Microsoft Security Vulnerability Update CVE-2020-1472

Richard Grant, 8/17/2020

Security Vulnerability Update CVE-2020-1472 for Domain Controllers

We would like to share important information on security vulnerability update CVE-2020-1472, released by Microsoft on August 11, 2020, to secure the AD infrastructure and restrict non-compliant devices via MS-NRPC (Netlogon Remote Protocol). It is extremely important to install these updates on the DCs to protect and secure the infrastructure from intruders. These updates enforce the specified Netlogon client behavior to use secure RPC with the Netlogon secure channel between member computers and Active Directory (AD) domain controllers (DCs).

In brief, the Netlogon Remote Protocol (also called MS-NRPC) is an RPC interface that is used exclusively by domain-joined devices. MS-NRPC includes an authentication method and a method for establishing a Netlogon secure channel. The main purpose of this update is to control and restrict the Netlogon elevation of privilege vulnerability in Active Directory domain controllers.

Microsoft identified this issue quickly and released the update to protect and secure the logon process that uses the Netlogon Remote Protocol. These updates must be installed on all running domain controllers, and they roll out in two phases, as laid out below.

Important points of this update: the update is released in two phases.

1- August 11, 2020 - Initial Deployment Phase

Once the initial update is installed on the DCs, the following behavior takes effect on the machines/DCs:

  1. Enforces secure RPC usage for machine accounts on Windows-based devices.

  2. Enforces secure RPC usage for trust accounts.

  3. Enforces secure RPC usage for all Windows and non-Windows DCs.

  4. Detects non-compliant devices using event ID 5829.

  5. Logs event IDs 5827 and 5828 when vulnerable connections are denied.

  6. These event details help us identify the non-compliant devices in the environment.

2- February 9, 2021 - Enforcement Phase

  1. This update will completely restrict non-compliant devices from logging on without secure RPC.

  2. This lets us create a GPO for known non-compliant devices if they are present in our organization. We can allow the required OUs if needed.

  3. Logging of event ID 5829 will be removed. Since all vulnerable connections are denied, you will now only see event IDs 5827 and 5828 in the System event log.

  4. GPO for Netlogon secure channels. Policy path: Computer Configuration > Windows Settings > Security Settings > Security Options. Setting name: Domain controller: Allow vulnerable Netlogon secure channel connections.

  5. Reboot required? No.

  6. Allow: the domain controller will allow the specified group/accounts to use a Netlogon secure channel without secure RPC.

  7. Deny: this setting is the same as the default behavior. The domain controller will require the specified group/accounts to use a Netlogon secure channel with secure RPC.

  8. Vulnerable connections from third-party devices can be allowed via this GPO.
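As an added example (not part of the original advisory), the following PowerShell script summarises the Netlogon events named above from a domain controller's System log, so that accounts still being allowed vulnerable connections (event ID 5829) can be found and remediated before the enforcement phase denies them. It assumes the event message text carries "Machine SamAccountName:" and "Domain:" fields; those regular expressions and the `-Days` look-back window are assumptions, not from the page.

```powershell
# Added example: summarise Netlogon secure-channel events (5827/5828 = denied,
# 5829 = vulnerable connection allowed) from a DC's System log. The message
# field names matched below ("Machine SamAccountName:", "Domain:") are an
# assumption about the event text, not something the advisory states.
param(
    [int]$Days = 7,                       # look-back window (assumed default)
    [string]$Computer = $env:COMPUTERNAME # DC to query; run this per DC
)

$filter = @{
    LogName   = 'System'
    Id        = 5827, 5828, 5829
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No Netlogon 5827/5828/5829 events in the last $Days days on $Computer."
    return
}

$rows = foreach ($e in $events) {
    $account = if ($e.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
    $domain  = if ($e.Message -match 'Domain:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Outcome     = if ($e.Id -eq 5829) { 'ALLOWED - will be denied after 2021-02-09' } else { 'DENIED' }
        Account     = $account
        Domain      = $domain
    }
}

# Non-compliant accounts still being allowed (5829): candidates for remediation,
# or for the "Allow vulnerable Netlogon secure channel connections" GPO if a
# third-party device genuinely cannot be fixed before enforcement.
Write-Host "Accounts allowed vulnerable connections (event 5829):"
$rows | Where-Object EventId -eq 5829 | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account  = $_.Name
        Count    = $_.Count
        LastSeen = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize

# Connections already denied by the DC (events 5827/5828).
Write-Host "Denied vulnerable connections (events 5827/5828):"
$rows | Where-Object EventId -ne 5829 | Format-Table TimeCreated, EventId, Account, Domain -AutoSize
```

Run it on each domain controller (or point `-Computer` at each one) before February 9, 2021; any account in the first table will stop working once enforcement begins unless it is fixed or explicitly allowed by the GPO.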

For a detailed overview and further information on this update, please see Microsoft's documentation for the update. Also, visit the security update page for CVE-2020-1472.