Microsoft is starting the second phase of its fix for the Zerologon vulnerability. In this phase, the “domain controller enforcement mode” is automatically and permanently enabled. Here is what this mode does and what companies can do to prepare for it.
February 9, 2021, is an important date for businesses that are using domain controllers (DCs) in their Windows domains. This day marks the start of the second phase of Microsoft’s fix for a critical vulnerability in the Microsoft Netlogon Remote Protocol. This protocol is used to secure communications between DCs and other devices in Windows domains. Cybercriminals can gain control of the devices by exploiting the protocol’s vulnerability, which has been dubbed Zerologon.
When Microsoft learned of the Zerologon vulnerability, it began implementing a two-phase fix. In the first phase, it released updates on August 11, 2020, to patch the Zerologon flaw on DCs and other devices. The updates also provided several tools that businesses could use to prepare for the second phase.
In the second phase, Microsoft will be rolling out additional updates on February 9, 2021, that will enable the “domain controller enforcement mode” by default. Here is what this mode does and how to prepare for it.
What the Enforcement Mode Does
The enforcement mode is designed to block vulnerable Netlogon connections. It requires that all Windows and third-party DCs and other devices use secure remote procedure calls when using a Netlogon secure channel. Devices that do not meet this criterion are not allowed to connect to other devices. The only way around this requirement is to add an exception for each non-compliant device to the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
The enforcement mode isn’t new. It shipped with the first-phase updates, but it was turned off by default. Companies could enable or disable the mode as desired by changing the value of a registry key.
The February 9 updates will automatically enable the enforcement mode — and businesses won’t be able to disable it in the registry. The only way to stop the mode from being permanently enabled is to not install the February 9 updates. This leaves companies with several options, some of which are not recommended:
Although there are technically three options, the only practical choice is to install both sets of updates if businesses want to adequately secure their Windows domains. If needed, companies can temporarily postpone the installation of the February 9 updates so they can prepare for the permanent enablement of the enforcement mode.
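The two things an administrator needs to know before February 9 are whether a DC already has the enforcement mode switched on through the registry key mentioned above, and which devices are still making vulnerable Netlogon connections (the ones that would otherwise need an entry in the “Allow vulnerable Netlogon secure channel connections” policy). The following PowerShell script is an added example written for this article, not code from Microsoft or the original page. It assumes the registry path, the value name `FullSecureChannelProtection`, and the Netlogon audit event IDs 5827 through 5831 that Microsoft documents for this fix (KB4557222); none of these are named on the page, so verify them against current Microsoft documentation before relying on the output.

```powershell
# Added example (not from the original article): audit a domain controller's
# Zerologon enforcement state and list devices still making vulnerable
# Netlogon connections. Run in an elevated PowerShell session on the DC.
# ASSUMPTIONS: the registry path/value and the Netlogon event IDs below are
# taken from Microsoft's published guidance for this fix (KB4557222); they are
# not named on the page, so verify them against current documentation.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName = 'FullSecureChannelProtection'

function Get-NetlogonEnforcementState {
    # Returns 'Enforced', 'DeploymentPhase' or 'NotConfigured' based on the
    # registry value the first-phase update introduced (1 = enforce, 0 = off).
    $props = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$ValueName) { return 'NotConfigured' }
    switch ($props.$ValueName) {
        1       { 'Enforced' }
        0       { 'DeploymentPhase' }
        default { "Unexpected value: $($props.$ValueName)" }
    }
}

function Get-VulnerableNetlogonClients {
    param([int]$Days = 7)
    # Event IDs Microsoft documents for Netlogon secure channel auditing:
    #   5827/5828 - vulnerable connection denied (machine / trust account)
    #   5829      - vulnerable connection allowed during the deployment phase
    #   5830/5831 - vulnerable connection allowed by the group-policy exception
    $ids = 5827, 5828, 5829, 5830, 5831
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = $ids
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    # The connecting machine's SAM account name is assumed to be the first
    # inserted string of each event; check the event XML if your build differs.
    $events | ForEach-Object {
        [pscustomobject]@{
            Id      = $_.Id
            Account = $_.Properties[0].Value
            Time    = $_.TimeCreated
        }
    } | Group-Object Id, Account | ForEach-Object {
        [pscustomobject]@{
            EventId  = $_.Group[0].Id
            Account  = $_.Group[0].Account
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object Time -Descending)[0].Time
        }
    } | Sort-Object EventId, Count -Descending
}

"Enforcement state: $(Get-NetlogonEnforcementState)"
Get-VulnerableNetlogonClients -Days 7 | Format-Table -AutoSize
```

Run the script on each DC in the domain, because the events are logged only on the DC that serviced the connection. Accounts that show up under event 5829 are the devices that will start failing once the enforcement mode becomes permanent; they should be patched or replaced, with the group policy exception reserved for the cases where neither is possible.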
How to Prepare for the Enforcement Mode
Microsoft recommends that businesses take the following steps to prepare for the enforcement mode that will be automatically enabled by the February 9, 2021, updates:
Are Your DCs at Risk?
The Zerologon vulnerability affects machines running Windows Server 2019, Windows Server 2016, and older Windows Server versions when they assume the DC role. Third-party servers can also be affected if they use the Microsoft Netlogon Remote Protocol.
We can help you determine whether your DCs are at risk from the Zerologon vulnerability. If they are affected, we will take the necessary steps to secure them so your domain and your business are protected.