Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2020-09-15) ZeroLogon Attack/Vulnerability Information

Posted by Jorge on 2020-09-15


This is about a serious attack on AD, which is currently possible when AD is not patched and configured correctly. A lot of information and tooling about the ZeroLogon vulnerability and attack has been available on the internet for a month or so.

THIS IS A SERIOUS ONE! ACT NOW IF YOU HAVE NOT ALREADY!

Please use this for your own environment or for any customer you work for or know about. This requires immediate attention for ANY AD domain/forest that you manage, as just patching is not enough.

In addition to patching, forcing secure RPC is ALSO required to prevent unsecure anonymous requests in any way. Not forcing secure RPC means that anyone on the network can easily take over the AD domain and become a full-blown admin.

It is possible to check through event IDs who is currently using unsecure RPC. Those systems need to be patched ASAP.
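One way to run that event ID check, as an added example that is not part of the original post: it reads the System log of each DC for the Netlogon events that the August 2020 security update introduced (IDs 5827 to 5831, which the post itself does not list) and summarizes them per account. The function name is hypothetical, and the regex assumes the event message contains a "Machine SamAccountName:" line.

```powershell
# Added example. Netlogon event IDs logged in the System log of a patched DC:
$NetlogonEvents = @{
    5827 = 'DENIED  vulnerable connection, machine account'
    5828 = 'DENIED  vulnerable connection, trust account'
    5829 = 'ALLOWED vulnerable connection (denied once secure RPC is forced)'
    5830 = 'ALLOWED by Group Policy exception, machine account'
    5831 = 'ALLOWED by Group Policy exception, trust account'
}
function Get-UnsecureNetlogonClient {   # hypothetical name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,   # DCs to query
        [int]$Days = 30
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = [int[]]$NetlogonEvents.Keys
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    $rows = foreach ($dc in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # "No events" is the good outcome; anything else means the DC was not checked.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "Could not read $dc : $($_.Exception.Message)"
            }
            continue
        }
        foreach ($e in $events) {
            # Assumption: message has a "Machine SamAccountName: <name>" line; otherwise fall back.
            $account = if ($e.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '(see message)' }
            [pscustomobject]@{ DC = $dc; Id = $e.Id; Account = $account; Time = $e.TimeCreated }
        }
    }
    # One line per account and event type, most recent first
    $rows | Group-Object Account, Id | ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Group[0].Account
            EventId  = $_.Group[0].Id
            Meaning  = $NetlogonEvents[[int]$_.Group[0].Id]
            Count    = $_.Count
            LastSeen = $_.Group.Time | Sort-Object | Select-Object -Last 1
        }
    } | Sort-Object LastSeen -Descending
}
# Call: Get-UnsecureNetlogonClient -ComputerName (Get-ADDomainController -Filter *).HostName
```

The example call needs the ActiveDirectory module and event log read rights on the DCs. Accounts that show up under 5829 are the ones that will stop authenticating once secure RPC is forced, so they are the systems to patch first.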

For more detailed info, please see below.

ZeroLogon Attack/Vulnerability Information

Required Actions

  • Read and understand the information above
  • Test and evaluate
  • Install patches
  • Force the use of Secure RPC NOW, do not wait until Feb 21st, when it will be enabled by default!

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-