Microsoft engineers outlined a way to find vulnerable Netlogon channel connections for organizations using newer Windows Server systems.
These connections will get blocked in February if Netlogon clients aren’t upgraded beforehand. The details are described in a Thursday announcement by Jon Shectman, a Microsoft Premier field engineer specializing in security issues and fellow security Premier Field Engineer Brian Delaney. This Netlogon security issue affects organizations running Windows Server 2019 or Windows Server 2016.
Microsoft’s solution for finding vulnerable Netlogon connections depends on using Azure Sentinel, which is Microsoft’s cloud-based security information event management (SIEM) solution. Azure Sentinel pricing has a pay-for-use model, based on the capacity processed per day, although there’s a free trial, per Microsoft’s pricing page.
Netlogon is used for “user and machine authentication on domain-based networks,” per Microsoft’s definition, but it has a security vulnerability associated with Windows Server 2019 or Windows Server 2016 systems that was described earlier this month during “update Tuesday,” which is Microsoft monthly security patch release event.
On Aug. 11 (update Tuesday), Microsoft kicked off a two-phase patch process for Netlogon in those servers to address a “Critical”-rated elevation-of-privilege vulnerability (CVE-2020-1472). Microsoft’s Aug. 11 patch provided initial protection, but Microsoft plans to deliver another patch in February that will activate a “secure Remote ProtoCol (RPC).”
Organizations running Windows Server 2019 or Windows Server 2016 will need to have updated their Netlogon clients before that time to avoid an issue where devices will get denied access. It turns out that the patch activating secure RPC will arrive on Feb. 9, 2021 (update Tuesday for that month), which is billed as the “enforcement” date by Microsoft.
Microsoft’s solution to finding Netlogon clients that need updating before the Feb. 9, 2021 enforcement date is to use the Insecure Protocols Workbook in Azure Sentinel, as outlined in the announcement.
“Once you know where to look, you’ll need to upgrade all Netlogon clients,” Microsoft’s announcement indicated, without explaining how to do the upgrading. It’s still possible to get thrown by insecure connections with “Realm trusts,” though, which “may require more planning to remediate,” the announcement added.
Possibly, Microsoft will ease the detection process somewhat when using the Insecure Protocols Workbook by updating it with the associated Netlogon event IDs. At least, that idea was thought to be a good one by Shectman in this Twitter exchange.
Reference: https://redmondmag.com/articles/2020/08/28/azure-sentinel-solution-for-netlogon.aspx
