Microsoft warns admins that Netlogon Domain Controller Enforcement Mode will be enabled by default soon





In a post on the Microsoft Security Response Centre, Microsoft has warned network admins that an upcoming Windows security update will enable Domain Controller enforcement mode by default.

The move addresses a critical remote code exploit in the Netlogon protocol (CVE-2020-1472), in which an attacker can establish a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.

Following the update, devices will only connect using secure RPC with the Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device. This will block vulnerable connections from non-compliant devices.

What to do

To prepare, network admins need to:

  • UPDATE their Domain Controllers with an update released August 11, 2020 or later.
  • FIND which devices are making vulnerable connections by monitoring event logs.
  • ADDRESS non-compliant devices making vulnerable connections.
  • ENABLE Domain Controller enforcement mode to address CVE-2020-1472 in your environment.
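The "find", "address" and "enable" steps above map onto event log monitoring and a single registry value on each domain controller. The script below is an added example, not code from the article or from Microsoft: it summarises, per device account, the Netlogon events a patched DC writes when it sees a vulnerable secure channel connection, and reports (or, with `-Enforce`, sets) the enforcement mode value. The event IDs 5827 to 5831, the NETLOGON event source and the `FullSecureChannelProtection` registry value are taken from Microsoft's KB4557222 guidance that the article refers to rather than from the article itself; the EventData field names `SamAccountName`, `DomainName` and `MachineOs` used for the summary are assumptions, and the script falls back to the first line of the message text if they are absent.

```powershell
<#
  Added example, not from the article or from Microsoft.
  Inventory vulnerable Netlogon secure channel connections on one or more
  domain controllers and report whether enforcement mode is enabled.
#>
[CmdletBinding()]
param(
    [string[]]$DomainController = @($env:COMPUTERNAME),  # DCs whose System log to read
    [int]$Days = 7,                                      # look-back window in days
    [switch]$Enforce                                     # set FullSecureChannelProtection=1 on the local DC
)

# Netlogon event IDs documented in KB4557222 (not reproduced in the article):
#   5827 / 5828 = vulnerable connection DENIED (machine account / trust account)
#   5829        = vulnerable connection ALLOWED during the initial deployment phase
#   5830 / 5831 = vulnerable connection ALLOWED because a group policy exception exists
$netlogonIds = 5827, 5828, 5829, 5830, 5831
$since = (Get-Date).AddDays(-$Days)

function Get-NetlogonData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    # Read the named EventData fields from the event XML so the summary does not
    # depend on the localized message text. The field names are an assumption.
    $fields = @{}
    [xml]$xml = $Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $fields[$d.Name] = $d.'#text' }
    }
    return $fields
}

$rows = foreach ($dc in $DomainController) {
    # SilentlyContinue: Get-WinEvent throws when no matching events exist
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = $netlogonIds
        StartTime    = $since
    }
    foreach ($e in $events) {
        $f = Get-NetlogonData -Event $e
        [pscustomobject]@{
            DomainController = $dc
            EventId          = $e.Id
            Outcome          = $(switch ($e.Id) {
                                   5827 { 'Denied' }
                                   5828 { 'Denied' }
                                   5829 { 'Allowed (deployment phase)' }
                                   default { 'Allowed (GPO exception)' }
                               })
            Account          = $(if ($f.SamAccountName) { $f.SamAccountName } else { ($e.Message -split "`n")[0] })
            Domain           = $f.DomainName
            OS               = $f.MachineOs
            LastSeen         = $e.TimeCreated
        }
    }
}

# One line per device: how often it made a vulnerable connection and whether
# any of those connections were still being allowed (these are the devices to
# fix or to cover with an explicit exception before enforcing).
$summary = $rows | Group-Object Account | ForEach-Object {
    $first = $_.Group | Select-Object -First 1
    [pscustomobject]@{
        Account      = $_.Name
        Domain       = $first.Domain
        OS           = $first.OS
        Events       = $_.Count
        StillAllowed = [bool]($_.Group | Where-Object { $_.EventId -in 5829, 5830, 5831 })
        LastSeen     = ($_.Group | Measure-Object LastSeen -Maximum).Maximum
    }
}
$summary | Sort-Object LastSeen -Descending | Format-Table -AutoSize

# Enforcement mode state on the local DC (KB4557222): FullSecureChannelProtection = 1
# enforces secure RPC for every secure channel; absent or 0 is the pre-February-2021 default.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$current = (Get-ItemProperty -Path $key -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($Enforce) {
    if ($summary | Where-Object StillAllowed) {
        Write-Warning 'Devices listed above are still making vulnerable connections; fix them or add exceptions before enforcing.'
    }
    Set-ItemProperty -Path $key -Name FullSecureChannelProtection -Value 1 -Type DWord
    $current = 1
}
$state = if ($current -eq 1) { '1 (enforcement mode)' } else { 'not set (deployment mode until the February 2021 update)' }
"FullSecureChannelProtection on $($env:COMPUTERNAME): $state"
```

Run it from an elevated PowerShell session on a domain controller (or with `-DomainController dc1,dc2` from a management host that has remote event log access). A device that shows `StillAllowed = True` is one the February update will start rejecting, so it is the one to patch, replace, or cover with the "Allow vulnerable Netlogon secure channel connections" exception before turning enforcement on.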

Admins should review the updated FAQ guidance from August for further clarity on this upcoming change.

The security update that makes the switch to Domain Controller enforcement mode will roll out on the next Patch Tuesday, 9th February 2021.

Read more about the changes at Microsoft here.
