Zerologon (CVE-2020-1472): Critical Active Directory Vulnerability

In August 2020, Microsoft released an update to fix a critical Windows Server vulnerability in Active Directory – CVE-2020-1472 (better known as Zerologon). This update was successfully installed on all domain controllers 4 months ago. However, not every Windows administrator knows that installing an update on a DC does not do everything. This article discusses the Zerologon vulnerability, how to protect AD domain controllers against it, why another Zerologon update is scheduled for February 2021, and what a Windows server administrator should do about it.

Request for zero: Vulnerability of Windows Netlogon CVE-2020-1472

The critical vulnerability CVE-2020-1472 in Active Directory in all versions of Windows Server (2008 R2, 2012, 2016, 2019) allows an unauthorized user to remotely obtain domain administrator rights. Due to an error in the implementation of the AES-CFB8 encryption protocol for the Netlogon Remote Protocol (MS-NRPC), an attacker accessing the Domain Controller on the network can increase his privileges and change the password of the Domain Controller account to AD. The attacker can then authenticate to the domain controller with SYSTEM rights and gain full control over Active Directory (resetting domain administrator passwords or other actions in AD).

The Netlogon protocol is used to authenticate users and computers on AD domain networks. Netlogon is also used to remotely update passwords for computer accounts in the Active Directory domain.

To implement the Zerologon vulnerability, an attacker must connect via Netlogon (using the following ports : RPC TCP/135, dynamic range of RPC ports, and SMB on TCP/445) with a specific sequence starting with zeros. The Netlogon vulnerability allows pretending to be a legitimate domain computer and changing the password of the DC account after increasing the rights.

Vulnerability received the highest score in the CVSS study (10 out of 10).

This applies to all versions of Windows Server :

  • Windows Server 2019, Windows Server 2016 ;
  • Windows Server 2004, 1909, 1903 ;
  • Windows Server 2012 R2/2012 ;
  • Windows Server 2008 R2 SP 1.

Several public zerological exploits are currently in progress (a numerological module has also been added to the mimicatz).

Do not test Nullology on your network, because if you set the DC password to blank, it may damage your AD infrastructure.

There is a Python script that you can use to check for nullerological vulnerabilities in your CDs:

Windows Server Updates versus Zerologon

Since Microsoft no longer supports Windows Server 2008 R2, there is no publicly available bug fix for this version of the operating system. However, if you have purchased an annual subscription to Extended Security Updates (ESU), you can download and install Update 4571729 for WS2008R2.

There is an unofficial Zerologon patch for Windows Server 2008 R2 – 0patch ( Use at your own risk.

For other versions of Windows Server, updates are available via Windows Update, WSUS, or you can download the updates manually from the Microsoft Update catalog and install the MSU update file manually.

Protection of ZeroLogon Active Directory Domain Controllers

Updates regarding the vulnerability of Zerologon were released in August 2020. To protect Active Directory, you must install the August cumulative update (or later) for your version of Windows Server on all domain controllers.

Actually, the patch is only a temporary solution.

Microsoft will implement Zerologon in two phases that will enable a smooth transition to a secure Remote Procedure Call (RPC) in Netlogon:

  • First phase (of deployment). The Augustus patch is an emergency patch designed to protect domain controllers from a known attack scenario. However, this update does not fully resolve the vulnerability (other attack scenarios on DC via Netlogon are possible). Older systems that do not support the new secure version of RPC for Netlogon can still connect to the domain controller.
  • The second phase (forced). The next update will be published on the 9th. February 2021 published. After installing this update, all domain controllers will refuse connections to the old Netlogon protocol (however, you can set exceptions for older devices via a GPO, we’ll show you how to do this below).

After installing the first patch you can find connectivity events in the domain controller logs for devices using an insecure version of Netlogon RPC. In addition, if you do not have older devices on your network, you can disable support for the older version of Netlogon RPC on your domain controllers without waiting until 2021 (using the FullSecureChannelProtection registry setting).

After the installation of the security update, connection events of computers using the vulnerable version of Netlogon are logged in the logs of the domain controllers. Note the following NETLOGON EventIDs in the Event Viewer -> Windows Logs -> System :

  • EventID 5829 – Connection to the vulnerable version of Netlogon is allowed;
  • EventID 583, 5831 – A connection to a vulnerable version of Netlogon is allowed because the device has been added to the : Allows vulnerable connections on Netlogon’s secure channel.

By February 2021, you should install the latest security updates on all detected devices. Under Windows, simply install the latest cumulative update. Ask the device/software manufacturers (OEMs) for updates for all other devices that use the Netlogon remote access protocol to connect to Active Directory.

In February a special security update will be released forcing domain controllers to use the secure version of the Netlogon protocol. At the same time, devices specified in event 5829 (which do not support the secure version of Netlogon) cannot enter the domain. You must manually add these devices to the GPO exceptions.

This means that unsupported versions of Windows (Windows XP/Windows Server 2003/Vista/2008) will work in your AD domain.

Group policy for the Nullogon

If no device in your network only supports the unsecured version of Netlogon, you can create a separate GPO to force DCs to use the secure version of Netlogon up to level 9. February 2021 (when the second update, banning connections to the insecure version of Netlogon, is released). To do this, install the following registration key via a GPO on all your DCs :

  • Registration key : HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetlogonParameters
  • Parameter type : REALLY
  • Parameter name : Full protection of secure channels .

Possible values :

  • 1 – Activates forced execution mode. DC denies connections via a vulnerable version of Netlogon. This setting does not affect accounts added to the : Allows vulnerable connections on the secure Netlogon channel (see below) ;
  • 0 – Enables the DC connections to a vulnerable version of Netlogon from non-Windows devices (this option will be depreciated during the implementation phase).

How can I allow non-Windows devices to connect to the DC via Netlogon?

A special option has appeared in the GPO to allow certain devices/accounts to use a vulnerable version of Netlogon to connect to the DC. This policy will be a : You can allow vulnerable Netlogon connections through the secure channel in Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Settings.

You must create a security group in AD and add the accounts/devices that must be allowed to create a secure channel with the domain controller using the old netlogon RPC.

Enable the policy for the DC (at the default policy level of the domain controller), click Set Security and specify the group that may use the insecure netlogon protocol (Vulnerable connection -> Allow).

By enabling the reject option, you can prohibit the use of unsafe Netlogon RPCs for specific devices.

Related Tags:

samsung tab s6 lite vs s5e,beda samsung tab s6 dengan s6 lite,galaxy s6 tab lite review,galaxy tab s6 update,galaxy tab s6 6gb vs 8gb,s6 lite dex,samsung tab s6 vs s5e,tab s6 lite launch,tab s6 dan s6 lite,keyboard for samsung s6 lite,samsung s6 lite screen,galaxy tab s6 vs s7,galaxy tab s6 vs s5e,difference between s6 and s7,difference between s6 and s7 tablet,samsung galaxy s5e or s6 lite,galaxy tab a vs s6,samsung galaxy tab s6 lite costco,samsung galaxy tab s6 lite specs,samsung galaxy tab s6 lite 128gb,samsung galaxy tab s6 lite case,galaxy tab s6 lite vs s5e,samsung galaxy tab s6 lite keyboard,galaxy tab a7 vs s6 lite reddit,samsung a7 vs s6 tablet,tab a7 vs s6 lite gsmarena,tab a7 vs tab a,tab a7 review,exynos 9611 vs snapdragon 662,ipad mini 5 vs samsung tab s6,ipad air vs samsung tab s6,samsung galaxy tab s6 lite price,samsung tablet,best samsung tablet deals 2020,cheap samsung tablets nz,samsung tablet hotukdeals,samsung s5e refurbished,samsung tablet walmart,samsung tablets price list in ghana,samsung galaxy tab s6 lite,samsung galaxy tab s6 lite review,samsung galaxy tab s6 vs s6 lite,samsung galaxy tab s6 lite vs s5e,samsung galaxy tab s6 price,samsung tablet s6 lite,samsung galaxy tab s6 vs s7