The Zerologon vulnerability was recognized by Microsoft in August and a patch provided. Recently, an exploit for the vulnerability has made it into the wild. The attack is trivial in nature leaving a Windows Server 2019 Server Core domain controller vulnerable to a lowly Raspberry Pi Zero for exploit. Details on the nature of the attack method can be found on the SecuraBV website. It is critical that organizations that run Active Directory patch domain controllers as soon as possible. That being said, the patch comes with its own issues. Some legacy systems that are not using secure RPC for Netlogon and this patch will break their access to domain controllers.

The patch is actually two patches. One that was delivered in August and another that is scheduled for February 11, 2021. The first patch recognizes that the mitigation will break some clients. The August patch provides events to monitor for non-compliant devices and a group policy to allow non-compliant devices to continue to operate as they are remediated. Domain controllers can be placed into enforcement mode prior to February 2021 ensuring 100% mitigation from exploit based on Microsoft’s technical article. It is critical to patch and upgrade non-compliant devices as soon as possible. Microsoft provides details on the impact of the patch on their support website.

• Microsoft lists the following changes instituted by the August patch
• Enforces secure RPC usage for machine accounts on Windows based devices
• Enforces secure RPC usage for trust accounts
• Enforces secure RPC usage for all Windows and non-Windows DCs
• Includes a new group policy to allow non-compliant device accounts (those that use vulnerable Netlogon secure channel connections). Even when DCs are running in enforcement mode or after the Enforcement phase starts, allowed devices will not be refused connection
• FullSecureChannelProtection registry key to enable DC enforcement mode for all machine
  accounts (enforcement phase will update DCs to DC enforcement mode)
• Includes new events when accounts are denied or would be denied in the DC enforcement mode
  (and will continue in the Enforcement phase)

Microsoft recommends that all domain controllers receive the August patch and monitor for the newly created events. The goal for the event monitoring is to identify clients that do not support or are not set to secure RPC for Netlogon. Systems that currently do not meet this standard will need to be whitelisted until remediation occurs.

If you are using Event Forwarding in your environment, the following Event Log Subscription will collect these events from domain controllers. Remember these events are only triggered after the August patch is applied.

In February 2021, Microsoft will release the patch that will enforce secure RPC for Netlogon. Domain controllers will no longer allow vulnerable Netlogon secure channel connections from non-Windows devices. At this point, the group policy will be the only solution for legacy clients. All efforts should be made to identify, remediate, or apply policy to legacy clients to prevent outages in February 2021.