Lepide Blog: A Guide to IT Security, Compliance and IT Operations

How to Mitigate Zerologon Attacks in Active Directory

Zerologon Attacks

On August 11, 2020, Microsoft released a security update that addressed a critical vulnerability in Active Directory. It carries a CVSS score of 10.0, the maximum possible, making it one of the most critical AD vulnerabilities of all time. What makes this vulnerability particularly severe is that the only requirement for successful exploitation is the ability to establish a network connection with a domain controller.

What is the Zerologon Vulnerability?

Zerologon, also known as CVE-2020-1472, is a critical vulnerability in Microsoft’s Netlogon Remote Protocol (MS-NRPC). MS-NRPC plays a vital role in authentication within Active Directory. This flaw enables an attacker to bypass authentication and obtain administrator-level privileges. By utilizing the Netlogon Remote Protocol, attackers can connect to a domain controller (DC) and modify its password without requiring any authentication, only network access.

There are known proof-of-concept (POC) exploits that are currently active, indicating that real-world attacks are highly probable in the near future. As a result, the Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive instructing government agencies and non-governmental organizations to patch or disable affected Windows servers.

How Do Zerologon Attacks Work?

The Zerologon vulnerability stems from a flawed implementation of the ComputeNetlogonCredential call. This function takes an 8-byte challenge as input and applies a cryptographic transformation using the session key, producing an 8-byte output. The flaw lies in the implementation of the AES-CFB8 mode, which is the only mode allowed in newer Windows versions. AES-CFB8 is only secure when it is used with a random initialization vector (IV), but ComputeNetlogonCredential sets the IV to a fixed value of 16 zero bytes. With a zero IV and an all-zero input, the first keystream byte is the first byte of the AES encryption of the all-zero block under the session key; if that byte happens to be zero, every subsequent byte is derived from the same all-zero state, so encrypting zeros produces an all-zero ciphertext. For a random session key this happens with a probability of 1 in 256. Additionally, Netlogon sessions that are not signed and sealed are not automatically rejected. When combined, these flaws enable an attacker to bypass the authentication process and impersonate a server of their choosing.

Below is a summary of the steps taken during a Zerologon attack:

  • Step 1: Establish an insecure Netlogon channel with a domain controller by spoofing its identity and performing a brute-force attack with an 8 zero-byte challenge and ciphertext. This requires an average of 256 attempts.
  • Step 2: Use the NetrServerPasswordSet2 call to change the password of the domain controller account in Active Directory to an empty one. This disrupts some functionality of the domain controller.
  • Step 3: Use the empty password to connect to the domain controller and extract additional hashes using the DRS protocol.
  • Step 4: Revert the domain controller password to the original one stored in the local registry to avoid detection.
  • Step 5: Employ the extracted hashes from step 3 to launch various attacks like Golden Ticket or pass the hash, using domain administrator credentials.

How Microsoft Addressed the Zerologon Attack Vulnerability

Microsoft has implemented two solutions to address this specific attack. The first solution rejects requests that have the same initial bytes, but this measure still allows for longer brute-force attacks. The second solution rejects channels that are not signed or sealed for all Windows computer accounts, effectively mitigating the attack. Although Windows Netlogon clients typically seal messages, Microsoft chose to allow unsigned sessions for non-Windows computer accounts, which theoretically leaves them vulnerable. However, Microsoft released a patch in February 2021 to address this and reject insecure sessions from non-Windows devices.

How to Mitigate Zerologon Attacks

The August Netlogon patch enforces secure RPC usage for machine accounts, trust accounts, and all Windows and non-Windows DCs. It includes a new group policy that lets administrators exempt specific device accounts that still rely on vulnerable Netlogon secure channel connections. The patch also introduces a FullSecureChannelProtection registry key that enables DC enforcement mode for all machine accounts and logs events for accounts that are denied, or that would be denied once enforcement is active. Additionally, the patches change the Netlogon protocol to protect Windows devices, log events for non-compliant devices, and offer the option to enable protection for all domain-joined devices with exceptions.

Microsoft advises taking additional steps, especially when working with non-Microsoft platforms. Simply installing the August 11 security updates on domain controllers is not enough. While the patch protects Windows devices within a network, non-Microsoft devices can still expose the domain to attacks. To address this, Microsoft started to enforce secure RPC usage for accounts on non-Windows devices from February 2021. Phase two of the enforcement began on February 9, 2021, and all Windows domain controllers now enable enforcement mode, denying vulnerable connections from non-compliant devices unless they are added to the appropriate group policy.

Event Log Analysis: After applying the August (or later) updates, it is important to check the event logs on the domain controller. Look for the following event IDs in the system event log:

  • Event IDs 5827 and 5828 indicate denied connections.
  • Event IDs 5830 and 5831 indicate allowed connections based on the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
  • Event ID 5829 signifies the allowance of a vulnerable Netlogon secure channel connection.

Address these events before configuring the DC enforcement mode or starting the enforcement phase (February 9, 2021). To analyze the impact, export the event logs in .evtx format using a script.

Checking for Insecure Device or Connection Issues: After updating your domain controllers, be sure to check the event logs for Netlogon events that indicate insecure device or connection issues. This will help you prepare for the enforcement phase of the update. To stay ahead, test and assess the impact of the upcoming Netlogon protocol change by making the necessary modifications to your domain controllers' group policy right away. In February 2021, the setting that requires secure channel data to always be encrypted and signed will be enabled and strictly enforced; until then it remains inactive.

Recommended Changes in the Group Policy of Domain Controllers: Before the February Netlogon patch is applied, test and make the necessary changes to your domain controllers' group policy now, because in February 2021 the setting that enforces encryption and signing of secure channel data will be enabled and enforced. That setting is not enabled today.

Enabling the FullSecureChannelProtection Registry Key: Alternatively, you can enable the FullSecureChannelProtection registry key to enforce the DC enforcement mode for all machine accounts. Setting the value to “1” enables enforcement mode, while setting it to “0” allows vulnerable Netlogon secure channel connections from non-Windows devices. However, this option will be deprecated in the enforcement phase release.

Adding Exceptions for Non-compliant Systems: The August update adds a group policy to patched domain controllers, allowing exceptions for non-compliant systems in secure RPC communication. If these systems fail to communicate after the enforcement in February, you can whitelist these transmissions and decide whether to accept the risk or work with your vendors to fix the issue and upgrade.

Installing the August Updates on Domain Controllers: To add exceptions, use the new group policy “Domain controller: Allow vulnerable Netlogon secure channel connections” and link it to the domain controllers' OU. The policy should list the security descriptors of the accounts that need to be excluded. Install the August updates on your domain controllers immediately and review your event logs for legacy systems that may cause issues in February. Start investigating now so that the mandatory enforcement in February does not catch you by surprise.
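A defender-side check that ties together the event IDs and the registry settings described above, written for this post as an added example (it is not Lepide's or Microsoft's code). It assumes the Netlogon events are written to the System log by the provider named NETLOGON, that FullSecureChannelProtection lives under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, and that the exception policy stores its security descriptors in a VulnerableChannelAllowList value in that same key.

```powershell
# Added example for this post (not Lepide's or Microsoft's code). Run elevated on a patched DC.
# Assumes: Netlogon events 5827-5831 are written to the System log by provider "NETLOGON",
# and the enforcement settings live under the Netlogon\Parameters key shown below.

$NetlogonEventMeaning = @{
    5827 = 'DENIED  - vulnerable secure channel connection (machine account)'
    5828 = 'DENIED  - vulnerable secure channel connection (trust account)'
    5829 = 'ALLOWED - vulnerable connection; will be denied once enforcement mode is on'
    5830 = 'ALLOWED - machine account exempted by the "Allow vulnerable..." policy'
    5831 = 'ALLOWED - trust account exempted by the "Allow vulnerable..." policy'
}

function Get-ZerologonNetlogonEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 30)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = [int[]]$NetlogonEventMeaning.Keys
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Meaning     = $NetlogonEventMeaning[$_.Id]
                Summary     = ($_.Message -split "`r?`n")[0]   # first line names the account or device
            }
        }
}

function Get-NetlogonEnforcementConfig {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FullSecureChannelProtection = $p.FullSecureChannelProtection  # 1 = enforcement mode, 0 = allow vulnerable
        VulnerableChannelAllowList  = $p.VulnerableChannelAllowList   # SDDL string written by the exception policy
    }
}

# Usage: count each event type, list the connections that need attention, show the DC's configuration.
$events = Get-ZerologonNetlogonEvents
$events | Group-Object Id | Sort-Object Name | ForEach-Object {
    '{0,5}  {1,4}  {2}' -f $_.Name, $_.Count, $NetlogonEventMeaning[[int]$_.Name]
}
$events | Where-Object { $_.Id -in 5827, 5828, 5829 } | Select-Object -First 20 | Format-Table -AutoSize
Get-NetlogonEnforcementConfig
# Export the same events for offline analysis (.evtx), as the post suggests:
# wevtutil epl System .\netlogon-zerologon.evtx /q:"*[System[Provider[@Name='NETLOGON'] and (EventID>=5827 and EventID<=5831)]]"
```

Any 5827/5828 entries are connections that enforcement has already blocked, while 5829 entries are the devices you must either fix or list in the exception policy before enforcement mode is switched on.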

How Lepide Helps

The Lepide Data Security Platform offers valuable reports that provide insights into the status and activities of domain controllers. These reports are instrumental in determining whether patches have been installed and if enforcement mode is enabled. Lepide specifically reports on the configuration of “Domain controller: Allow vulnerable Netlogon secure channel connections.” Additionally, Lepide’s solution can be used to check if a domain controller has an empty password, which serves as an indication of a potential Zerologon attack. By identifying accounts that are creating specific events, the Lepide platform is able to suggest necessary updates or exceptions. The Lepide Data Security Platform excels at detecting and responding to abnormal AD behavior, including Zerologon attacks.

If you’d like to see how the Lepide Data Security Platform can help to keep your Active Directory secure, schedule a demo with one of our engineers.