CVE-2020-1472

Jason L 41 Reputation points
2021-04-08T18:11:58.11+00:00

I am getting ready to secure my DCs for CVE-2020-1472. I have a mixture of Windows Server OSes. 2003 R2, 2008, 2008R2, 2012, 2012R2, 2016, 2019. I have been monitoring logs and I am not seeing 5827, 5828, 5829, 5830, 5831. I have a few questions regarding older servers. It is my understanding I can create a policy to allow older servers to bypass the new security measures. What versions of windows will need to have the security bypass enabled, 2003 and 2008 only? Also where do I get the patch from? Will it come via WSUS?


4 answers

  1. Daisy Zhou 24,436 Reputation points Microsoft Vendor
    2021-04-09T01:49:32.223+00:00

    Hello @Jason L ,

    Thank you for posting here.

    If we install updates of phase one (August 11, 2020 - Initial Deployment Phase).

    For event 5829

    If there are non-compliant user accounts or non-compliant device accounts performing Netlogon secure channel connections, event ID 5829 will be logged.

    If there are no non-compliant user accounts or non-compliant device accounts performing Netlogon secure channel connections, event ID 5829 will not be logged.

    If all domain controllers are in force mode (February 9, 2021 - Enforcement Phase).

    For event 5827 and event 5828
    If the non-compliant user accounts or non-compliant device accounts mentioned by event ID 5829 are not configured in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, event ID 5827 and event ID 5828 will be logged.

    For event 5830 and event 5831
    If the non-compliant user accounts or non-compliant device accounts mentioned by event ID 5829 are configured in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, event ID 5830 and event ID 5831 will be logged.

    What versions of windows will need to have the security bypass enabled, 2003 and 2008 only?
    A: If you do not see any 5827, 5828 or 5829 events currently, you do not need to add these machines to the GPO setting.

    Also where do I get the patch from? Will it come via WSUS?
    A: We only want to install the two updates on all DCs. You can download them from the Microsoft Update Catalog website or via another way (such as WSUS).

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Reference
    How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472
    https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e

    Best Regards,
    Daisy Zhou

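    As an added example that is not part of this thread or of Microsoft's guidance, the following script summarises the five event IDs Daisy describes above and the FullSecureChannelProtection value Jason refers to later. It assumes it is run in an elevated PowerShell session on each DC, that the events are logged to the System log by the NETLOGON provider, and that the event message names the account after "Machine SamAccountName:" or "Trust Name:".

```powershell
# Added example (not from the thread): run in an elevated PowerShell on each DC.
# Summarises CVE-2020-1472 Netlogon events and shows whether enforcement is forced.
param([int]$Days = 30)

$meaning = @{
    5827 = 'DENIED  - non-compliant machine account, not in the allow GPO'
    5828 = 'DENIED  - non-compliant trust account, not in the allow GPO'
    5829 = 'ALLOWED - deployment phase only; fix or allow-list before enforcement'
    5830 = 'ALLOWED - machine account explicitly permitted by the allow GPO'
    5831 = 'ALLOWED - trust account explicitly permitted by the allow GPO'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'NETLOGON'
    Id = 5827, 5828, 5829, 5830, 5831
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

if (-not $events) {
    "No Netlogon events 5827-5831 in the last $Days days: no non-compliant secure channel clients seen."
} else {
    $events | ForEach-Object {
        # Assumption: the account is named in the message text after
        # 'Machine SamAccountName:' (5827/5829/5830) or 'Trust Name:' (5828/5831).
        $acct = if ($_.Message -match '(?:Machine SamAccountName|Trust Name):\s*(\S+)') { $Matches[1] } else { '(unparsed)' }
        [pscustomobject]@{ EventId = $_.Id; Account = $acct }
    } |
    Group-Object EventId, Account |
    ForEach-Object {
        # One row per (event ID, account): this is the list to fix or to add to the GPO
        [pscustomobject]@{
            EventId = $_.Group[0].EventId
            Account = $_.Group[0].Account
            Count   = $_.Count
            Meaning = $meaning[$_.Group[0].EventId]
        }
    } | Sort-Object EventId, Account | Format-Table -AutoSize
}

# FullSecureChannelProtection = 1 under the Netlogon Parameters key forces enforcement
# mode on this DC; absent or 0 leaves the installed update's default behaviour.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$fscp = (Get-ItemProperty -Path $key -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
switch ($fscp) {
    1       { 'FullSecureChannelProtection = 1: enforcement mode is forced on this DC' }
    0       { 'FullSecureChannelProtection = 0: enforcement is not forced by the registry' }
    default { 'FullSecureChannelProtection is not set: the installed update''s default applies' }
}
```

    Accounts listed under 5829 are the ones to patch or, failing that, to add to the "Allow vulnerable Netlogon secure channel connections" GPO before enforcement; rows under 5827/5828 are connections already being refused.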

  2. Jason L 41 Reputation points
    2021-04-09T14:08:43.907+00:00

    I did not do phase 1 or phase 2, as patching Windows in my company was not a priority for many years. What I was planning on doing, since I am not seeing any events on the DCs any more after patching all my Win7 machines, is to set FullSecureChannelProtection for a bit and then apply the patch. Is this not correct? Also, I would like to set a GPO for "Domain controller: Allow vulnerable Netlogon secure channel connections" just as a caution, because my older machines are very important. Do I only add Server 2003 and 2008? Anything above 2008 R2 does not need to be in the AD security group to allow vulnerable Netlogon. Is this correct?


  3. Edword Smith53 Suspended 1 Reputation point
    2021-04-09T14:17:28.743+00:00

    Thank you for Posting to Microsoft Community, Level 3 Experts are going to help you to fix your problem. Please Connect to support Team l~9O9~353~25I5

    Thank You
    Microsoft Expert


  4. Daisy Zhou 24,436 Reputation points Microsoft Vendor
    2021-04-12T06:28:32.967+00:00

    Hello @Jason L ,

    Thank you for your update.

    Q: What I was planning on doing, since I am not seeing any events on the DCs any more after patching all my Win7 machines, is to set FullSecureChannelProtection for a bit and then apply the patch. Is this not correct?
    A: If you do not do phase 1 and phase 2 for all DCs in your AD forest, and only patched all your Win7 machines, it is not correct.

    Also, if you do not install the patches (phase 1, phase 2) on the DCs, you will not see the GPO "Domain controller: Allow vulnerable Netlogon secure channel connections" on the DCs.

    You should do phase 1 and phase 2 on all DCs in your AD environment; then you can add any server (2003, 2008 or 2008 R2), any client (Win 7, Win XP) and any untrusted user account to this GPO if any of them were denied.

    Best Regards,
    Daisy Zhou

