Microsoft Introduces Windows Zerologon Flaw ‘Enforcement Mode'

In a blog on January 14, Aanchal Gupta, VP Engineering, MSRC addressed a Critical RCE vulnerability affecting the Netlogon protocol (CVE-2020-1472), which was first patched on August 11, 2020. This new notification was to remind customers that beginning with the February 9, 2021 Security Update release Microsoft will be enabling Domain Controller enforcement mode by default.


The cybersecurity community discussed what this means for active directory domain controller security.


Jigar Shah, Vice President at Valtix, a Santa Clara, Calif.-based provider of cloud native network security services:

“Even in the cloud-first era, Active Directory Domain Controllers are still fundamental to enterprise apps in public clouds. And the battle is to continuously and automatically do virtual patching until software vendors roll out patches that can be deployed, something that often takes weeks and months. Until the Microsoft patch is deployed, security administrators want to quickly, in real-time, find out which vulnerable systems might be compromised. We’re seeing organizations ask more and more for creating custom IPS signatures and leverage the large open source community’s contributions which is much faster than any security vendor.”

Ivan Righi, Cyber Threat Intelligence Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions:

“Zerologon (CVE-2020-1472) is a critical vulnerability in the Netlogon protocol that was patched on Microsoft's Patch Tuesday in September 2020. The vulnerability has been actively exploited in the wild by many cybercriminals since its disclosure. The Iranian APT MuddyWater actively exploited the flaw in cyberespionage campaigns, the threat group Chimborazo (TA505) took advantage of the flaw in financially motivated attacks, and the operators of the Ryuk ransomware variant used the vulnerability to launch extortion-based attacks. Reported attacks began occurring within just two weeks of the vulnerability being disclosed. APT10 (aka Cicada, Stone Panda, and Cloud Hoppe) was also observed leveraging ZeroLogon to target Japanese companies in November 2020.

Considering the severity of the vulnerability, it is advised that all Domain Controllers be updated with the latest security patch as soon as possible. Microsoft stated that beginning on 09 Feb 2021, Domain Controller enforcement mode will be enabled by default as a preventative measure to ensure systems are updated and protected against this vulnerability. This will reject all attempted connections using the old Netlogon protocol, although exclusion could still be set for legacy devices.”

Terence Jackson, Chief Information Security Officer at Thycotic, a Washington D.C. based provider of privileged access management (PAM) solutions:

“This is good example of a security vendor recognizing an issue and implementing a solution to enable security by default to protect a critical attack vector in its customers environments.”

Dirk Schrader, Global Vice President at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software:

“This measure taken by Microsoft is a testament to the severity of the Zerologon vulnerability. Microsoft seems to expect that patching all device out there will take a substantial amount of time, so it takes this backup approach to mitigate the risk for its customers. The difficulty for those customers, given the pandemic situation of working from home, is to find and patch all vulnerable devices. It is time to scan and check all devices, monitor them for unwanted changes, to find and patch as quickly as possible.”


###