Windows Server domain controllers are vulnerable to a very nasty attack vector. Time to act now.
Microsoft released an advisory about a critical (CVSS score 10/10) vulnerability in its domain controllers.
Long story short, an attacker with network access to a domain controller can use a Netlogon Remote Protocol message (with zeros in certain locations, hence the name “ZeroLogon”) to obtain domain administrator privileges.
Microsoft provided patches with the August patch day, so you should hurry up and patch your DCs.
Secura, which first found the vulnerability, released a Python test script that lets you check your domain controllers for insecure setups.
But even after installing the updates your work isn’t complete. They are only step 1 of mitigating the insecurity.
After installing the updates, your domain controllers will report new events for vulnerable Netlogon secure channel connections. The event IDs are:
- 5827 and 5828: the connection was denied
- 5830 and 5831: the connection is insecure, but was allowed via group policy
- 5829: the connection is insecure, but was allowed (enforcement not yet active)
So you have to check for these events, as Microsoft will release another update in February 2021 that puts domain controllers into enforcement mode, which denies insecure connections except for accounts listed in the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
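One way to do that check is to pull the five event IDs from the System log of each DC and list the accounts still making vulnerable connections, so they can be fixed before enforcement mode arrives. This is an added example, not code from the original post or from Microsoft; it assumes you have event log read access to the DCs you pass in, and that the first event property holds the account name (labelled as an assumption in the code).

```powershell
# Added example: summarise Netlogon events 5827-5831 on one or more domain controllers.
# Defaults to the local machine; pass -DomainController dc1,dc2 to query several.
param(
    [string[]]$DomainController = @($env:COMPUTERNAME),
    [int]$Days = 7
)

# What each event id means (5827/5830 = machine accounts, 5828/5831 = trust accounts)
$Meaning = @{
    5827 = 'Denied (machine account)'
    5828 = 'Denied (trust account)'
    5829 = 'Allowed, vulnerable (enforcement not yet active)'
    5830 = 'Allowed by group policy (machine account)'
    5831 = 'Allowed by group policy (trust account)'
}

# The events are written by the NETLOGON source into the System log
$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-$Days)
}

$events = foreach ($dc in $DomainController) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    DomainController = $dc
                    TimeCreated      = $_.TimeCreated
                    EventId          = $_.Id
                    Meaning          = $Meaning[$_.Id]
                    # Assumption: property 0 is the SAM account name of the connecting account
                    Account          = $_.Properties[0].Value
                }
            }
    }
    catch {
        # Get-WinEvent throws when nothing matches; that simply means a clean DC
        if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "$dc : $_" }
    }
}

# One row per account and event id: how often and when it was last seen
$events | Group-Object Account, EventId | ForEach-Object {
    [pscustomobject]@{
        Account  = $_.Group[0].Account
        EventId  = $_.Group[0].EventId
        Meaning  = $_.Group[0].Meaning
        Count    = $_.Count
        LastSeen = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
    }
} | Sort-Object EventId, Account | Format-Table -AutoSize
```

Any account that shows up with 5829, 5830 or 5831 will be cut off once enforcement mode is active unless it is fixed or deliberately listed in the “Allow vulnerable Netlogon secure channel connections” policy.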