CVE-2020-1472 mixed os environment

Gracjan Podłęcki 61 Reputation points
2021-02-05T14:21:19.057+00:00

Hi

Due to the threat of CVE-2020-1472, we've done phase 1 on our 3 domain controllers (2x win2k2012R2, 1x 2019standard).
All 3 DCs are patched and ready for phase 2 on the 9th of February.

In regedit on all DCs I've changed:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
FullSecureChannelProtection to value 1

and now the domain controllers are in force mode. We have plenty of client computers in our domain (Windows 2000, Windows XP, Windows 7 and Windows 10).
But when we check Event Viewer for event IDs 5827, 5828, 5829, 5830, 5831, none of these events are shown.
Is this normal, or have I set something wrong?

All help will be appreciated
thx


Accepted answer
  1. Daisy Zhou 18,956 Reputation points Microsoft Vendor
    2021-02-08T03:28:17.087+00:00

    Hello @Gracjan Podłęcki ,

    Thank you for posting here.

    If no non-compliant user accounts or non-compliant device accounts are currently making Netlogon secure channel connections, none of these events (5827, 5828, 5829, 5830, 5831) will be logged at the moment.

    If the phase one updates are installed:

    For event 5829

    If a non-compliant user account or non-compliant device account makes Netlogon secure channel connections, event ID 5829 will be logged.

    If all domain controllers are in force mode:

    For event 5827 and event 5828

    If the non-compliant user accounts or non-compliant device accounts mentioned by event ID 5829 are not configured in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, event ID 5827 and event ID 5828 will be logged.

    For event 5830 and event 5831

    If the non-compliant user accounts or non-compliant device accounts mentioned by event ID 5829 are configured in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, event ID 5830 and event ID 5831 will be logged.

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou
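
A read-only check for the situation in this thread, as an added example that is not part of the original question or answer: it reads FullSecureChannelProtection on every DC and counts the five Netlogon event IDs in the System log, telling "no matching events" apart from "the log could not be queried". It assumes the ActiveDirectory module, PowerShell remoting and remote event log access to each DC, and a 30-day look-back chosen for illustration.

```powershell
# Added example (read-only). Assumes: ActiveDirectory module, PowerShell remoting
# and remote event log access to every DC, and a constructed 30-day look-back.
Import-Module ActiveDirectory

$ids     = 5827, 5828, 5829, 5830, 5831
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$since   = (Get-Date).AddDays(-30)

$report = foreach ($dc in (Get-ADDomainController -Filter *)) {
    # Value set in the question: 1 puts the DC in enforcement mode.
    $mode = Invoke-Command -ComputerName $dc.HostName -ArgumentList $regPath -ScriptBlock {
        param($path)
        (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).FullSecureChannelProtection
    }

    $status = 'queried'
    try {
        $events = @(Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'System'; Id = $ids; StartTime = $since
        })
    } catch {
        $events = @()
        # Get-WinEvent raises an error when nothing matches; that is a clean result
        # here, unlike an unreachable DC or an access-denied log.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            $status = "query failed: $($_.Exception.Message)"
        }
    }

    foreach ($id in $ids) {
        [pscustomobject]@{
            DC      = $dc.HostName
            Mode    = if ($null -eq $mode) { 'not set' } else { $mode }
            EventId = $id
            Count   = @($events | Where-Object Id -eq $id).Count
            Status  = $status
        }
    }
}
$report | Format-Table -AutoSize
```

Zero counts are only meaningful on rows whose Status is `queried`; a `query failed` row means that DC's log was never read.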
