The Zerologon vulnerability gained spotlight around late September 2020. By then, Microsoft had already released a partial patch for the flaw. However, most Active Directory admins chose to ignore the incomplete patch fearing it might cause network issues, despite it being recommended by Microsoft and the the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
If you weren’t aware of the partial patch, there’s not much to worry. Microsoft released the complete patch recently on Feb 9th, 2021.
Organizations need to take Zerologon seriously because, one, the CISA doesn’t issue emergency directives unless it’s a high-risk vulnerability and two, it was given the maximum severity rating of 10 by the industry standard- Common Vulnerability Scoring System (CVSS).
A closer look
Zerologon is a critical flaw in the Windows Netlogon Remote Protocol (MS-NRPC). Since Netlogon is a key authentication component in AD, affecting it would prove disastrous for the entire AD setup in place.
By exploiting the flaw, an attacker can impersonate any computer in the network, including the root domain controller.
What’s the worst that can happen?
Using the flaw, an attacker can not only gain access to all business-critical applications but also play around with the Group Policy settings.
One can push malicious payloads to all Windows computers in the network, take control of endpoints and even reconfigure security controls in place.
Basically, a nightmare for IT, especially AD admins.
Hence you should deploy the full patch asap and ensure all domain controllers (DCs) are updated.
While rolling out the patch:
- Disable the Printer Spooler service in the respective DCs as they can still be accessed via Zerologon or other exploits.
- Put DCs in enforcement mode for all machine accounts using the new FullSecureChannelProtection registry key. You can make temporary exceptions for any non-compliant device that is business-critical. However Microsoft says any device in the ‘allow list’ could expose the organization’s environment to the vulnerability. So it’s on you to gauge the risk and make necessary exceptions.
Also, note that once enforcement mode is enabled for the Windows DCs, it can’t be rolled back.
Which means, if you have quite a few non-compliant devices, you should either discard them or add them to the Group Policy ‘allow list’. Finally, ensure you lookout of for further patches and closely monitor the network for any suspicious activity, especially the devices that you’ve added to the ‘allow list’.
