• Patch Lady – make sure your domain controllers are patched

    #2298639

    Microsoft is seeing active attacks for the “Zerologon” exploit that could take over a domain.  Note this is not important for home users, only domain
    [See the full post at: Patch Lady – make sure your domain controllers are patched]

    Susan Bradley Patch Lady/Prudent patcher

    • #2298652

      Just a reminder that Samba is also vulnerable. I had compiled a few pieces here:

      Zerologon Exploits are used in the wild, patching (Windows Server, Samba) recommended

      Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

      https://www.borncity.com/win/

    • #2298666

      0patch has released a micropatch for Server 2008 R2.

    • #2298681

      Is there anything in the SEPTEMBER patches to protect domain controllers that was NOT in the AUGUST patches?  I have the August patches on my DCs, but hadn’t put the September ones on yet – DEFCON 2 and all.

      • #2298719

        August is good enough, you do not need Sept patches on there.

        Susan Bradley Patch Lady/Prudent patcher

    • #2298682

      Don’t forget that patching DCs is not enough – to enable enforcement mode, you need to set a registry key as well:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

      FullSecureChannelProtection = 1

      You’ll want to do this before the February patch, which will permanently set the secure channel protection to active and will ignore that registry key.  So you’ll need to make sure there are no problems on the domain before then.

      • #2298691

        Is that registry setting read only at startup?  Meaning, do you have to reboot the DCs after making that change?  Thanks!

        • #2298700

          According to the MS article, they mark the reboot as not needed.  I haven’t tested personally.

    • #2298788

      You don’t want to just blindly set that registry key after installing the August updates. You first need to observe the logs for a period of time and determine if you have some devices that are not able to use Secure RPC and add them to the exception group (or remediate them so that they are compliant).

      This article explains the process:

      https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
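
Added example, not part of the thread or of Microsoft's article: a read-only PowerShell check for the "observe the logs first" step described in the replies above. It reports the FullSecureChannelProtection value and summarizes the Netlogon events 5827 to 5831 that patched domain controllers log. The 30-day window and the regex used to pull the account name out of the event message are assumptions.

```powershell
# Added example. Run in an elevated session on a patched domain controller.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$name = 'FullSecureChannelProtection'
$days = 30   # assumed observation window; choose your own

# 1. Registry value quoted in the thread: 1 = enforcement mode, 0 or absent = not enforced.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { $state = 'not set' } else { $state = $current }
"$name on ${env:COMPUTERNAME}: $state"

# 2. Netlogon events logged after the August 2020 update (IDs from the linked article).
$meaning = @{
    5827 = 'denied (machine account)'
    5828 = 'denied (trust account)'
    5829 = 'allowed, vulnerable connection'
    5830 = 'allowed by exception policy (machine account)'
    5831 = 'allowed by exception policy (trust account)'
}
$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827..5831
    StartTime    = (Get-Date).AddDays(-$days)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# 3. One row per event ID and account. The regex is an assumption about the
#    message text; events it does not match are reported as '(see message)'.
$report = $events | ForEach-Object {
    $account = if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '(see message)' }
    [pscustomobject]@{ Id = $_.Id; Account = $account; Time = $_.TimeCreated }
} | Group-Object Id, Account | ForEach-Object {
    [pscustomobject]@{
        Id       = $_.Group[0].Id
        Meaning  = $meaning[$_.Group[0].Id]
        Account  = $_.Group[0].Account
        Count    = $_.Count
        LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
    }
}
$report | Sort-Object Id, Account | Format-Table -AutoSize

# 4. Event 5829 marks devices that would be refused once enforcement mode is on.
$blockers = @($report | Where-Object { $_.Id -eq 5829 })
if ($blockers.Count -eq 0) {
    "No event 5829 in the last $days days on this DC."
} else {
    "$($blockers.Count) account(s) still use vulnerable connections: remediate or add to the exception group before enforcing."
}
```

Run it on every domain controller, since each DC logs only the connections it handled itself.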

       
