Microsoft has alerted security admins that it is enabling Domain Controller enforcement mode by default to address a critical Remote Code Execution (RCE) vulnerability dubbed “Zerologon” that impacts the Netlogon protocol. The latest mode, which will be rolled out with the upcoming security update on February 9, 2021, will prevent vulnerable connections from non-compliant devices.
“Domain Controller enforcement mode requires that all Windows and non-Windows devices use secure Remote Procedure Call (RPC) with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device,” Microsoft said.
Zerologon – An Unpatched Flaw
The Zerologon (CVE-2020-1472), with a CVSSv3 score of 10.0, is a privilege escalation flaw in the Windows Netlogon Remote Protocol (MS-NRPC) that was patched in the Microsoft August Patch Tuesday. The vulnerability would have allowed attackers to hijack the Windows domain controller. All an attacker requires is local network access, which is also why it cannot be performed directly over the internet.
However, the Cybersecurity and Infrastructure Security Agency (CISA) stated that several proof-of-concept exploits caused widespread concern across the industry, and the bug remained unpatched in many government agencies. In an emergency directive, the agency urged to update all Windows Servers with the domain controller role in any information systems that collects, processes, stores, transmits, disseminates, or maintains agency information.
Microsoft advised security admins and organizations to update their Domain Controllers with August 11, 2020, security update, monitor event logs to find out which devices are making vulnerable connections, and enable Domain Controller enforcement mode to address Zerologon flaw. In addition, the tech giant stated, “Organizations that deploy Microsoft Defender for Identity or Microsoft 365 Defender can detect adversaries as they try to exploit this specific vulnerability against their domain controllers.”