A first phase patch for the critical vulnerability, tracked as CVE-2020-1472, was issued in August 2020. The first phase of the patch was intended to address the vulnerability on two fronts: blocking both Windows-based domain members and non-Windows PCs that have been configured to disable signing/encryption as well as making changes to the Netlogon protocol for clients that cannot use the required signing/encryption, says Satnam Narang, staff research engineer at the security firm Tenable.
The second patch completes the patching process for those who did not earlier implement enforcement by automatically turning on the protective measures that were included in the August 2020 patch. The second patch effectively brings all users up to the same level of security.
Guarding Against Vulnerability
While Microsoft issued a patch for the Zerologon flaw in August 2020, it s not clear if all the company s customers have applied it to their networks to address the vulnerability. So, Microsoft will begin enabling domain controller enforcement mode by default, according to the company alert. This will block vulnerable connections from non-compliant devices, Microsoft says. Domain controller enforcement mode requires that all Windows and non-Windows devices use secure [remote procedure call] with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device.
Domain controllers respond to authentication requests and verify users on computer networks. By enabling enforcement mode, the domain controllers will not allow Netlogon connections from devices that lack secure remote procedure call protocols unless those device accounts have been specifically added via a gro