 domain controllers (2x win2k2012R2 1x 2019standard)
All 3 DC's are patched and ready for phase 2 9th of february

in regedit on all DC's i've changed :
HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
FullSecureChannelProtection to Value 1

and now domain controllers are in force mode. We have plenty of computer clients in our domain (windows 2000, windows xp, windows 7 and windows 10)
But when we check event viewer for event id: 5827, 5828, 5829, 5830,5831 none of events are shown.
Is it normal or am i something wrong set?

All help will be appreciated
thx

Answer 1

Hello @Gracjan Podłęcki ,

Thank you for posting here.

If there is no non-compliant user account or no non-compliant devices account to perform Netlogon secure channel connections currently, there are no these events (5827, 5828, 5829, 5830,5831) currently.

If we install updates of phase one.

For event 5829

If there is non-compliant user account or non-compliant devices account to perform Netlogon secure channel connections, event ID 5829 will be logged.

If all domain controllers are in force mode.

For event 5827 and event 5828

Non-compliant user account or non-compliant devices account that memtioned by event ID 5829 are not configured in "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, event ID 5827 and event ID 5828 will be logged.

For event 5830 and event 5831

Non-compliant user account or non-compliant devices account that memtioned by event ID 5829 are configured in "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, event ID 5830 and event ID 5831 will be logged.

Hope the information above is helpful. If anything is unclear, please feel free to let us know.

Best Regards,
Daisy Zhou