Clarifying CVE-2020–1472 (“Zerologon”)

  • Patched DCs now require all Windows-based domain members (and non-Windows DCs) to use signing and encryption. Based on informal testing my Tanium colleagues and I have done, this won’t break any version of Windows going back at least to NT4 that has its Netlogon-related security settings at the installation defaults or stronger. However, it will block computers that are explicitly configured to disable signing/encryption. You can unblock them either by strengthening their signing/encryption settings, or by creating specific exceptions for them with the new group policy described in Microsoft KB 4557222.
  • Non-Windows domain members that don’t (or can’t) use signing/encryption can continue to authenticate for the time being. The patch that Microsoft plans to release in February 2021 will enforce the same restrictions on non-Windows devices that the August patch enforces for Windows-based devices. You can enforce that restriction on non-Windows devices now with a registry setting described in the KB. If you can’t change those devices to meet the new requirements, you can exempt them using the same group policy as for Windows-based machines.

How vulnerable am I without the “full-enforcement” option?

The reported exploit always depended on signing and encryption being optional. When a client cannot choose the protocol’s less-secure option, the exploit no longer works. But the patch also brings a subtle change to the Netlogon protocol that breaks the “all-zeroes” exploit technique as well as similar ones. This means that even when you have clients that you can’t require to use signing/encryption, successful exploitation of the protocol’s weakness is now mathematically many orders of magnitude more difficult than it was. This lessens the immediate urgency of moving to the full-enforcement option for non-Windows devices.

You need to monitor events — here’s why:

After patching your DCs, you should determine whether any authorized computers are being blocked or will be blocked in full-enforcement mode, so that they can be updated, retired, or exempted with the new group policy setting. The August patch defines several new events that Netlogon writes to the System event log whenever vulnerable connections are blocked or allowed.
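The following PowerShell is an added example for the two points above (checking whether a DC is in full-enforcement mode, and reading the new Netlogon events to see which member machines are blocked, still connecting vulnerably, or exempted); it is not from the original post and not Tanium content. It assumes the event IDs 5827 through 5831 and the `FullSecureChannelProtection` registry value as documented in Microsoft KB 4557222, and it assumes the account name can be read from the event message text (with a fallback to the first event property if the layout differs).

```powershell
# Added example (not part of the original post or any Tanium content).
# Run elevated on a patched domain controller. Assumptions: the System-log
# event IDs 5827-5831 and the FullSecureChannelProtection value are as
# documented in KB 4557222.

$EventMeaning = @{
    5827 = 'DENIED  - vulnerable machine-account connection blocked'
    5828 = 'DENIED  - vulnerable trust-account connection blocked'
    5829 = 'ALLOWED - vulnerable machine-account connection (will be blocked under full enforcement)'
    5830 = 'ALLOWED - vulnerable machine-account connection permitted by group policy exemption'
    5831 = 'ALLOWED - vulnerable trust-account connection permitted by group policy exemption'
}

function Get-NetlogonEnforcementMode {
    # 1 = full enforcement for every device now; absent or 0 = Windows devices
    # enforced, non-Windows devices still allowed (until the February 2021 patch).
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $value = Get-ItemProperty -Path $key -Name 'FullSecureChannelProtection' -ErrorAction SilentlyContinue
    if ($null -ne $value -and $value.FullSecureChannelProtection -eq 1) { 'FullEnforcement' } else { 'Default' }
}

function Get-VulnerableNetlogonReport {
    [CmdletBinding()]
    param([int]$Days = 7)

    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = @($EventMeaning.Keys)
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent reports "no events found" as an error.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $rows = foreach ($e in $events) {
        # Assumption about the message layout: the affected account is labelled
        # "Machine SamAccountName:" (machine accounts) or "Account Name:" (trusts).
        # Fall back to the first event property if neither label is present.
        $account = if ($e.Message -match '(?:Machine SamAccountName|Account Name):\s*(\S+)') { $Matches[1] } elseif ($e.Properties.Count -gt 0) { [string]$e.Properties[0].Value } else { '<unknown>' }
        [pscustomobject]@{
            Account  = $account
            EventId  = $e.Id
            Meaning  = $EventMeaning[[int]$e.Id]
            LastSeen = $e.TimeCreated
        }
    }

    # One line per (account, event id): how often it happened and when it was last seen.
    $rows | Group-Object Account, EventId | ForEach-Object {
        $latest = $_.Group | Sort-Object LastSeen -Descending | Select-Object -First 1
        [pscustomobject]@{
            Account  = $latest.Account
            EventId  = $latest.EventId
            Meaning  = $latest.Meaning
            Count    = $_.Count
            LastSeen = $latest.LastSeen
        }
    } | Sort-Object EventId, Account
}

# Usage: enforcement mode of this DC, then a 14-day summary of blocked/allowed/exempted accounts.
Write-Host "Netlogon enforcement mode on $env:COMPUTERNAME : $(Get-NetlogonEnforcementMode)"
Get-VulnerableNetlogonReport -Days 14 | Format-Table -AutoSize
```

Because each DC logs only the secure-channel connections it handled itself, run this on every DC (or collect the System logs centrally) before deciding which accounts to update, retire, or add to the KB 4557222 exemption policy; 5829 entries are the ones that will turn into 5827 denials once full enforcement is on.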

What’s my best way forward now?

Tanium has published content that will tell you the precise vulnerability status of your domain controllers and whether any member systems are being blocked or will be blocked so that you can keep your operations running smoothly and securely. See the references below for details.

Aaron Margosis

Windows cybersec nerd. Co-author of Sysinternals books (w/Mark Russinovich). Global Techno Ninja at Tanium; tool maker (Policy Analyzer, LGPO, LUA Buglight;...)