About a month or so ago I blogged about the ZeroLogon vulnerability. Check it out HERE
Now why is this all important? I think I can say this is one of the meanest vulnerabilities I have seen, through which you can lose control of your AD. Mitigation is quite easy through a number of steps, being:
- Install at least the August patch on ALL your DCs if you have not done that already. You did not do this yet? Seriously? Living under a stone? Remember: ANYONE on your network that can communicate with your DC has the ability to own and control your AD domain/forest!
- Monitor the System Event Log of ALL your DCs for event ID 5829, which is logged whenever a vulnerable Netlogon secure channel connection is used and allowed. TIP: to ease this, use Azure Log Analytics, which helps you get all the information in one place! Then in Azure Log Analytics you can use the KQL query displayed below, which will give you all the systems and the number of times each of them established a vulnerable Netlogon secure channel connection
- If ANY SYSTEM still uses vulnerable netlogon connections, EITHER…
- Patch/fix software/firmware if available (preferred!)
- If a fix is not available immediately because the vendor is working on it, create a security group in AD and make all the systems for which a fix is not yet available a member of that security group. Then in the policy “Computer Configuration > Windows Settings > Security Settings > Security Options > Domain controller: Allow vulnerable Netlogon secure channel connections” specify that security group as the exception list
- When ALL SYSTEMS previously using vulnerable Netlogon connections are either fixed/updated or configured as an exception, enable enforcement mode as explained here
- Monitor the System Event Log of ALL your DCs for event IDs 5827, 5828, 5830 and 5831 and take action as needed. Again, Azure Log Analytics helps you get all the information in one place! You can use the KQL queries displayed below
- Event ID 5827: logged when a vulnerable Netlogon secure channel connection from a machine account is denied
- Event ID 5828: logged when a vulnerable Netlogon secure channel connection from a trust account is denied
- Event ID 5830: logged when a vulnerable Netlogon secure channel connection from a machine account is allowed due to the exception
- Event ID 5831: logged when a vulnerable Netlogon secure channel connection from a trust account is allowed due to the exception
- For all those systems in the exception group, chase the owners/vendors to fix/update the software before date XYZ (to be determined by yourself!) and tell them that after that date you will remove the accounts from the group and they will have issues
–
KQL Query for when a vulnerable Netlogon secure channel connection from a machine account is allowed (Event ID 5829)
Event
| where EventID == 5829
| project ParameterXml, TimeGenerated, EventID
// the first <Param> in ParameterXml is the account name of the client that connected
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count() by Client=Computer
–
KQL Query for when a vulnerable Netlogon secure channel connection from a machine account is denied (Event ID 5827)
Event
| where EventID == 5827
| project ParameterXml, TimeGenerated, EventID
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count() by Client=Computer
–
KQL Query for when a vulnerable Netlogon secure channel connection from a trust account is denied (Event ID 5828)
Event
| where EventID == 5828
| project ParameterXml, TimeGenerated, EventID
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count() by Client=Computer
–
KQL Query for when a vulnerable Netlogon secure channel connection from a machine account is allowed due to the exception (Event ID 5830)
Event
| where EventID == 5830
| project ParameterXml, TimeGenerated, EventID
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count() by Client=Computer
–
KQL Query for when a vulnerable Netlogon secure channel connection from a trust account is allowed due to the exception (Event ID 5831)
Event
| where EventID == 5831
| project ParameterXml, TimeGenerated, EventID
| parse ParameterXml with * '<Param>' Computer '</' *
| summarize Count = count() by Client=Computer
–
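As an added example (not from the original post), the five per-event queries above can be folded into one Log Analytics query covering all Netlogon event IDs 5827 to 5831 from the step list: it labels each outcome, reports which DC logged the event and when each client was last seen, so one result set drives both the exception-group work and the decision to enable enforcement mode. It relies on the same Event table columns and the same "first <Param> is the client account" convention as the queries above; the Outcome labels are my own wording.

```kql
// Added example: all five Netlogon event IDs in a single query.
// The first <Param> in ParameterXml is the client account, as in the per-event queries above.
Event
| where EventLog == "System" and EventID in (5827, 5828, 5829, 5830, 5831)
| parse ParameterXml with * '<Param>' Client '</' *
| extend Outcome = case(
    EventID == 5827, "Denied: machine account",
    EventID == 5828, "Denied: trust account",
    EventID == 5829, "Allowed: vulnerable connection (enforcement not yet active)",
    EventID == 5830, "Allowed by exception: machine account",
    EventID == 5831, "Allowed by exception: trust account",
    "Unknown")
| summarize Count = count(), LastSeen = max(TimeGenerated)
    by DomainController = Computer, EventID, Outcome, Client
| order by EventID asc, Count desc
```

Before switching on enforcement mode, the 5829 rows should have dropped to zero; afterwards, every 5830/5831 row is a system still in the exception group whose owner needs to be chased, and 5827/5828 rows point at systems that were missed.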
Now, what’s the benefit of using this approach? There are several benefits!
- Any update released after February 9th 2021 will enable enforcement mode automatically once installed. Any system NOT in the exception list will have issues!
- The list of systems using vulnerable Netlogon secure channel connections will not grow. The longer you wait, the bigger the list might get. As YOU control the security group, you can tell any owner requiring Netlogon connections to FIRST fix/update their software, which will allow the Netlogon connection. Membership of the security group should decrease, NOT increase!
–
More details: How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472
–
Cheers,
Jorge
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
Jorge’s Quest For Knowledge: http://JorgeQuestForKnowledge.wordpress.com/