Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2020-10-14) 6 Steps To Mitigate The ZeroLogon Vulnerability

Posted by Jorge on 2020-10-14


About a month or so ago I blogged about the ZeroLogon vulnerability. Check it out HERE

Now why is this all important? I think I can say this is one of the meanest vulnerabilities I have seen, one through which you can lose control of your AD. Mitigation is quite easy through a number of steps, being:

  1. Install at least the August patch on at least ALL your DCs if you have not done that already. You did not do this yet? Seriously? Living under a stone? Remember: ANYONE on your network that can communicate with your DC has the ability to own and control your AD domain/forest!
  2. Monitor the System Event Log of ALL your DCs for event ID 5829, which is logged whenever a vulnerable Netlogon secure channel connection is used and allowed. TIP: to ease this, use Azure Log Analytics, which helps you get all the information in one place! Then in Azure Log Analytics, you can use the KQL query displayed below, which will give you all the servers and the number of times each established a vulnerable Netlogon secure channel connection.
  3. If ANY SYSTEM still uses vulnerable netlogon connections, EITHER…
    1. Patch/fix software/firmware if available (preferred!)
    2. If a fix is not available immediately because the vendor is working on it, create a security group in AD, then use that security group and make all the systems, for which a fix is not yet available, a member of the security group. Then in the policy “Computer Configuration > Windows Settings > Security Settings > Security Options > Domain controller: Allow vulnerable Netlogon secure channel connections” specify that security group as the exception list
  4. When ALL SYSTEMS previously using vulnerable netlogon connections are either fixed/updated or configured as an exception, enable enforcement mode as explained here
  5. Monitor the System Event Log of ALL your DCs for event IDs 5827, 5828, 5830 and 5831 and take action as needed. Again, Azure Log Analytics helps you get all the information in one place! You can use the KQL queries displayed below
    1. Event ID 5827: logged when a vulnerable Netlogon secure channel connection from a machine account is denied
    2. Event ID 5828: logged when a vulnerable Netlogon secure channel connection from a trust account is denied
    3. Event ID 5830: logged when a vulnerable Netlogon secure channel connection from a machine account is allowed due to the exception
    4. Event ID 5831: logged when a vulnerable Netlogon secure channel connection from a trust account is allowed due to the exception
  6. For all those systems in the exception group, chase the owners/vendors to fix/update the software before date XYZ (t.b.d. by yourself!) and tell them that after that date you will remove the accounts as members and they will have issues

KQL Query for when a vulnerable Netlogon secure channel connection from a machine account is allowed (Event ID 5829)

Event
| where EventID == 5829
| project ParameterXml, TimeGenerated, EventID
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count(EventID) by Client=Computer

KQL Query for when a vulnerable Netlogon secure channel connection from a machine account is denied (Event ID 5827)

Event
| where EventID == 5827
| project ParameterXml, TimeGenerated, EventID
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count(EventID) by Client=Computer

KQL Query for when a vulnerable Netlogon secure channel connection from a trust account is denied (Event ID 5828)

Event
| where EventID == 5828
| project ParameterXml, TimeGenerated, EventID
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count(EventID) by Client=Computer

KQL Query for when a vulnerable Netlogon secure channel connection from a machine account is allowed due to the exception (Event ID 5830)

Event
| where EventID == 5830
| project ParameterXml, TimeGenerated, EventID
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count(EventID) by Client=Computer

KQL Query for when a vulnerable Netlogon secure channel connection from a trust account is allowed due to the exception (Event ID 5831)

Event
| where EventID == 5831
| project ParameterXml, TimeGenerated, EventID
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count(EventID) by Client=Computer
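If you do not have Azure Log Analytics, the same inventory can be built straight from the DCs' System logs. The script below is an added example (not from the original post): it pulls events 5827 through 5831 from every DC in the forest and counts them per event ID and client, the same shape as the KQL output above. It assumes the ActiveDirectory RSAT module is installed and that you have remote event log read rights on all DCs; the 7-day window is an assumption you should adjust.

```powershell
# Added example: inventory vulnerable Netlogon secure channel events on all DCs.
# Assumes RSAT ActiveDirectory module and remote event log read rights on every DC.
Import-Module ActiveDirectory

$eventIds = 5827, 5828, 5829, 5830, 5831   # denied / allowed / allowed-by-exception
$since    = (Get-Date).AddDays(-7)         # assumed window, adjust as needed

# Event logs live on each DC, so every DC in every domain of the forest is queried.
$dcs = (Get-ADForest).Domains |
       ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
       Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'NETLOGON'
            Id           = $eventIds
            StartTime    = $since
        } -ErrorAction Stop | ForEach-Object {
            # The first event parameter is the machine or trust account name,
            # i.e. the first <Param> the KQL queries parse out of ParameterXml.
            [pscustomobject]@{
                DC      = $dc
                EventID = $_.Id
                Client  = $_.Properties[0].Value
                Time    = $_.TimeCreated
            }
        }
    } catch {
        # Get-WinEvent throws when nothing matches; that just means a clean DC.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

# One row per (EventID, Client) with a count, mirroring the KQL summarize step.
$results | Group-Object EventID, Client |
    Select-Object @{n = 'EventID'; e = { $_.Group[0].EventID }},
                  @{n = 'Client';  e = { $_.Group[0].Client }},
                  @{n = 'Count';   e = { $_.Count }} |
    Sort-Object EventID, Count -Descending |
    Format-Table -AutoSize
```

Any client that shows up under 5829 still needs fixing (step 3); anything under 5830/5831 is living on the exception group and belongs on the chase list from step 6.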

Now, what's the benefit of using this approach? There is more than one!

  1. Any update that is installed which was released after February 9th, 2021 will enable enforcement mode automatically. Any system NOT in the exception list will have issues!
  2. The list of systems using vulnerable Netlogon secure channel connections will not grow. The longer you wait, the bigger the list might get. As YOU control the security group, you can tell any owner requiring netlogon connections to FIRST fix/update their software, which will allow the netlogon connection. Membership of the security group should decrease, NOT increase!

More details: How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
