Microsoft today warned customers that the updates addressing the Windows Zerologon vulnerability will transition to the enforcement phase starting next month.
Zerologon is a critical-severity security flaw tracked as CVE-2020-1472 that, when exploited successfully, lets attackers escalate privileges to domain administrator and take control of the domain.
“We are reminding our customers that in the Security Update release starting February 9, 2021, we will enable the domain controller enforcement mode by default,” said Anchal Gupta of MSRC Engineering.
“DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with the Netlogon secure channel unless customers have added an exception for the non-compliant device, explicitly allowing the account to be vulnerable.”
Patch deployment details
The patch released as part of the August 2020 Patch Tuesday update enforces secure remote procedure call (RPC) communication for machine accounts on Windows devices, for trust accounts, and for all Windows and non-Windows domain controllers.
It also logs any non-compliant devices in the environment so that system administrators can address their issues or replace the devices before the enforcement phase.
With the February 2021 update, Microsoft will automatically begin enforcing secure RPC communication for all devices on the network and will no longer log non-compliant machines.
Microsoft has also clarified the steps necessary to protect devices against Zerologon attacks after its original guidance confused customers.
The update plan outlined by Microsoft involves going through the following process:
- Update your domain controllers with the August 11, 2020 update or a later one.
- Find which devices are making insecure connections by monitoring the event log.
- Address the non-compliant devices that are making insecure connections.
- Enable enforcement mode to address CVE-2020-1472 in your environment.
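The second and third steps (finding and addressing the devices that still use insecure connections) start with an inventory of what the domain controllers are logging. The PowerShell below is an added example, not code from the article or from Microsoft; it assumes that a patched domain controller writes Netlogon event IDs 5827 to 5831 to its System log and that the event text carries a "SamAccountName:" field naming the connecting account.

```powershell
# Added example (not from the article or Microsoft): summarise which accounts still
# make insecure Netlogon secure channel connections to a patched domain controller.
# Assumed event IDs: 5827/5828 connection denied, 5829 vulnerable connection allowed
# during the deployment phase, 5830/5831 allowed by an explicit exception policy.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # domain controller to query
    [int]$Days = 7                                # look-back window
)

$outcome = @{
    5827 = 'denied (machine account)'
    5828 = 'denied (trust account)'
    5829 = 'allowed, vulnerable (deployment phase)'
    5830 = 'allowed by exception (machine account)'
    5831 = 'allowed by exception (trust account)'
}

$filter = @{
    LogName   = 'System'
    Id        = @($outcome.Keys)
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent reports "no events found" as a non-terminating error; suppress it.
Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*NETLOGON*' } |
    ForEach-Object {
        # The regex over the message text is an assumption about its layout.
        $account = if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
        [pscustomobject]@{
            Account  = $account
            Outcome  = $outcome[$_.Id]
            LastSeen = $_.TimeCreated
        }
    } |
    Group-Object Account, Outcome |
    ForEach-Object {
        # One row per account and outcome: how often, and when it was last seen.
        [pscustomobject]@{
            Account  = $_.Group[0].Account
            Outcome  = $_.Group[0].Outcome
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object LastSeen -Descending)[0].LastSeen
        }
    } |
    Sort-Object Outcome, Account |
    Format-Table -AutoSize
```

Run it against each domain controller; accounts listed under the 5829 outcome are the ones to fix or to cover with an explicit exception before enforcement mode is enabled.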
Zerologon under attack
Soon after news of the Zerologon fix was published in August 2020, researchers published proof-of-concept Zerologon exploits that let attackers easily gain administrative access to a domain controller.
With the release of public exploits, Microsoft warned that threat actors quickly adopted them and began exploiting Zerologon in attacks.
A month later, Microsoft added Zerologon exploit detection to Microsoft Defender for Identity, making it possible for security teams to detect on-premises attacks that try to abuse this critical vulnerability.
Gupta said that organizations that deploy Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) or Microsoft 365 Defender (formerly Microsoft Threat Protection) can detect attempts to exploit this specific vulnerability against their domain controllers.