Windows Zerologon – Part Two: What Microsoft Recommends to Do and Why
In the last newsletter I wrote about the Windows Zerologon issue (CVE-2020-1472). I covered how easy it was to leverage and that Microsoft had released a patch for it. Well, the thing is, Microsoft isn’t just telling people to apply the patch. They’re asking us to do quite a bit more. I didn’t touch on this during the last newsletter, since it would have made the blog a lot longer, and I also felt it would dilute the message of “I don’t think you grasp how vital it is to apply this patch.”
The reason I’m going to go deeper into what the patch does is partly because Microsoft has told you to. The reason they give is that, following the discovery of this vulnerability, they will have to change the behaviour of Windows in a few months (on February 9, 2021, to be exact). So, if you don’t follow their advice, you could get a rather unpleasant surprise next year.
Now I’ll go a little deeper into how the patch addresses the issue and why you should follow Microsoft’s advice on what to do (after you install the patch). Here is a summary of the changes they made:
Change 1 – The vulnerability in the MS-NRPC protocol was addressed
Change 2 – Event log entries now get created in relation to MS-NRPC connections
Change 3 – MS-NRPC can now use encryption
Now then, here’s the kicker: currently, the use of encryption for MS-NRPC is not being enforced unless you manually configure your Domain Controller to do so. The update in February will change that, and it will no longer be possible to set up a Domain Controller to accept unencrypted MS-NRPC traffic. So, what exactly does this mean?
Well, so long as the only things you have connected to Active Directory are computers receiving updates from Microsoft, nothing. However, some people make use of NAS devices, firewalls, and other things that talk to Active Directory in order to do user authentication. If they use MS-NRPC (most probably do) and they don’t encrypt the traffic, that communication will suddenly begin to fail after February 9, when Microsoft rolls out the rest of the fix. Depending on an outfit’s network, this change could cause a lot of disruption. That’s why Microsoft has decided to give you a couple of months to get things sorted out before they flip that particular switch.
So, once you install the patch, Microsoft recommends that you monitor your event logs for event ID 5829 (one of the new ones they created for this fix). This log entry says that the Domain Controller accepted a non-encrypted connection for MS-NRPC. You need to look for these events, find the device that created each one, and patch it so that it uses encrypted traffic. If it can’t be patched, it will not be able to communicate with Active Directory starting in February, so you have some time to find a replacement.
Here’s a real-world example of the impact this change will make:
Many places still have Windows 7 machines in their networks. Most of them don’t have extended support contracts on their Windows 7 computers, so they are not receiving patches. Without one, Windows 7 will not be able to communicate with an Active Directory server that has received the second part of this fix.
Here is the link to the Microsoft article that contains all the details I have summarized:
In it you’ll find a link to another article that contains detailed instructions on using a PowerShell script (which they provide) to automatically look at your event logs and create an Excel spreadsheet with these events in it. This makes sorting through event logs quite a lot easier.
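To show what that monitoring step looks like in practice, here is an added example of my own (not Microsoft’s script and not from their article) that pulls the 5829 events off a Domain Controller and lists which devices are still making unencrypted MS-NRPC connections. It assumes it is run as an administrator on the DC, that 5829 is written by the NETLOGON source to the System log, and that the event text carries the client’s account name under a label containing “Account Name” (the field label is an assumption; the raw message is kept if it does not match).

```powershell
# Added example: summarise Netlogon event 5829 (non-encrypted MS-NRPC connection accepted)
# per client device on this Domain Controller and write the detail to a CSV.
# Assumptions: run elevated on the DC; NETLOGON writes 5829 to the System log;
# the message names the client under a label containing "Account Name".
param(
    [int]$Days = 7,                          # how far back to look
    [string]$OutCsv = ".\netlogon-5829.csv"  # where the per-event detail goes
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5829
    StartTime    = (Get-Date).AddDays(-$Days)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No event 5829 in the last $Days day(s): no unencrypted MS-NRPC connections seen."
    return
}

# One row per event: when, which DC logged it, and which client account made the connection.
# The label regex is an assumption; on a mismatch the whole message is kept so nothing is lost.
$rows = foreach ($e in $events) {
    $client = if ($e.Message -match 'Account\s*Name:\s*(\S+)') { $Matches[1] } else { $e.Message }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        DomainCtrl  = $e.MachineName
        Client      = $client
    }
}

# One line per device: how often it connected unencrypted and when it was last seen.
# Devices at the top of this list are the ones to patch or replace before February 9.
$summary = $rows | Group-Object Client | ForEach-Object {
    [pscustomobject]@{
        Client   = $_.Name
        Count    = $_.Count
        LastSeen = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
    }
} | Sort-Object Count -Descending

$summary | Format-Table -AutoSize
$rows | Export-Csv -Path $OutCsv -NoTypeInformation
Write-Host "Per-event detail written to $OutCsv"
```

Run it on each Domain Controller, since every DC logs only the connections it accepted itself; once a device has been patched it should drop off the list on the next run.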
Of course, you could decide not to take these steps. In which case when Feb 9 arrives, maybe everything will be working, or maybe not.
As the Bard once wisely declared: “Advantage is a better soldier than rashness.”
If you have any questions about Windows Zerologon, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.