Microsoft Netlogon Vulnerability: How to stay safe

17 September 2020 by Laura Valentine

On Friday 11th August Microsoft announced a phased two-part security update to address a recently identified vulnerability affecting Netlogon. The first stage of the update is underway, with the second phase expected in Q1 2021. Whilst Microsoft has known about the vulnerability since August, a Proof of Concept exploit has just been released, increasing the likelihood of the vulnerability being exploited. 

What’s the vulnerability? 

CVE-2020-1472 is an elevation of privilege vulnerability which, if exploited, could allow an attacker unauthorised administrator access to your network. The threat is present when an attacker attempts to connect to an Active Directory Server (also known as a Domain Controller) using the Netlogon Remote Protocol (MS-NRPC). Microsoft have given the vulnerability a maximum severity score of 10, making this critical.  

Am I at risk? 

The vulnerability affects all versions of the Microsoft Server Operating System and specifically targets Active Directory Servers. If you have an Active Directory Server or your servers are domain joined, you’re vulnerable to this attack unless patched.  

What steps do I need to take? 

If you have applied the security updates released on 11th August 2020 across your domain, you’re on your way to being fully protected. This update allows Active Directory Servers to protect Windows devices; however, there is still a threat from non-Windows devices on your estate.

To fully protect your domain, you will need to enforce secure RPC.  

Step 1.  

Servers following our standard update policies will have already applied the latest Windows updates, but if you don’t follow these policies, you’ll need to make sure your servers have been updated. Microsoft have provided the KB numbers of the patches here.

A list of these updates is:  

2019: (KB4565349) – (KB4570333) – (KB4571748)   

2016: (KB4571694) – (KB4577015)   

2012 R2: (KB4571723) – (KB4578013) – (KB4577066) – (KB4571703)   

2012: (KB4571702) – (KB4577038) – (KB4571736)   

2008 R2: (KB4571719) – (KB4577051)  

(Please be aware that while this is correct at time of writing, some of these patches may be superseded by later updates.) 

Step 2. (Optional)  

Check the event logs on your Active Directory Servers for events 5827 and 5828. These events will highlight any non-Windows devices still using unsecure RPC. If you’d like to add an exception for these devices, you can follow this Microsoft article.

Step 3.  

To ensure your domain is fully secure, you’ll need to configure your Active Directory Servers to allow secure RPC connections only. Microsoft will be rolling out these changes on 9th February 2021; however, we would recommend applying this change now by following this guide.
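
The checks in Steps 1 and 2 can be scripted. The PowerShell below is an added example, not part of the original UKFast guidance: it looks for the KBs listed in Step 1 that match the server's OS, then lists any 5827/5828 events in the System log. The 30-day window and the NETLOGON event source filter are assumptions.

```powershell
# Added example: run in an elevated PowerShell session on an Active Directory Server.
# KB numbers per OS, copied from the list in Step 1 of this article.
$kbByOs = [ordered]@{
    '2019'    = 'KB4565349', 'KB4570333', 'KB4571748'
    '2016'    = 'KB4571694', 'KB4577015'
    '2012 R2' = 'KB4571723', 'KB4578013', 'KB4577066', 'KB4571703'
    '2012'    = 'KB4571702', 'KB4577038', 'KB4571736'
    '2008 R2' = 'KB4571719', 'KB4577051'
}

# Step 1: match the OS caption to a list ('2012 R2' is tested before '2012').
$caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
$osKey   = $kbByOs.Keys | Where-Object { $caption -like "*Server $_*" } |
    Select-Object -First 1

if ($osKey) {
    $found = Get-HotFix -Id $kbByOs[$osKey] -ErrorAction SilentlyContinue
    if ($found) {
        $found | Format-Table HotFixID, InstalledOn -AutoSize | Out-String
    } else {
        # Not proof of exposure: a later update may have superseded these KBs.
        Write-Warning ("None of {0} found on {1}; check for a superseding update." -f
            ($kbByOs[$osKey] -join ', '), $env:COMPUTERNAME)
    }
} else {
    Write-Warning "OS '$caption' is not in the article's list."
}

# Step 2: events 5827 and 5828 in the System log over the last 30 days
# (the window is an assumption; widen it to suit your log retention).
$filter = @{ LogName = 'System'; Id = 5827, 5828; StartTime = (Get-Date).AddDays(-30) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object ProviderName -eq 'NETLOGON'   # assumed event source name

if ($events) {
    # Count per event ID, then show each occurrence with its full message text.
    $events | Group-Object Id | Format-Table Name, Count -AutoSize | Out-String
    $events | Sort-Object TimeCreated |
        Format-List TimeCreated, Id, Message | Out-String
} else {
    "No 5827/5828 events in the last 30 days on $env:COMPUTERNAME."
}
```

Run it on every Active Directory Server, since each one logs only the connections it handled itself.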

Support 

The UKFast team is more than happy to help answer any questions you may have about this vulnerability and the required updates. Please don’t hesitate to contact our support team on 0800 923 0605.