The critical Windows Zerologon vulnerability (CVE-2020-1472) was patched by Microsoft on August Patch Tuesday; however, despite the seriousness of the vulnerability – rated 10/10 for severity – there are still some organizations that have yet to apply the patch.
Microsoft has now announced that from February 9, 2021 it will be enabling domain controller enforcement mode by default, which will help to ensure that the threat of exploitation is mitigated. The Zerologon flaw is being actively exploited to gain access to computer networks. According to CISA, an exploit for the flaw was publicly available on September 14 and the following day the exploit was used in an attack on a healthcare company. In October, Microsoft issued an alert urging organizations to apply the patch due to ongoing attacks exploiting the flaw. Several APT groups had been observed exploiting the flaw.
The Zerologon flaw is as serious as they come. Domain controllers respond to authentication requests and verify users on the network. If the flaw is exploited, an attacker will be authenticated on the network and would be able to compromise all Active Directory identity services.
Domain controller enforcement mode blocks vulnerable connections from non-compliant devices. “DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device,” explained Aanchal Gupta, Microsoft VP of engineering. Secure RPC authenticates the host and the user that makes a request for a service.
Microsoft has advised all organizations to take four steps to protect against attacks exploiting the Zerologon vulnerability. First, update all domain controllers and ensure the latest security patch is applied. Next, identify which devices are making vulnerable connections by monitoring the domain controllers' event logs. Address any non-compliant devices that are making vulnerable connections, and then enable domain controller enforcement mode.
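As an added example (not part of the article or of Microsoft's own guidance), the following PowerShell covers the second, third and fourth steps above. Run on a patched domain controller, it pulls the Netlogon events that the CVE-2020-1472 update writes to the System log, summarises which machine accounts are still making vulnerable Netlogon secure channel connections (the devices to fix or explicitly except before enforcement is switched on), and then reports whether enforcement mode is already active. The event IDs 5827 to 5831 and the FullSecureChannelProtection registry value are the names Microsoft documents for the update; the regular expression assumes the English event message text, and the seven-day window is an arbitrary default.

```powershell
# Added example, not from the article. Run on a patched domain controller with
# rights to read the System log. The update for CVE-2020-1472 makes the Netlogon
# service log these System-log events:
#   5827, 5828  vulnerable Netlogon secure channel connection denied
#   5829        vulnerable connection allowed (only logged while enforcement is off)
#   5830, 5831  vulnerable connection allowed because of an explicit policy exception
# Accounts that appear here are the non-compliant devices that need fixing
# (or a deliberate exception) before enforcement mode is turned on.

param([int]$Days = 7)   # look-back window; arbitrary default

$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-$Days)
}

$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Host "No vulnerable Netlogon connection events in the last $Days days."
}

$rows = foreach ($e in $events) {
    # Assumption: the English message template carries the caller in a
    # "Machine SamAccountName:" line; fall back to the first event property.
    $account = if ($e.Message -match 'SamAccountName:\s*(\S+)') {
        $Matches[1]
    }
    elseif ($e.Properties.Count -gt 0) {
        [string]$e.Properties[0].Value
    }
    else {
        '<unknown>'
    }

    $outcome = switch ($e.Id) {
        { $_ -in 5827, 5828 } { 'denied' }
        5829                  { 'allowed (enforcement off)' }
        default               { 'allowed (policy exception)' }
    }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Outcome     = $outcome
        Account     = $account
    }
}

# One summary line per account: volume, outcomes seen, and the last occurrence.
$rows |
    Group-Object Account |
    ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Name
            Events   = $_.Count
            Outcomes = ($_.Group.Outcome | Sort-Object -Unique) -join ', '
            LastSeen = ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum
        }
    } |
    Sort-Object Events -Descending |
    Format-Table -AutoSize

# Enforcement mode is controlled by this Netlogon registry value: 1 = enforced.
# Absent or 0 means the DC still allows vulnerable connections and logs 5829 instead.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$value  = (Get-ItemProperty -Path $params -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($value -eq 1) {
    Write-Host 'FullSecureChannelProtection = 1: domain controller enforcement mode is on.'
}
else {
    Write-Host 'FullSecureChannelProtection is not 1: enforcement mode is off; expect 5829 events until it is enabled.'
}
```

Run it on every domain controller in the forest, since each DC only logs the connections it handled itself. Any account listed with an "allowed (enforcement off)" outcome is one that would be blocked once enforcement mode is on, so it should either be patched or updated to use secure RPC, or deliberately added to the exception group policy before the February 9, 2021 change.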