Clarifying CVE-2020–1472 (“Zerologon”)

  • Patched DCs now require all Windows-based domain members (and non-Windows DCs) to use signing and encryption. Based on informal testing my Tanium colleagues and I have done, this won’t break any version of Windows going back at least to NT4 that has Netlogon-related security settings at the installation defaults or stronger. However, it will block computers that are explicitly configured to disable signing/encryption. You can unblock them either by strengthening their signing/encryption settings, or by creating specific exceptions for them with the new group policy described in Microsoft KB 4557222.
  • Non-Windows domain members that don’t (or can’t) use signing/encryption can continue to authenticate for the time being. The patch that Microsoft plans to release in February 2021 will enforce the same restrictions on non-Windows devices that the August patch enforces for Windows-based devices. You can enforce that restriction on non-Windows devices now with a registry setting described in the KB. If you can’t change those devices to meet the new requirements, you can exempt them using the same group policy as for Windows-based machines.
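The two bullets above describe three things a defender can check on a patched DC: whether the DC is already in enforcement mode, whether a member's own secure-channel settings have been weakened below the defaults, and which devices are still making vulnerable Netlogon connections that enforcement will later deny. The following PowerShell is an added example for this article, not code from the author or from Microsoft. It assumes it runs elevated on a domain controller with the August 2020 (or later) update installed; the `FullSecureChannelProtection` value, the `RequireSignOrSeal`/`SealSecureChannel`/`SignSecureChannel` values and Netlogon event IDs 5827-5831 are those documented in KB 4557222, while the way the account name is pulled out of the event message is an assumption about the message text.

```powershell
# Added example (not from the original article): audit Zerologon-related
# Netlogon state on a domain controller after the August 2020 update.
# Assumes: elevated session on a DC; registry values and event IDs as documented
# in Microsoft KB 4557222. The message parsing regex is an assumption.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonEnforcementState {
    # FullSecureChannelProtection = 1 puts this DC into enforcement mode now
    # (non-Windows members without signing/encryption are denied).
    # Absent or 0 leaves the deployment-phase behaviour described in the article.
    $val = (Get-ItemProperty -Path $NetlogonParams -Name FullSecureChannelProtection `
            -ErrorAction SilentlyContinue).FullSecureChannelProtection
    if ($val -eq 1) { 'Enforcement' }
    else { 'Deployment phase (non-Windows vulnerable connections still permitted)' }
}

function Get-NetlogonMemberSettings {
    # Member-side secure channel settings. The installation defaults are all 1;
    # a machine explicitly set to 0 is what a patched DC will block.
    foreach ($name in 'RequireSignOrSeal', 'SealSecureChannel', 'SignSecureChannel') {
        $val = (Get-ItemProperty -Path $NetlogonParams -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting  = $name
            Value    = if ($null -eq $val) { '(default, 1)' } else { $val }
            Weakened = ($val -eq 0)
        }
    }
}

function Get-VulnerableNetlogonClients {
    param([int]$Days = 7)
    # After the August 2020 update Netlogon writes these System-log events:
    #   5827 / 5828  vulnerable connection denied (machine account / trust account)
    #   5829         vulnerable connection allowed during the deployment phase
    #                (this is what enforcement will start denying)
    #   5830 / 5831  vulnerable connection allowed because of the
    #                "Allow vulnerable Netlogon secure channel connections" policy
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829, 5830, 5831
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $outcome = switch ($_.Id) {
            5827    { 'Denied' }
            5828    { 'Denied' }
            5829    { 'Allowed (deployment phase; will be denied under enforcement)' }
            default { 'Allowed (group policy exception)' }
        }
        # Assumption: the event text carries a "SAM Account Name: <name>" line.
        $account = if ($_.Message -match 'SAM Account Name:\s*(\S+)') { $Matches[1] } else { '(unparsed)' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Outcome = $outcome
            Account = $account
        }
    } | Sort-Object Account, EventId -Unique
}

# Usage: run the three checks and show the result.
"DC mode: $(Get-NetlogonEnforcementState)"
Get-NetlogonMemberSettings | Format-Table -AutoSize
Get-VulnerableNetlogonClients -Days 7 | Format-Table -AutoSize
```

The useful part is the list of accounts behind 5829 events: those are the non-Windows devices the article says will stop authenticating once enforcement arrives, so they need to be fixed or placed in the group policy exception before then. Anything behind 5830/5831 is already exempted by policy and is worth reviewing periodically so the exception list does not outlive its reason.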

How vulnerable am I without the “full-enforcement” option?

You need to monitor events — here’s why:

What’s my best way forward now?

Windows cybersec nerd. Co-author of Sysinternals books (w/Mark Russinovich). Global Techno Ninja at Tanium; tool maker (Policy Analyzer, LGPO, LUA Buglight;...)

Aaron Margosis