Microsoft Taking Additional Steps to Address Zerologon FlawCompany Will Enforce Domain Controller Settings to Block Connections
Microsoft is alerting customers that starting Feb. 9, it will enforce domain controller settings within Active Directory to block connections that could exploit the unpatched Zerologon vulnerability in Windows Server.
The software giant, along with the U.S. Cybersecurity and Infrastructure Security Agency, has been warning about the urgency of patching the Zerologon vulnerability, which is tracked as CVE-2020-1472, for months.
The flaw affects Windows Server's Netlogon Remote Protocol, or MS-NRPC - an authentication component of Active Directory that organizations deploy to manage user accounts, including authentication and access (see: Microsoft Issues Updated Patching Directions for 'Zerologon').
The Zerologon vulnerability was given a CVSS score of 10 - the most critical.
Guarding Against Vulnerability
While Microsoft issued a patch for the Zerologon flaw in August 2020, it's not clear if all the company's customers have applied it to their networks to address the vulnerability. So, Microsoft will begin enabling domain controller enforcement mode by default, according to the company alert.
"This will block vulnerable connections from non-compliant devices," Microsoft says. "Domain controller enforcement mode requires that all Windows and non-Windows devices use secure [remote procedure call] with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device."
Domain controllers respond to authentication requests and verify users on computer networks. By enabling enforcement mode, the domain controllers will not allow Netlogon connections from devices that lack secure remote procedure call protocols unless those device accounts have been specifically added via a group policy, according to Microsoft.
Hacking groups have been attempting to exploit Zerologon since it was first disclosed in 2020. For example, Symantec researchers found a Chinese hacking group attempting to use the bug to target organizations in Japan (see: Chinese Hackers Exploit Zerologon Flaw for Cyberespionage).
In October 2020, CISA reported that hackers were chaining Zerologon with other vulnerabilities to attack targets (see: Hackers Chaining 'Zerologon,' Other Vulnerabilities).
An Essential Step
Some security experts say Microsoft is taking the right step to ensure that customers' networks remain safe even if they haven't applied the patch.
"Microsoft seems to expect that patching all devices out there will take a substantial amount of time, so it takes this backup approach to mitigate the risk for its customers," says Dirk Schrader, global vice president at security firm New Net Technologies. "The difficulty for those customers, given the pandemic situation of working from home, is to find and patch all vulnerable devices. It is time to scan and check all devices, monitor them for unwanted changes, to find and patch as quickly as possible."
Jigar Shah, vice president of security firm Valtix, notes that Active Directory remains important to companies that rely on cloud platforms, such as Azure. So, they want to be assured that their infrastructure is secure even if that requires Microsoft to force the issue.
"Active Directory domain controllers are still fundamental to enterprise apps in public clouds,” Shah says. “And the battle is to continuously and automatically do virtual patching until software vendors roll out patches that can be deployed, something that often takes weeks and months. Until the Microsoft patch is deployed, security administrators want to quickly, in real time, find out which vulnerable systems might be compromised."