Netlogon Secure Channel CVE-2020-1472 Clarification Needed

Question

Netlogon Secure Channel CVE-2020-1472 Clarification Needed

Jason Leidy 91

Regarding the August 11th patch that addresses CVE-2020-1472: After reading through the article below I am not clear on whether access will be denied for certain clients or if this patch is just adding event monitoring only and Feb 2021 update is for enforcement?

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

Jason

Anonymous

2020-09-03T07:48:56.093+00:00

Hello @Jason Leidy ,

How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou
Jason Leidy 21 Reputation points

2020-09-09T17:13:06.48+00:00

A1:We only need to install the August patch on all DCs in the forest.
Actually, the fix is in a patch (KB4571694) that gets installed on all machines. So, you can't just install it on your Domain Controllers.
Aaron Margosis 26 Reputation points

2020-10-01T03:05:52.16+00:00

The vulnerability exists only on DCs.

6 answers

Your answer

Anonymous

2020-09-03T07:48:56.093+00:00

Hello @Jason Leidy ,

How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou
Jason Leidy 21 Reputation points

2020-09-09T17:13:06.48+00:00

A1:We only need to install the August patch on all DCs in the forest.
Actually, the fix is in a patch (KB4571694) that gets installed on all machines. So, you can't just install it on your Domain Controllers.
Aaron Margosis 26 Reputation points

2020-10-01T03:05:52.16+00:00

The vulnerability exists only on DCs.

Answer 1

Anonymous

Hello @Jason Leidy ,

Thank you for posting here.

After reading several times , here are the answers for your references.

Q1:What happens when I install the August patch on all of my clients (all Windows 10 1909) and servers.
A1:We only need to install the August patch on all DCs in the forest.

All will happen below after you install the August patch on all DCs in the forest.

1.After deploying the August 11th updates to all DCs (including Windows DCs (including read-only domain controllers) and non-Windows DCs) in the forest.

2.By default, supported versions of Windows that have been fully updated should not be using vulnerable Netlogon secure channel connections.

3.Detecting non-compliant devices using event ID 5829.

3-1 Monitor patched DCs for event ID 5829 events.
3-2 The event ID 5829 determines which devices in your environment are using vulnerable Netlogon secure channel connections (referred to as non-compliant devices in that article).
3-3 The events will include relevant information for identifying the non-compliant devices.

4.To find non-compliant devices (A non-compliant device is one that uses a vulnerable Netlogon secure channel connection.) in advanve from event ID 5829 on all DCs before we install February 9, 2021 updates.

4-1 Deploying the August 11th updates to all DCs
4-2 Monitor patched DCs for event ID 5829 events. Event ID 5829 is generated when a vulnerable connection is allowed during the initial deployment phase.
4-3 To resolve the vulnerable Netlogon secure channel connections(enforce secure RPC when using the Netlogon secure channel ), move to enforcement mode in advance of the February 2021 enforcement phase

Method 1
Set Registry on all DCs.
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value: FullSecureChannelProtection
Data type: REG_DWORD
Value:1 – This enables enforcement mode.
DCs will deny vulnerable Netlogon secure channel connections unless the account is allowed by the Create Vulnerable Connection list in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.

Method 2
Wait for February 9, 2021 updates

Q2:Non-compliant machines won't be able to get logged on?
A2:If we only install August 11, 2020 updates, non-compliant machines will be able to get logged on. Event ID 5829 is generated when a vulnerable connection is allowed during the initial deployment phase. These connections will be denied when DCs are in enforcement mode.

Q3:I don't know which devices are non-compliant (not using secure RPC when using the Netlogon secure channel).
A3:To find non-compliant devices in advanve after August 11, 2020 updates before we install February 9, 2021 updates.

1 Deploying the August 11th updates to all DCs.
2 Monitor patched DCs for event ID 5829.

Q4:How is that different than what the February update does.
A4:
August 11, 2020 updates - Initial Deployment Phase
We can find non-compliant machines in advance from event ID 5829 on all DCs before we install February 9, 2021 updates.

February 9, 2021 updates - Enforcement Phase (make FullSecureChannelProtection=1 on all DCs forcely)

If we actually find some non-compliant devices and we want "the Netlogon service allow vulnerable Netlogon secure channel connection from a machine account", we should set "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy for Domain Controllers.

Domain controller: Allow vulnerable Netlogon secure channel connections ==> Allow: The domain controller will allow the specified group/accounts to use a Netlogon secure channel without secure RPC.

After that, we may receive Event ID 5830 and Event ID 5831.

Event ID 5830 will be logged when a vulnerable Netlogon secure channel machine account connection is allowed by "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.

Event ID 5831 will be logged when a vulnerable Netlogon secure channel trust account connection is allowed by "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.

Otherwise, we actually find some non-compliant devices, and we want "the Netlogon service deny vulnerable Netlogon secure channel connection from a machine account" and we does not set "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy for Domain Controllers, we may receive Event ID 5827 and Event ID 5828.

Event ID 5827 will be logged when a vulnerable Netlogon secure channel connection from a machine account is denied.
Event ID 5828 will be logged when a vulnerable Netlogon secure channel connection from a trust account is denied.

Hope the information above is helpful. If anything is unclear, please feel free to let un know.

Best Regards,
Daisy Zhou

Ottavio Romano 1 Reputation point

2020-09-28T15:34:33.553+00:00

I complete disagree with point "3.Detecting non-compliant devices using event ID 5829." in your explanation. After installed the patch we don't see any 5829 event. Instead we see directly 5827 event "The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account." We have user unable to connect to shared folders, so the deny is effectively in place. Something is wrong in this patch. We didn't expect disservice in this phase, but only in Enforcement Phase (anticipated or not with registry key enablement).
Susan Bradley 96 Reputation points MVP

2020-09-28T16:18:43.953+00:00

I'm not seeing this reported by most others, so I honestly think there is some thing unique in your environment. Are you connecting to a Linux based NAS? What's the setup? Can you review your other group policy settings? What exact server or system is throwing off the 5827?
David Davis 6 Reputation points

2020-09-28T19:15:09.96+00:00

I experienced a similar issue once installing the patch at a small site. The DC immediately began denying connections with 5827 events. It appears to be enforcing instead of just monitoring/logging.
Susan Bradley 96 Reputation points MVP

2020-09-28T23:45:00.55+00:00

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc Do you have any non windows domain controllers? see "If a non-compliant DC cannot support secure RPC with Netlogon secure channel before the DCs are in enforcement mode, add the DC using the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy described below."
David Davis 6 Reputation points

2020-09-29T14:11:26.267+00:00

We do not have any non-windows domain controllers. Based on my reading/understanding of the documentation, enforcement begins after installing the Aug 11 update:

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

Deploy August 11, 2020 updates
"After deploying this update patched DCs will:

Begin enforcing secure RPC usage for all Windows-based device accounts, trust accounts and all DCs.

Log event IDs 5827 and 5828 in the System event log, if connections are denied."
Aaron Margosis 26 Reputation points

2020-10-01T03:17:16.847+00:00

The KB is not clear on these details unless you read and reread the entire (updated) KB several times:

The August patch blocks all non-compliant Windows devices and non-Windows DCs, unless exceptions are created for them via the new GPO.
The August patch blocks non-compliant non-Windows (non-DC) devices only if the FullSecureChannelProtection registry value is set to 1.
The February patch will block all non-compliant devices unless exceptions are created for them via the new GPO.

Hope this helps.

Aaron Margosis (Tanium)
jennylee 86 Reputation points

2020-10-01T18:52:32.383+00:00

This update broke our trust. We have a mix of server 2016 and 2012r2 DC. All are updated although I'm not seeing that update on the 2012r2's and when I go to the website to download, the page is not working. No matter what I do, I cannot rebuild the trust, so this patch definitely broke something....would this have anythign to do with having 2012 R2 DC in the mix?
DonPick 1,266 Reputation points

2020-10-02T23:50:12.173+00:00

@jennylee
as per https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

for WS2012R2 the update is:
https://www.catalog.update.microsoft.com/Search.aspx?q=KB4571703 (monthly rollup)
or
https://www.catalog.update.microsoft.com/Search.aspx?q=KB4571723 (security only)
(edit: apparently the catalog service was down yesterday but it's back online now :)

these are appearing fine for me in MS catalog.
note that these updates introduce the new behaviour (block non-compliant Windows machines)
so you should check all the involved DCs in all relevant domains/forests for the trust.
check event logs on all DCs involved and look for events 5828 etc
jennylee 86 Reputation points

2020-10-05T17:48:30.357+00:00

The server 2012r2 link you sent seems to work and the KB4571723 is now installed. However server 2016 standard said KB4571694 was installed with updates, , but its nowhere to be found. When I download the patch from the same site, it says :Windows update Standalone installer, the update is not applicable to your computer" when I try to install it. . I assume it has something to do with what version it is. 10.0.14393 Build 14393 server 2016 standard x64?
Susan Bradley 6 Reputation points

2020-10-05T18:07:49.977+00:00

Have you already installed the September updates on that server? If https://support.microsoft.com/en-us/help/4577015 is installed on that server than you have the August updates in there as well.
jennylee 86 Reputation points

2020-10-05T20:08:28.34+00:00

Oh I see those Sept updates seem to have stuck as I see them in the Windows Server 2016. So if I see this KB4577015Security Update then I can be assured it has the proper patc. I have all the win 2012r2 updated. Still can't create a forest wide trust, it says the security database on the server does not have a computer account for this workstation trust relationship. Ugh. Thanks for helping with the updates though
jennylee 86 Reputation points

2020-10-16T16:48:17.74+00:00

Still cannot get the Trust to work that worked fine before the August Update. All the Domain controllers have the September updates and I manually put KB4571723 on any Server 2012R2 DC. Still getting "Windows cannot verify the trust. If the inter-domain trust is not functioning properly , Try resetting the trust password again. Which does not work. Anyone have any ideas. I started uninstalling the udpate on the 1 DC in the Domain we are trying to trust, but it was not happy.
Thanks for any advice
Susan Bradley 96 Reputation points MVP

2020-11-03T00:11:17.833+00:00

Do you have access to support? If not, holler and I can open a support case on your behalf (apologies for not responding sooner as I didn't see this response)
jennylee 86 Reputation points

2020-11-03T12:26:21.907+00:00

I do not, but we did have some time left with a consulting company and they could not fix it either without changing the GPO policy ( which still leaves a vulnerability) so we decided to spin up a new DC and will demote the current one and see if we can get it to work. Will let you know how that works out. TY
Susan Bradley 96 Reputation points MVP

2020-11-20T03:37:33.69+00:00

Did it work out? Saw this post and thought of you https://learn.microsoft.com/en-us/answers/questions/168826/trust-relationship-issues.html
Roussel, Francois (SNB) 1 Reputation point

2020-11-20T14:46:56.303+00:00

It doesn't seems to be blocking anything at all.
patch is install, registry is set to enforce (1)
Our windows 10 client to test have the following local policy set:
Domain Member: Digitally encrypt of sign secure channel data (always) : Disabled
Domain Member: Digitally encrypt secure channel data (always): Disabled
Domain Member: Digitally sign secure channel data (when possible): Disable
From that testing workstation if we run the command "Test-ComputerSecureChannel -Server ...." it will show "False"

We can see the event viewer id 5827 from the DC that show that Netlogon service denied a vulnerable Netlogon Secure Channel.
Testing with user we can still logon to that PC, it will just continue to throw the error on the DC.
The password of that computer can change, at first we tough it would kick the PC out of the domain when it try to reset the password but no.
It look like it does nothing, we can still access network drive, RDP to the DC, RSAT access , etc...
jennylee 86 Reputation points

2020-12-01T16:22:04.133+00:00

No, sadly it didn't. We had an outside company work on it that we had some time with and they could not get it either without enabling the GPO, which from what I read still makes it a vulnerability by allowing all. We decided to build another AD server and will dcprom that one and try again. I am waiting on my coworker to finish it. Thanks for checking back.
jennylee 86 Reputation points

2020-12-01T17:12:03.677+00:00

Reading the link you put. It says:
Check to ensure that Domain member: Digitally encrypt or sign secure channel data (always) is set to Enabled in a GPO linked to the OU for all your DCs, such as the default domain controllers GPO.

Does this create any vulnerabilities or am I getting it confused with the one that does? I believe when its set to enable the trust works. Please let me know if it causes any vulnerabilities. Thanks
jennylee 86 Reputation points

2021-01-04T22:20:55.297+00:00

Hello,
Built a new AD server and it has the August updates on it as do all the DC but I am still getting event ID 5828 The Netlogon service denied a vulnerable Netlogon secure channel connection using a trust account.
To reiterate my scenario. We have our Main domain and we had a trust built for an old domain and it stopped working after Aug Patch. Seems the main domain does not like the old one as we only get the errors on the new domain DC I have deleted and rebuilt the trust many times.
the old domain has Server 2016 servers and DC plus one linux server. Also just got a letter from our insurance company stating that they found a vulnerability relating to this same issue CVE-2020-1472 and also adds we are exposing port 135. I have made sure this update was on all the DC's on both Domains, so I don't understand why the trust does not work or why we got this letter.
Susan Bradley 96 Reputation points MVP

2021-02-11T01:53:33.993+00:00

Did you ever get this worked out as this is now enforced with the February updates.
Jennylee525 1 Reputation point

2021-02-11T20:34:49.127+00:00

No, I just ended up killing the trust as we were getting notice that there were insecurities with the domain we were trying to trust with. I enforcee the hard coat and was done with it. Thanks for trying to help.

Answer 2

The August 11, 2020 update transitions to Initial Deployment Phase (monitoring)

The February 9, 2021 update transitions into the enforcement phase. The DCs will now be in enforcement mode regardless of the enforcement mode registry key. This requires all Windows and non-Windows devices to use secure RPC with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device. 

--please don't forget to Accept as answer if the reply is helpful--

Answer 3

Thameur-BOURBITA 36,261 Moderator

Hi

This KB is recommended to enforce the security communication between domain controller and member machine.
You can find the explanation in the summary:

**These updates enforce the specified Netlogon client behavior to use secure RPC with Netlogon secure channel between member computers and Active Directory (AD) domain controllers (DC). **

This security update addresses the vulnerability by enforcing secure RPC when using the Netlogon secure channel **

Don't forget to mark this reply as answer if it help you to fix your issue

Jason Leidy 91 Reputation points

2020-08-29T01:44:59.927+00:00

Right, I read the article several times so quoting it back to me isn't helping. My apologies, I am just not clear on what happens when I install the August patch on all of my clients (all Windows 10 1909) and servers. Non-compliant machines won't be able to get logged on? I don't know which devices are non-compliant (not using secure RPC when using the Netlogon secure channel). How is that different than what the February update does.
Aaron Margosis 1 Reputation point

2020-10-11T02:02:13.187+00:00

This article should help clarify all the issues: https://medium.com/[@](/users/na/?userId=4c3e22e6-1e67-0001-0000-000000000000).margosis/clarifying-cve-2020-1472-zerologon-d42d1d14849e

Answer 4

Anonymous

Hello @Jason Leidy ,

Thank you for posting here.

Here are the answers for your references.

Q: I am not clear on whether access will be denied for certain clients or if this patch is just adding event monitoring only and Feb 2021 update is for enforcement?

A: The updates will be released in two phases: the initial phase for updates released on or after August 11, 2020 and the enforcement phase for updates released on or after February 9, 2021.

The initial phase for updates:

If you have non-compliant devices, the access will be denied. Then event ID 5827, 5828 and 5829 may be logged.

1.Event ID 5827 will be logged when a vulnerable Netlogon secure channel connection from a machine account is denied.

2.Event ID 5828 will be logged when a vulnerable Netlogon secure channel connection from a trust account is denied.

3.Update will include a new group policy to allow non-compliant device accounts (those that use vulnerable Netlogon secure channel connections). Even when DCs are running in enforcement mode or after the Enforcement phase starts, allowed devices will not be refused connection.

Event ID 5829 will only be logged during the Initial Deployment Phase, when a vulnerable Netlogon secure channel connection from a machine account is allowed (gpo setting).

When DC enforcement mode is deployed or once the Enforcement phase starts with the deployment of the February 9, 2021 updates, these connections (5729) will be denied and Event ID 5827 will be logged. This is why it is important to monitor for Event 5829 during Initial Deployment Phase and act prior to Enforcement phase to avoid outages.

Make DCs in enforcement mode

Method 1 ==> set the following registry value manually

FullSecureChannelProtection registry key to enable DC enforcement mode for all machine accounts (enforcement phase will update DCs to DC enforcement mode).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection
REG_DWORD

1 – This enables enforcement mode.

0 – DCs will allow vulnerable Netlogon secure channel connections from non-Windows devices. This option will be deprecated in the enforcement phase release.

Method 2 ==> install update ==> February 9, 2021 - Enforcement Phase

The DCs will now be in enforcement mode regardless of the enforcement mode registry key. This requires all Windows and non-Windows devices to use secure RPC with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device. 

We can monitor 5827, 5828 and 5829 after the initial phase for updates installed. Then we may find non-compliant devices through event ID 5827, 5828 and 5829.

Hope the information above is thelpful.

Best Regards,
Daisy Zhou

Jason Leidy 91 Reputation points

2020-08-29T01:44:26.783+00:00

Right, I read the article several times so quoting it back to me isn't helping. My apologies, I am just not clear on what happens when I install the August patch on all of my clients (all Windows 10 1909) and servers. Non-compliant machines won't be able to get logged on? I don't know which devices are non-compliant (not using secure RPC when using the Netlogon secure channel). How is that different than what the February update does.
Susan Bradley 96 Reputation points MVP

2020-09-20T21:48:56.56+00:00

At this time all of the connections will still work. You will just have events logging indicating that in the future you might have issues. In February of next year is the drop dead things might break time when they enforce the encryption (always) setting.

So for now, patch is installed, connections still work.
Tom Baker 6 Reputation points

2020-09-21T23:51:50.167+00:00

I disagree with this statement. We have deployed the patch, the registry setting HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection" is set to 0. We are receiving event 5827 with the description: ventCode = 5827
Keywords = Classic
Message = The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account." All of the documentation states the denial will not start until Feb '21.
Susan Bradley 96 Reputation points MVP

2020-09-22T00:01:26.323+00:00

Can you tell what device is attempting to connect and failing? All supported versions of Windows should be connecting just fine.
Terry Grogan 1 Reputation point

2020-09-22T21:05:42.147+00:00

I am seeing the same issue as TomBaker. We deployed the security patch on our DC's (OS 2016). We are seeing a few of our WINDOWS 10 Enterprise x-64 workstations record event 5827. We have verified the registry key is set to 0 on all DCs. Most of the workstations are doing fine. We do have two non-windows OS devices that are triggering event 5829. The Win10 devices being denied despite the registry key set at 0 is a mystery and I was hoping to find potential answers here.
Anonymous

2020-09-24T13:50:55.477+00:00

I 100% disagree as well. This rolled and broke our remaining Win7 devices (registers), some Win 10 (registers), and we had to roll back. We had other reports, but we were in full enforment mode after installation.

This does not allow the existing NetLogon connections after installation. We have are working to configure the GPO prior to patching the domain controllers so that is prepped ahead of time and pushed.

Unreal.
Susan Bradley 96 Reputation points MVP

2020-09-24T16:09:41.897+00:00

I have Windows 7 here and not seeing any issues. What group policy settings do you have or other hardening settings that might be interacting? Be aware that attacks have been reported https://twitter.com/MsftSecIntel/status/1308941504707063808

Do you have the ability to open a support case with Microsoft? If not email me at sb-at-askwoody.com (change the -at- to @) and I can open one up on your behalf so you can get this rolled out as soon as you can.
Susan Bradley 96 Reputation points MVP

2020-09-25T06:02:02.3+00:00

https://attackerkb.com/topics/7FbcgDOidQ/cve-2020-1472-aka-zerologon?referrer=home More info on the attack there. For sure it shouldn't break the 10's unless you have an explicit group policy enforcing insecure netlogon protocols.
Anonymous

2020-09-28T17:16:43.213+00:00

Thanks. We are scrubbing our policies and have not found the issue yet. We already require secure encrypting and signing amongst the clients per GPO, so not really sure the disconnect of this patch.
Aaron Margosis 26 Reputation points

2020-10-01T02:33:18.957+00:00

There is a lot of text and it's a bit confusing, but bottom line is that the August patch blocks all non-compliant Windows-based devices, unless you create exceptions for them through the new GPO. Non-compliant non-Windows devices are still allowed until the February patch unless you set the full-enforcement registry value.

Find out what the actual effective state is on your problematic machines for these security options:
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Have a look in HKLM\System\CurrentControlSet\Services\Netlogon\Parameters for these values:
RequireSignOrSeal
SealSecureChannel
SignSecureChannel
All of them should be DWORD 1.

-- Aaron Margosis (Tanium)
Aaron Margosis 1 Reputation point

2020-10-11T02:03:10.457+00:00

Hey Susan! (Long time!)
This article should help clarify all the issues: https://medium.com/[@](/users/na/?userId=4c3e22e6-1e67-0001-0000-000000000000).margosis/clarifying-cve-2020-1472-zerologon-d42d1d14849e
Susan Bradley 96 Reputation points MVP

2020-10-23T04:21:17.157+00:00

Any luck in finding the root cause?

Answer 5

Yes, the August update for Windows Server https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 will disrupt non-compliant Windows domain-members, and log event 5827 on the DC as the DC will refuse the secure-channel connection.

The KBarticle has been updated several times, and the body (step 1 and 2) and the FAQ section highlights this

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

Share via

Netlogon Secure Channel CVE-2020-1472 Clarification Needed

6 answers

Your answer