Microsoft today warned administrators that the updates addressing the Windows Zerologon vulnerability will move into the enforcement phase starting next month.
Zerologon (CVE-2020-1472) is a critical vulnerability in the Netlogon Remote Protocol with a CVSS score of 10/10. When successfully exploited, it allows an unauthenticated attacker with network access to a domain controller to elevate privileges to domain administrator and take control of the Active Directory domain.
“We remind our customers that starting with the security update of February 9, 2021, we will enable domain controller enforcement mode by default,” said MSRC vice president of engineering Aanchal Gupta.
“DC Enforcement Mode requires all Windows and non-Windows devices to use secure RPC with the Netlogon secure channel, unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device.”
Patch deployment details
The update released as part of the August 2020 Patch Tuesday enables secure remote procedure call (RPC) with the Netlogon secure channel for computer accounts on Windows devices, for trust accounts, and for all Windows and non-Windows domain controllers.
It also logs every non-compliant device in the environment that still makes vulnerable Netlogon connections, so that administrators can troubleshoot or replace those devices before the enforcement phase begins.
With the February 2021 updates, domain controllers will automatically enforce secure RPC for all devices on the network, denying vulnerable Netlogon secure channel connections unless an explicit exception has been configured; the deployment-phase events that recorded allowed vulnerable connections will no longer be logged, because such connections are no longer allowed.
Microsoft also clarified the steps customers should take to protect their devices from Zerologon attacks after customers found the original instructions confusing.
The update plan described by Microsoft involves doing the following:
- UPDATE your domain controllers with an update released on August 11, 2020 or later.
- FIND which devices are making vulnerable connections by monitoring event logs.
- ADDRESS noncompliant devices making vulnerable connections.
- ENABLE enforcement mode to address CVE-2020-1472 in your environment.
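The FIND and ENABLE steps above are the ones administrators actually have to script. The following PowerShell is an added example (it is not from the article or from Microsoft) that inventories the Netlogon secure channel events a patched domain controller writes to its System log and then switches that domain controller into enforcement mode ahead of the February 2021 default. The event IDs (5827 through 5831) and the FullSecureChannelProtection registry value are documented in Microsoft's KB4557222; the function names, the SamAccountName regex, the lookback window and the CSV export path are this example's own assumptions.

```powershell
# Added example, not the article's or Microsoft's own tooling. Run on (or with
# rights to) a domain controller that already has the August 2020 or later update.

# Netlogon event IDs written to the System log by a patched DC (KB4557222):
#   5827  vulnerable machine-account connection DENIED
#   5828  vulnerable trust-account connection DENIED
#   5829  vulnerable machine-account connection ALLOWED (initial deployment phase only)
#   5830  vulnerable machine-account connection allowed by an explicit policy exception
#   5831  vulnerable trust-account connection allowed by an explicit policy exception
$NetlogonEventIds = 5827, 5828, 5829, 5830, 5831

function Get-VulnerableNetlogonClients {
    # Step FIND: list every account that still negotiated an insecure Netlogon
    # secure channel with this DC during the lookback window.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # assumption: a domain controller
        [int]$Days = 30                              # assumption: lookback window
    )

    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = $NetlogonEventIds
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The event body names the account; the regex is an assumption that
            # works for the "Machine SamAccountName:" line of 5827/5829/5830 events.
            # Trust-account events (5828/5831) fall back to the first message line.
            $account = if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] }
                       else { ($_.Message -split "`r?`n")[0].Trim() }

            $outcome = switch ($_.Id) {
                5827 { 'Denied' }
                5828 { 'Denied' }
                5829 { 'Allowed (deployment phase)' }
                default { 'Allowed by policy exception' }
            }

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                DC          = $ComputerName
                EventId     = $_.Id
                Outcome     = $outcome
                Account     = $account
            }
        }
}

function Get-VulnerableNetlogonSummary {
    # One row per account: how many vulnerable connections it made and when the
    # last one was seen. This is the list to work through in step ADDRESS.
    param([int]$Days = 30)

    Get-VulnerableNetlogonClients -Days $Days |
        Group-Object Account |
        ForEach-Object {
            [pscustomobject]@{
                Account     = $_.Name
                Connections = $_.Count
                LastSeen    = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
                Outcomes    = ($_.Group.Outcome | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Connections -Descending
}

function Enable-NetlogonEnforcement {
    # Step ENABLE: FullSecureChannelProtection = 1 puts this DC into enforcement
    # mode now instead of waiting for the February 9, 2021 update to do it.
    # Accounts that still need an exception must be added through the
    # "Domain controller: Allow vulnerable Netlogon secure channel connections"
    # Group Policy setting; there is no per-account registry switch for that.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $key -Name FullSecureChannelProtection -Value 1 -Type DWord
    Get-ItemProperty -Path $key -Name FullSecureChannelProtection
}

# Usage: review the summary first, fix or replace the listed devices, then enforce.
$summary = Get-VulnerableNetlogonSummary -Days 30
$summary | Format-Table -AutoSize
$summary | Export-Csv -Path 'C:\Temp\zerologon-noncompliant.csv' -NoTypeInformation   # assumed path
# Enable-NetlogonEnforcement   # uncomment once every account in the summary has been dealt with
```

Run the inventory against every domain controller, not just one, since each DC only logs the connections it handled itself; an empty summary over a full 30-day window on all DCs is the signal that enforcement mode can be enabled without breaking anything.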
Zerologon under attack
Shortly after the Zerologon patch was released in August 2020 and technical details of the flaw became public, researchers released proof-of-concept exploits that let attackers take over a domain controller with little effort.
Once the public exploits were available, Microsoft warned that threat actors had quickly adopted them and started exploiting Zerologon in attacks.
A month later, Microsoft also added Zerologon exploit detection to Microsoft Defender for Identity, allowing security teams to detect on-premises attacks that attempt to abuse this critical vulnerability.
“Organizations that deploy Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) or Microsoft 365 Defender (formerly Microsoft Threat Protection) are able to detect adversaries when they attempt to exploit this specific vulnerability against their domain controllers,” Gupta said.