Microsoft Implements Windows Zerologon Flaw ‘Enforcement Mode’

microsoft zerologon flaw

Starting Feb. 9, Microsoft will enable Domain Controller “enforcement mode” by default to address CVE-2020-1472.

Microsoft is taking matters into its own hands when it comes to companies that haven’t yet updated their systems to address the critical Zerologon flaw. The tech giant will soon by default block vulnerable connections on devices that could be used to exploit the flaw.

Starting Feb. 9, Microsoft said it will enable domain controller “enforcement mode” by default, a measure that would help mitigate the threat.

Microsoft Active Directory domain controllers are at the heart of the Zerologon vulnerability. Domain controllers  respond to authentication requests and verify users on computer networks. A successful exploit of the flaw allows unauthenticated attackers with network access to domain controllers to completely compromise all Active Directory identity services.

Supply-Chain Security: A 10-Point Audit

Click to Register – New Browser Tab Opens

Domain Controller enforcement mode “will block vulnerable connections from non-compliant devices,” said Aanchal Gupta, VP of engineering with Microsoft in a Thursday post.  “DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device.”

Secure RPC is an authentication method that authenticates both the host and the user who is making a request for a service.

This new implementation is an attempt to block cybercriminals from gaining network access to domain controllers, which they can utilize to exploit the Zerologon privilege-escalation glitch (CVE-2020-1472). The flaw, with a critical-severity CVSS score of 10 out of 10, was first addressed in Microsoft’s August 2020 security updates.  But starting in September, at least four public Proof-of-Concept (PoC) exploits for the flaw were released on Github, along with technical details of the vulnerability.

The enforcement mode “is a welcome move because it is such a potentially damaging vulnerability that could be used to hijack full Domain Admin privileges – the ‘Crown Jewels’ of any network providing an attacker with God-mode for the Windows server network,” Mark Kedgley, CTO at New Net Technologies (NNT), told Threatpost. “By defaulting this setting it is clear that it is seen as too dangerous to leave open. [The] message to everyone is to patch often and regularly and ensure your secure configuration build standard is up to date with the latest [Center for Internet Security] or [Security Technical Implementation Guide] recommendations.”

Zerologon has grown more serious over the past few months as several threat actors and advanced persistent threat (APT) groups closed in on the flaw, including cybercriminals like the China-backed APT Cicada and the MERCURY APT group.

“Reported attacks began occurring within just two weeks of the vulnerability being disclosed,” Ivan Righi, cyber threat intelligence analyst at Digital Shadows, told Threatpost. “APT10 (aka Cicada, Stone Panda, and Cloud Hoppe) was also observed leveraging Zerologon to target Japanese companies in November 2020.”

The U.S. government has also stepped in to rally organizations to update after the publication of the exploits, with the DHS issuing a rare emergency directive that ordered federal agencies to patch their Windows Servers against the flaw by Sept. 21.

Gupta for his part said that organizations can take four steps to avoid the serious flaw: Updating their domain controllers to an update released Aug. 11, 2020, or later; find which devices are making vulnerable connections (via monitoring log events); addressing those non-compliant devices making the vulnerable connections; and enabling domain controller enforcement.

“Considering the severity of the vulnerability, it is advised that all Domain Controllers be updated with the latest security patch as soon as possible,” Righi told Threatpost.

Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m.

Suggested articles