Secure RPC – CVE-2020-1472
You see “Access Denied” errors when connecting to your file shares, and events 5827 and 5828 appear in the System event log on your domain controllers.
In the storage logs you also see an error such as: AUTH: Domain Controller error: NetLogon error 0xc0000022: – Filer’s security information differs from domain controller. 0xC0000022 is STATUS_ACCESS_DENIED: the DC rejected the filer’s Netlogon secure channel.
The cause is the fix for CVE-2020-1472 (the Netlogon elevation-of-privilege vulnerability known as Zerologon), which Microsoft released in two phases together with new Netlogon events:
August 11, 2020 – Initial Deployment Phase
In August, Microsoft released the first phase of a two-phase fix to force secure RPC with Netlogon.
In this phase the DCs already require secure RPC from Windows machine accounts, trust accounts and other DCs, but still accept vulnerable (unsigned and unsealed) Netlogon secure channel connections from non-Windows devices; each such connection is only flagged with a warning in the System event log on the domain controller.
Event ID 5829 is logged whenever a vulnerable Netlogon secure channel connection is allowed.
February 9, 2021 – Enforcement Phase
The second phase activates an enforcement mode. “The DCs will now be in enforcement mode regardless of the enforcement mode registry key. This requires all Windows and non-Windows devices to use secure RPC with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device.”
Event IDs 5827 (machine account) and 5828 (trust account) are logged when a vulnerable Netlogon connection is denied.
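The first thing a practitioner wants from these events is a list of which accounts are still hitting them, on which DCs, and whether they are already being denied. The PowerShell below is an added example (not from the original page or from Microsoft): it reads the Netlogon events 5827 to 5831 from the System log of one or more DCs and builds one row per account. The event IDs and their meaning follow the Microsoft guidance quoted above; the message field names it parses (“Machine SamAccountName:”, “Trust Name:”, “Machine Operating System:”) are assumptions about the text Netlogon writes, and the sample events at the bottom are constructed so the report can be run offline.

```powershell
# Added example: triage Netlogon secure-channel events from the CVE-2020-1472 fix.
$NetlogonEventMeaning = @{
    5827 = 'DENIED  - vulnerable connection from a machine account (enforcement)'
    5828 = 'DENIED  - vulnerable connection from a trust account (enforcement)'
    5829 = 'ALLOWED - vulnerable connection from a machine account (deployment phase only)'
    5830 = 'ALLOWED - machine account listed in the "Allow vulnerable" policy'
    5831 = 'ALLOWED - trust account listed in the "Allow vulnerable" policy'
}

function Get-NetlogonVulnerableChannelEvents {
    # Pull the events from the System log (provider NETLOGON) of each DC given.
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 30
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = @(5827, 5828, 5829, 5830, 5831)
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    foreach ($dc in $ComputerName) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ DC = $dc; Id = $_.Id; TimeCreated = $_.TimeCreated; Message = $_.Message }
            }
    }
}

function ConvertTo-NetlogonReport {
    # One row per (account, event ID): who still needs a vendor fix or an exception.
    param([Parameter(ValueFromPipeline)] $Event)
    begin { $rows = @{} }
    process {
        # Field names are assumptions about the Netlogon message text; 5828/5831 name a trust, not a machine.
        $acct = if ($Event.Message -match '(?m)^\s*(?:Machine SamAccountName|Trust Name):\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
        $os   = if ($Event.Message -match '(?m)^\s*Machine Operating System:\s*(.+?)\s*$') { $Matches[1] } else { '' }
        $key  = "$acct|$($Event.Id)"
        if (-not $rows.ContainsKey($key)) {
            $rows[$key] = [pscustomobject]@{
                Account = $acct; EventId = $Event.Id; Meaning = $NetlogonEventMeaning[$Event.Id]
                OS = $os; Count = 0; LastSeen = $Event.TimeCreated; DCs = @()
            }
        }
        $rows[$key].Count++
        if ($Event.TimeCreated -gt $rows[$key].LastSeen) { $rows[$key].LastSeen = $Event.TimeCreated }
        if ($rows[$key].DCs -notcontains $Event.DC) { $rows[$key].DCs += $Event.DC }
    }
    end { $rows.Values | Sort-Object EventId, Account }
}

# Constructed sample events in the shape Get-WinEvent returns, so this runs offline.
# In production replace $sample with: Get-NetlogonVulnerableChannelEvents -ComputerName (Get-ADDomainController -Filter *).HostName
$sample = @(
    [pscustomobject]@{ DC = 'DC01'; Id = 5827; TimeCreated = (Get-Date); Message = @'
The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.

Machine SamAccountName: FILER01$
Domain: CORP
Account Type: Workstation Trust Account
Machine Operating System: third-party NAS appliance (constructed value)
'@ },
    [pscustomobject]@{ DC = 'DC02'; Id = 5829; TimeCreated = (Get-Date).AddDays(-1); Message = @'
The Netlogon service allowed a vulnerable Netlogon secure channel connection.

Machine SamAccountName: FILER01$
Domain: CORP
Account Type: Workstation Trust Account
Machine Operating System: third-party NAS appliance (constructed value)
'@ }
)
$sample | ConvertTo-NetlogonReport | Format-Table -AutoSize
```

Run it against all DCs, not just one: Netlogon events are logged on whichever DC the device happened to talk to, so a single-DC view will miss accounts. A 5829 row before February 2021 is a device that will start failing once enforcement mode is active; a 5827 row is one that already does.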
How to fix the issue –
- If the source device is a Windows device, make sure it is up to date and running a supported version of Windows.
- Check that Domain member: Digitally encrypt or sign secure channel data (always) is set to Enabled.
Location – Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
- For non-Windows devices (a storage appliance such as the filer above, or a third-party DC) that still use vulnerable Netlogon secure channel connections, these events are logged in the System event log on the domain controller. If one of these events is logged:
- Recommended – Work with the device manufacturer (OEM) or software vendor to get support for secure RPC with Netlogon secure channel.
- Vulnerable (short-term) – If a non-compliant device cannot support secure RPC with Netlogon secure channel before the DCs are in enforcement mode, add its account using the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy described below.
- Allowing vulnerable connections from 3rd-party devices.
Use the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy to add non-compliant accounts. This should only be considered a short-term remedy until the non-compliant devices are addressed as described above. Note: allowing vulnerable connections from non-compliant devices has an unknown security impact (those devices remain exposed to CVE-2020-1472) and should be done with caution.
- Create a security group(s) for accounts which will be allowed to use a vulnerable Netlogon secure channel.
- In Group Policy, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
- Search for “Domain controller: Allow vulnerable Netlogon secure channel connections”.
- If the Administrators group, or any group not created specifically for use with this Group Policy, is present, remove it.
- Add a security group created specifically for use with this Group Policy to the security descriptor with the “Allow” permission. Note: the “Deny” permission behaves the same way as if the account was not added, i.e. those accounts will not be allowed to make vulnerable Netlogon secure channel connections.
- Once the security group(s) are added, the Group Policy must replicate to every DC.
- Periodically monitor events 5827, 5828 and 5829 to determine which accounts are using vulnerable secure channel connections.
- Add those machine accounts to the security group(s) as needed. Best practice: use security groups in the Group Policy and add accounts to the groups, so that membership is replicated through normal AD replication; this avoids frequent Group Policy updates and replication delays.
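The steps above, carried out from PowerShell, as an added example (not from the original page or from Microsoft). It creates the dedicated security group, adds the non-compliant machine accounts to it, and then checks every DC to confirm the policy has actually replicated and that nothing broader than that group is in the allow list. It assumes the ActiveDirectory RSAT module and rights to create groups and read the DCs’ registry; the group name and the account list are constructed for illustration. The registry value names VulnerableChannelAllowList (the SDDL string the “Allow vulnerable Netlogon secure channel connections” policy writes under the Netlogon service parameters) and FullSecureChannelProtection (the enforcement-mode switch) are stated as assumptions; verify them with gpresult or regedit on one DC before relying on the check.

```powershell
# Added example: provision the exception group and verify the policy on every DC.
Import-Module ActiveDirectory

$GroupName    = 'Netlogon-VulnerableChannel-Allowed'   # assumption: a group used for nothing else
$NonCompliant = @('FILER01$')                          # constructed: accounts seen in 5827/5829 events

# 1. A dedicated group: membership replicates through AD, so the GPO itself never needs editing again.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru `
        -Description 'Temporary exception for CVE-2020-1472 enforcement; remove members once the vendor fix is applied'
}

# 2. Machine accounts (trailing $) are computer objects; warn rather than guess if one is missing.
foreach ($sam in $NonCompliant) {
    $computer = Get-ADComputer -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    if ($computer) { Add-ADGroupMember -Identity $group -Members $computer }
    else           { Write-Warning "No computer object found for $sam; check the SamAccountName in the event" }
}

# 3. Verify on every DC. The policy is stored as an SDDL string; the group's SID must appear as
#    an allow ACE, and broad groups such as BUILTIN\Administrators (SDDL alias BA) must not.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'   # assumption: value names below
$groupSid    = $group.SID.Value
$dcs         = (Get-ADDomainController -Filter *).HostName

Invoke-Command -ComputerName $dcs -ArgumentList $NetlogonKey, $groupSid -ScriptBlock {
    param($Key, $Sid)
    $p = Get-ItemProperty -Path $Key
    [pscustomobject]@{
        DC                          = $env:COMPUTERNAME
        AllowListContainsGroup      = [bool]($p.VulnerableChannelAllowList -match [regex]::Escape($Sid))
        AllowListHasBuiltinAdmins   = [bool]($p.VulnerableChannelAllowList -match ';;;BA\)')
        # 1 = enforcement mode switched on early; after the February 2021 update DCs enforce regardless
        FullSecureChannelProtection = $p.FullSecureChannelProtection
    }
} | Format-Table -AutoSize
```

A DC where AllowListContainsGroup is False after the replication interval has not received the policy yet (or has a different, overriding GPO), and devices that authenticate against it will keep getting 5827. AllowListHasBuiltinAdmins being True means the step of removing the Administrators group from the security descriptor was skipped, which would let any domain-joined machine that is a member of that group keep using vulnerable channels. Re-run the event triage periodically and remove accounts from the group as vendors ship secure-RPC support.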