On Friday 11th August, Microsoft announced a phased two-part security update to address a recently identified vulnerability affecting Netlogon. The first stage of the update is underway, with the second phase expected in Q1 2021. Whilst Microsoft has known about the vulnerability since August, a Proof of Concept exploit has just been released, increasing the likelihood of the vulnerability being exploited.
CVE-2020-1472 is an elevation of privilege vulnerability which, if exploited, could allow an attacker unauthorised administrator access to your network. The threat arises when an attacker attempts to connect to an Active Directory Server (also known as a Domain Controller) using the Netlogon Remote Protocol (MS-NRPC). Microsoft have given the vulnerability the maximum severity score of 10, making it critical.
The vulnerability affects all versions of the Microsoft Server Operating System and specifically targets Active Directory Servers. If you have an Active Directory Server or your servers are domain joined, you’re vulnerable to this attack unless patched.
If you have applied the security updates released on 11th August 2020 across your domain, you're on your way to being fully protected. This update lets Active Directory Servers protect Windows devices; however, non-Windows devices on your estate still pose a threat.
To fully protect your domain, you will need to enforce secure RPC.
Servers following our standard update policies will have already applied the latest Windows updates, but if you don't follow these, you'll need to make sure your servers are updated. Microsoft have provided the KB numbers of the patches here.
A list of these updates is:
Check the event logs on your Active Directory Servers for events 5827 and 5828. These will highlight any non-Windows devices still using insecure RPC. If you'd like to add an exception for these devices, you can follow this Microsoft article.
To ensure your domain is fully secure, you'll need to enforce secure RPC so that your Active Directory Servers accept only secure RPC connections. Microsoft will be rolling out this change on 9th February 2021; however, we recommend applying it now by following this guide.
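The two checks above (reviewing events 5827 and 5828, then confirming secure RPC is enforced) as an added PowerShell example to run on a Domain Controller; this is not code from the original post or from UKFast or Microsoft. The way the script picks the account name out of the event text is an assumption and falls back to the first line of the message if the field is absent.

```powershell
# Added example: run in an elevated PowerShell session on each Active Directory Server.
# Part 1 lists devices behind the Netlogon events the post says to review
# (5827 = machine account, 5828 = trust account); part 2 reports whether secure RPC is enforced.
param(
    [int]$Days = 7   # review window (assumption: one week is a sensible default)
)

$since = (Get-Date).AddDays(-$Days)

# 5827/5828 are written by the NETLOGON provider to the System log after the August 2020 update.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No 5827/5828 events in the last $Days days on this Domain Controller."
} else {
    # Assumption: the event text carries a 'SamAccountName:' field naming the account.
    $rows = foreach ($e in $events) {
        $account = if ($e.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] }
                   else { ($e.Message -split "`n")[0].Trim() }
        [pscustomobject]@{
            Account  = $account
            Type     = if ($e.Id -eq 5827) { 'Machine account' } else { 'Trust account' }
            LastSeen = $e.TimeCreated
        }
    }
    # One line per account: these are the devices to patch, replace or add an exception for.
    $rows | Group-Object Account | ForEach-Object {
        $latest = ($_.Group | Sort-Object LastSeen -Descending)[0]
        [pscustomobject]@{ Account = $_.Name; Type = $latest.Type; Events = $_.Count; LastSeen = $latest.LastSeen }
    } | Sort-Object Events -Descending | Format-Table -AutoSize
}

# Part 2: FullSecureChannelProtection = 1 under the Netlogon parameters key is the registry
# setting that makes the Domain Controller refuse insecure RPC connections from every device.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$value = (Get-ItemProperty -Path $key -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($value -eq 1) {
    Write-Host 'FullSecureChannelProtection = 1: secure RPC is enforced on this Domain Controller.'
} else {
    Write-Host 'FullSecureChannelProtection is not 1: insecure RPC connections from non-Windows devices are still permitted.'
    Write-Host "Once the devices above are fixed or exempted, enforce with:"
    Write-Host "  Set-ItemProperty -Path '$key' -Name FullSecureChannelProtection -Type DWord -Value 1"
}
```

Run it with `-Days 30` to widen the window if your devices connect infrequently, and repeat on every Domain Controller, since each logs only the connections it received.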
The UKFast team is more than happy to help answer any questions you may have about this vulnerability and the required updates. Please don’t hesitate to contact our support team on 0800 923 0605.