
Microsoft is starting the second phase of its fix for the Zerologon vulnerability. In this phase, the “domain controller enforcement mode” is automatically and permanently enabled. Here is what this mode does and what companies can do to prepare for it.
February 9, 2021, is an important date for businesses that are using domain controllers (DCs) in their Windows domains. This day marks the start of the second phase of Microsoft’s fix for a critical vulnerability in the Microsoft Netlogon Remote Protocol. This protocol is used to secure communications between DCs and other devices in Windows domains. Cybercriminals can gain control of the devices by exploiting the protocol’s vulnerability, which has been dubbed Zerologon.
When Microsoft learned of the Zerologon vulnerability, it began implementing a two-phase fix. In the first phase, it released updates on August 11, 2020, to patch the Zerologon flaw on DCs and other devices. The updates also provided several tools that businesses could use to prepare for the second phase.
In the second phase, Microsoft will be rolling out additional updates on February 9, 2021, that will enable the “domain controller enforcement mode” by default. Here is what this mode does and how to prepare for it.
What the Enforcement Mode Does
The enforcement mode is designed to block vulnerable Netlogon connections. It requires that all Windows and third-party DCs and other devices use secure remote procedure calls when using a Netlogon secure channel. Devices that do not meet this criterion are not allowed to connect to other devices. The only way around this requirement is to add an exception for each non-compliant device to the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
The enforcement mode isn’t new. It was rolled out and available for use in the first phase. However, it was turned off by default. Companies could enable and disable the mode as desired by changing the value of a registry key.
The February 9 updates will automatically enable the enforcement mode — and businesses won’t be able to disable it in the registry. The only way to stop the mode from being permanently enabled is to not install the February 9 updates. This leaves companies with several options, some of which are not recommended:
- Not installing the August 11, 2020, or February 9, 2021, updates. This course of action should be avoided at all costs. Without any updates, the DCs and other devices in a Windows domain will be unpatched and open to attack. Taking this route is very risky considering that hackers are already exploiting the Zerologon flaw to infect organizations with the Ryuk ransomware and carry out other types of cyberattacks.
- Installing the August 11 but not the February 9 updates. This course of action is not recommended because it is risky. Although the August 11 updates patch the Zerologon flaw in supported Windows devices, third-party or older Windows devices might still be making vulnerable connections. Here’s why: In the first phase, these non-compliant devices are simply flagged in the event log by default. Their vulnerable connections are still allowed, assuming that companies did not explicitly enable the enforcement mode in the registry. Cybercriminals can use these vulnerable connections to attack the domain.
- Installing both the August 11 and February 9 updates. This is the recommended route because it provides the most protection against the Zerologon flaw. Supported Windows devices will be patched. Equally important, vulnerable connections from non-compliant devices will be denied. The only exceptions are those devices that companies list in the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy. It is important to note that this group policy is designed to be a temporary fix. The end goal, according to Microsoft, should be to address every device on the list and remove it from the policy.
Although there are technically three options, the only practical choice is to install both sets of updates if businesses want to adequately secure their Windows domains. If needed, companies can temporarily postpone the installation of the February 9 updates so they can prepare for the permanent enablement of the enforcement mode.
How to Prepare for the Enforcement Mode
Microsoft recommends that businesses take the following steps to prepare for the enforcement mode that will be automatically enabled by the February 9, 2021, updates:
- Make sure your DCs have the August 11, 2020, updates.
- Monitor the DCs’ event logs to find any non-compliant devices (i.e., devices that are making vulnerable Netlogon connections).
- Determine why the non-compliant devices are making vulnerable connections and address the issues. For example, if a device is making vulnerable connections because it is running an older version of Windows, update that device to a supported Windows version. Similarly, if a third-party device does not support secure remote procedure calls when using a Netlogon secure channel, replace the device or list it in the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
- Enable the enforcement mode. After all the non-compliant device issues are addressed, enable the enforcement mode in the registry and make sure that no Netlogon connections are being denied. If a connection is denied, disable the enforcement mode in the registry and repeat steps 2 through 4. Once all the Netlogon connections are allowed, you are ready to install the February 9 updates.
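Steps 2 and 4 above in working form, as an added PowerShell example that is not from the original post or from Microsoft. It assumes it is run as an administrator directly on a DC that has the August 11, 2020, update, that the Netlogon event IDs 5827 to 5831 and the FullSecureChannelProtection registry value are as Microsoft documents them in KB4557222, and that the event text carries a "SamAccountName:" field (the regex parsing is an assumption).

```powershell
# Added example (not from the original post or from Microsoft): run on a DC with the
# August 11, 2020 update. Lists the Netlogon events that flag vulnerable secure channel
# connections (step 2) and reports whether enforcement mode is on (step 4).

# Event IDs as documented in Microsoft's Netlogon guidance (KB4557222).
$NetlogonEventIds = @{
    5827 = 'DENIED  - vulnerable connection from a machine account (enforcement active)'
    5828 = 'DENIED  - vulnerable connection from a trust account (enforcement active)'
    5829 = 'ALLOWED - vulnerable connection; fix this device before enforcement mode'
    5830 = 'ALLOWED - machine account listed in the "Allow vulnerable ..." group policy'
    5831 = 'ALLOWED - trust account listed in the "Allow vulnerable ..." group policy'
}

function Get-VulnerableNetlogonConnections {
    param([int]$Days = 7)
    $filter = @{ LogName = 'System'; Id = @($NetlogonEventIds.Keys); StartTime = (Get-Date).AddDays(-$Days) }
    # Get-WinEvent throws when nothing matches; treat that as "no findings".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Assumption: the event text contains "SamAccountName: <account>"; otherwise mark it unparsed.
        $account = if ($e.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '(unparsed)' }
        [pscustomobject]@{ Time = $e.TimeCreated; EventId = $e.Id; Account = $account; Status = $NetlogonEventIds[$e.Id] }
    }
}

function Get-NetlogonEnforcementState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $v = (Get-ItemProperty -Path $key -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
    if ($v -eq 1) { 'Enforced (FullSecureChannelProtection = 1)' } else { 'Not enforced (value absent or 0)' }
}

# Summarise per device and event type so step 3 (fix or list each device) has a worklist.
Get-VulnerableNetlogonConnections -Days 7 |
    Group-Object Account, EventId |
    Select-Object Count,
        @{ n = 'Account'; e = { $_.Group[0].Account } },
        @{ n = 'EventId'; e = { $_.Group[0].EventId } },
        @{ n = 'Status';  e = { $_.Group[0].Status } } |
    Sort-Object Count -Descending | Format-Table -AutoSize

"Enforcement mode: $(Get-NetlogonEnforcementState)"

# Step 4: once every device above is fixed or listed in the group policy, enable enforcement.
# Re-run this script afterwards; any 5827/5828 events mean a device still needs attention.
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name FullSecureChannelProtection -Value 1 -Type DWord
```

Any 5829 events in the listing are the non-compliant devices step 3 has to resolve before enforcement mode can be turned on.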
Are Your DCs at Risk?
The Zerologon vulnerability affects machines running Windows Server 2019, Windows Server 2016, and older Windows Server versions when they assume the DC role. Third-party servers can also be affected if they use the Microsoft Netlogon Remote Protocol.
We can help you determine whether your DCs are at risk from the Zerologon vulnerability. If they are affected, we will take the necessary steps to secure them so your domain and your business are protected.