Skip to content
    February 1, 2021

    Microsoft to Enable Domain Controller Enforcement Mode by Default on Feb. 9

    What Happened

    When CVE-2020-1472 was released on Aug 11, 2020, Microsoft addressed a critical remote code execution vulnerability targeting how the Netlogon secure channel is used. This patch is being released in two separate parts. On Aug 11, the patch addressed the initial deployment that covered:

    1. Fixing the vulnerability for all Windows domain-joined devices.
    2. Begin logging events for all non-compliant devices.
    3. Introduced the option to enable protection for all domain-joined devices as well as explicit exceptions via group policy.

    The second half of this deployment will take place beginning with the February 9 security update. During this update, the DC (domain controller) enforcement mode will be enabled by default on all devices.

    What That Means

    The Remote Code Execution category of vulnerabilities are almost always critical priority, especially those that need no authentication. The Netlogon Remote Protocol (MS-NRPC) is used by AD (Active Directory) domains and includes an authentication method as well as the ability to create a Netlogon secure channel. The exploit takes advantage of this authentication and allows the escalation of privileges. The attacker can impersonate the machine account and set a known or empty password for the account.

    This attack can be used to obtain full domain administrator privileges, specifically with the spoofing of the domain controller computer account, leading to a full compromise of the domain. There are several proof of concepts out for this attack currently.

    What You Should Do

    There are four steps recommended by Microsoft as well as changes we’ve made to help:

    1. Update your domain controllers with the patch that was released on August 11. (And keep your DCs and all Windows hosts up to date otherwise)
    2. Find which devices are making vulnerable connections by monitoring event logs (Blumira can help with this part!!) See how we integrate with Microsoft Windows Server.
    3. Address the non-compliant devices
    4. Enable DC enforcement mode if all non-compliant devices have been addressed prior to Feb 9

    From within Blumira, as long as domain controllers are sending System event logs, you can select the global report named “Netlogon Secure Channel Connections” to see if there are any impacted devices still using the insecure channels. We’ve also created a High-Priority Risk finding called “Netlogon Secure Channel Connection Vulnerability Detected.”

    Who’s Impacted

    Any Windows Server 2012 and above devices are impacted.

    Additional Resources:

    To help organizations running Microsoft environments, our guide gives you practical, step-by-step Windows tips to significantly improve your visibility into malicious activity. Download our Guide to Microsoft Security.

    Amanda Berlin

    Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...

    More from the blog

    View All Posts