Microsoft continues to roll out changes to mitigate the Zerologon vulnerability and a change due in the February Patch Tuesday could break non-Windows device’s ability to connect to the domain.
The Zerologon vulnerability is a flaw in the Microsoft NetLogon protocol. Tracked as CVE-2020-1472 the vulnerability allows an unauthenticated user to change passwords on the Domain Controller and then leverage that access to take over the whole domain.
Microsoft issued a security patch in August to resolve the issue for Windows devices connecting to the domain controller. However non-windows devices were able to continue to connect using the insecure legacy methods and this was recorded in new events in the windows event logs to allow these devices to be identified and updated.
Microsoft published a simple roadmap to full remediation:
- UPDATE your Domain Controllers with an update released August 11, 2020 or later.
- FIND which devices are making vulnerable connections by monitoring event logs.
- ADDRESS non-compliant devices making vulnerable connections.
- ENABLE Domain Controller enforcement mode to address CVE-2020-1472 in your environment.
In the February security patch Tuesday release (due 9th February 2021) Microsoft will enable by default the Domain Controller enforcement mode to address the ZeroLogon vulnerability. This means any non-windows devices that have not been updated will be unable to connect to the Domain Controller possibly resulting in errors and processing failures.