Cisco Talos researchers report a spike in attempts to exploit the Zerologon flaw, indicating that organizations are struggling to implement the fix properly. Microsoft has therefore issued updated patching guidance with step-by-step instructions on how to complete the fix after the initial, partial patch for Zerologon, which is tracked as CVE-2020-1472.
Some vulnerabilities are simply not straightforward to patch because the patch may break legitimate business processes. That is the case with this vulnerability, so step-by-step instructions are clearly necessary to successfully mitigate the vulnerability without breaking potentially business-critical apps.
via BankInfoSecurity
There are 4 steps to follow to completely mitigate the flaw.
Step 1: Patch the domain controllers with an update released August 11, 2020 or later.
That includes all domain controllers in the forest, as well as read-only domain controllers.
Step 2: Monitor the event logs to find out which devices are making vulnerable connections.
Specifically, find all event ID 5829 events, which will include relevant information for identifying non-compliant devices. It’s important to monitor this specific event before the enforcement phase to avoid outages later on.
Step 3: Address non-compliant devices that make vulnerable connections.
- Confirm that the device is running a supported version of Windows.
- Ensure the device is fully updated.
- Check to ensure that “Domain member: Digitally encrypt or sign secure channel data (always)” is set to Enabled.
Step 4: Enable enforcement mode to address CVE-2020-1472.
Before February 9, 2021, after all non-compliant devices have been addressed, either by enabling secure RPC or by allowing vulnerable connections with the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy, set the FullSecureChannelProtection registry key to 1 in the following place:
Then, deploy updates released on February 9, 2021 or later to turn on DC enforcement mode. Once those updates are installed, the registry key set above is no longer needed and will no longer be supported.
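The monitoring in Step 2 is the part that decides whether Step 4 causes an outage, so here is an added PowerShell example (not from the article or from Microsoft's guidance) that sweeps every domain controller for event ID 5829 and reports which machine accounts still make vulnerable Netlogon connections. It assumes the ActiveDirectory module is installed for enumerating DCs, that the caller can read the System log remotely on each DC, and that the event's first and fourth insertion strings are the calling account name and its reported OS (labelled as an assumption in the code).

```powershell
# Added example: summarise Netlogon event 5829 across domain controllers.
param(
    [string[]]$DomainControllers,
    [int]$Days = 7
)

if (-not $DomainControllers) {
    # Every DC in the domain, read-only DCs included (assumes the ActiveDirectory module)
    $DomainControllers = Get-ADDomainController -Filter * |
        Select-Object -ExpandProperty HostName
}

$since = (Get-Date).AddDays(-$Days)
$events = foreach ($dc in $DomainControllers) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'NETLOGON'
            Id           = 5829
            StartTime    = $since
        } | ForEach-Object {
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $_.TimeCreated
                # Assumed layout: Properties[0] = SAM account name, Properties[3] = machine OS
                SamAccountName   = $_.Properties[0].Value
                MachineOS        = $_.Properties[3].Value
                Message          = $_.Message   # raw text kept for manual review
            }
        }
    } catch {
        # "No events found" or no access on this DC: report it, keep sweeping the rest
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

# One row per non-compliant device: how often it connected and where it was last seen
$events | Group-Object SamAccountName | ForEach-Object {
    $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
    [pscustomobject]@{
        SamAccountName = $_.Name
        Connections    = $_.Count
        LastSeen       = $latest.TimeCreated
        LastSeenOnDC   = $latest.DomainController
        MachineOS      = $latest.MachineOS
    }
} | Sort-Object Connections -Descending | Format-Table -AutoSize
```

Run it repeatedly during the monitoring window; an empty report across all DCs is the signal that the Step 3 remediation is complete and enforcement mode can be turned on.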