Microsoft Warns Of Incoming Windows Zerologon Patch Enforcement

Microsoft today warned admins that updates addressing the Windows Zerologon vulnerability will transition into the enforcement phase starting next month.

Zerologon is a critical 10/10 rated security flaw tracked as CVE-2020-1472 which, when successfully exploited, enables attackers to elevate privileges to domain administrator and take control over the domain.

“We are reminding our customers that beginning with the February 9, 2021 Security Update release we will be enabling Domain Controller enforcement mode by default,” MSRC VP of Engineering Aanchal Gupta said.

“DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device.”

Also Read: The 5 Benefits Of Outsourcing Data Protection Officer Service

Patch deployment details

The patch released as part of the August 2020 Patch Tuesday updates enables secure Remote Procedure Call (RPC) communication for machine accounts on Windows devices, trust accounts, as well as all Windows and non-Windows Domain Controllers.

It also logs any non-compliant devices in the environment so that system administrators address their issues or replace them before the enforcement phase.

With the February 2021 updates, Microsoft will automatically start enforcing secure RPC communications for all devices on the network and will no longer log non-compliant machines.

Microsoft has also clarified the steps needed to take to protect their devices against Zerologon attacks after customers found the original guidance confusing.

The update plan outlined by Microsoft involves going through the following procedure:

1. UPDATE your Domain Controllers with an update released August 11, 2020 or later.
2. FIND which devices are making vulnerable connections by monitoring event logs.
3. ADDRESS non-compliant devices making vulnerable connections.
4. ENABLE enforcement mode to address CVE-2020-1472 in your environment.

Zerologon under attack

Soon after the news about a Zerologon fix was published in August 2020, researchers published proof-of-concept ZeroLogon exploits allowing attackers to easily gain administrative access to a domain controller.

With public exploits released, Microsoft warned that threat actors quickly adopted them and started exploiting ZeroLogon in attacks.

One month later, Microsoft also added support for Zerologon exploitation detection to Microsoft Defender for Identity making it possible for security teams to detect on-premises attacks trying to abuse this critical vulnerability.

Also Read: How To Prevent WhatsApp Hack: 7 Best Practices

“Organizations that deploy Microsoft Defender for Identity (previously Azure Advanced Threat Protection) or Microsoft 365 Defender (previously Microsoft Threat Protection) are able to detect adversaries as they try to exploit this specific vulnerability against their domain controllers,” Gupta said.