Microsoft Now Forces Secure RPC To Block Windows Zerologon Attacks
Microsoft has enabled enforcement mode for updates addressing the Windows Zerologon vulnerability on all devices that installed this month’s Patch Tuesday security updates.
Zerologon (tracked as CVE-2020-1472) is a critical elevation-of-privilege flaw in the Netlogon Remote Protocol used by Windows Server domain controllers; after successful exploitation an attacker can elevate to domain administrator and take control of the domain.
The fix, first shipped in the August 2020 Patch Tuesday updates, is being rolled out in two phases. It enforces secure Remote Procedure Call (RPC) for the Netlogon secure channel used by machine accounts on Windows devices, by trust accounts, and by all Windows and non-Windows domain controllers.
Enforcement mode on for all up-to-date devices
“February 9, 2021 and superseding Windows Updates enable enforcement mode on all supported Windows Domain Controllers and will block vulnerable connections from non-compliant devices,” the updated Zerologon advisory reads.
The only exception is for accounts that admins have explicitly added to the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, which lets those specific non-compliant devices keep using vulnerable Netlogon secure channel connections.
Beyond that exception, admins can no longer disable or override enforcement mode, and the exception itself is a trade-off: any account allowed through it remains exposed to impersonation in Zerologon attacks.
“Microsoft strongly recommends that customers install the February updates to be fully protected from this vulnerability,” the advisory reads.
“Customers whose Windows devices are configured to receive automatic updates do not need to take any further action.”
Under attack
Soon after the Zerologon details and the patch were released, researchers published proof-of-concept Zerologon exploits that could be used to gain administrative access to domain controllers.
Following that public release, Microsoft warned that the exploits had quickly been weaponized by threat actors and were being used against devices still vulnerable to Zerologon.
Microsoft had already warned admins in January that the Zerologon updates would move into the enforcement phase this month.
“Organizations that deploy Microsoft Defender for Identity (previously Azure Advanced Threat Protection) or Microsoft 365 Defender (previously Microsoft Threat Protection) are able to detect adversaries as they try to exploit this specific vulnerability against their domain controllers,” MSRC VP of Engineering Aanchal Gupta said.
Patch deployment
Microsoft provides detailed guidance on the exact steps needed to protect affected devices against Zerologon attacks.
The update plan it outlined has four steps:
- UPDATE your Domain Controllers with an update released August 11, 2020 or later.
- FIND which devices are making vulnerable connections by monitoring event logs.
- ADDRESS non-compliant devices making vulnerable connections.
- ENABLE enforcement mode to address CVE-2020-1472 in your environment.
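The FIND and ENABLE steps above, as an added PowerShell example (not code from the article or from Microsoft). It uses only the artifacts Microsoft documents for the Zerologon update: Netlogon events 5827 through 5831 in a domain controller's System log, and the FullSecureChannelProtection registry value under the Netlogon parameters key. Assumed: the `$DomainControllers` names are reachable over RPC for `Get-WinEvent` and over PowerShell remoting for `Invoke-Command`, and the regular expressions match the "Machine SamAccountName:" and "Trust Name:" lines of the rendered event message as shown in Event Viewer.

```powershell
<#
  Added example for the FIND and ENABLE steps of Microsoft's update plan.
  Not from the article or from Microsoft's own tooling.
    5827, 5828  vulnerable connection DENIED (machine account / trust account)
    5829        vulnerable connection ALLOWED (initial deployment phase, before enforcement)
    5830, 5831  vulnerable connection ALLOWED only because the account is listed in the
                "Domain controller: Allow vulnerable Netlogon secure channel connections" policy
  Assumptions: DCs reachable over RPC (Get-WinEvent) and PowerShell remoting (Invoke-Command);
  the regexes below match the rendered event message text.
#>
param(
    [string[]]$DomainControllers = @($env:COMPUTERNAME),  # assumed: your DC list
    [int]$Days = 30,
    [switch]$EnableEnforcement
)

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$outcomes = @{
    5827 = 'DENIED (machine account)'
    5828 = 'DENIED (trust account)'
    5829 = 'ALLOWED (initial deployment phase)'
    5830 = 'ALLOWED (exception policy, machine account)'
    5831 = 'ALLOWED (exception policy, trust account)'
}
$since = (Get-Date).AddDays(-$Days)

# FIND: one row per logged vulnerable-connection attempt on a DC.
function Get-VulnerableNetlogonConnection {
    param([string]$Computer)
    $filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = @($outcomes.Keys); StartTime = $since }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Account name is taken from the message text (field layout assumed, see lead-in).
            $account = '<unparsed>'
            if     ($_.Message -match 'Machine SamAccountName:\s*(\S+)') { $account = $Matches[1] }
            elseif ($_.Message -match 'Trust Name:\s*(\S+)')             { $account = $Matches[1] }
            [pscustomobject]@{
                DC      = $Computer
                Time    = $_.TimeCreated
                EventId = $_.Id
                Outcome = $outcomes[$_.Id]
                Account = $account
            }
        }
}

$attempts = foreach ($dc in $DomainControllers) { Get-VulnerableNetlogonConnection -Computer $dc }

# ADDRESS list: accounts still making vulnerable connections, newest first. Anything marked
# ALLOWED here needs a fix on the client (or a deliberate exception) before enforcement.
$attempts | Group-Object Account | ForEach-Object {
    $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
    [pscustomobject]@{
        Account     = $_.Name
        Attempts    = $_.Count
        LastSeen    = $latest.Time
        LastOutcome = $latest.Outcome
        DCs         = ($_.Group.DC | Sort-Object -Unique) -join ','
    }
} | Sort-Object LastSeen -Descending | Format-Table -AutoSize

# Current FullSecureChannelProtection value on each DC (absent = the installed update's default).
Invoke-Command -ComputerName $DomainControllers -ScriptBlock {
    param($key)
    $v = (Get-ItemProperty -Path $key -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
    $shown = if ($null -eq $v) { '<not set>' } else { $v }
    [pscustomobject]@{ DC = $env:COMPUTERNAME; FullSecureChannelProtection = $shown }
} -ArgumentList $netlogonKey | Format-Table DC, FullSecureChannelProtection -AutoSize

# ENABLE: set enforcement mode explicitly (value 1). Run only once the list above is empty or
# every remaining account has been deliberately added to the exception policy. DCs that already
# have the February 2021 update enforce regardless of this value; setting it documents intent.
if ($EnableEnforcement) {
    Invoke-Command -ComputerName $DomainControllers -ScriptBlock {
        param($key)
        Set-ItemProperty -Path $key -Name FullSecureChannelProtection -Value 1 -Type DWord
        "${env:COMPUTERNAME}: FullSecureChannelProtection set to 1"
    } -ArgumentList $netlogonKey
}
```

Run it from a domain-joined admin workstation, first as a report (for example with `-DomainControllers dc01,dc02 -Days 14`), and add `-EnableEnforcement` only after the ALLOWED rows are gone or accounted for by the exception policy; accounts left in that policy stay exposed to Zerologon impersonation, so the report is worth re-running periodically.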
In November 2020, Microsoft also added Zerologon exploitation detection to Microsoft Defender for Identity (previously known as Azure Advanced Threat Protection).
This capability lets security operations teams detect on-premises attacks that attempt to abuse this maximum-severity Windows vulnerability.