Zerologon made its way into our collective awareness in late September 2020, when it was revealed that hackers were actively targeting the vulnerability. While the complete patch was made available this month, on February 9th, 2021, both Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have encouraged companies to use the available partial patch – but many end-users procrastinated, or did not implement the partial patch at all. The reason for a partial patch? The patch, though rolled out by Microsoft in August 2020, was incomplete because the Zerologon flaw is at the protocol level; when protocols are changed without full awareness, network issues can arise.
Now that we have some perspective on the vulnerability, it’s important to review and understand what we can learn from it. Zerologon is by no means a small vulnerability — the CISA has only ever issued a handful of emergency directives. In addition, the flaw was given the maximum severity rating of 10 by the industry-standard Common Vulnerability Scoring System (CVSS).
Here are several things organizations should know about Zerologon, and takeaways they should incorporate and keep in mind for future potential vulnerabilities.
The Need To Know
Zerologon is a critical vulnerability in the Windows Netlogon Remote Protocol (MS-NRPC) that, when exploited, allows a hacker to impersonate any computer, including the root domain controller. Netlogon is a core authentication component of Active Directory, which means it basically provides a secure channel between computers and domain controllers.
Active Directory administrative access is no joke, as it can grant attackers elevated access to primary business applications. With that access, an attacker could modify a group policy to deliver a payload that can be pushed to every Windows computer in someone’s network. Since many ransomware attacks deliver a payload that executes all at once across a network, without any chance to stop it, so this must be taken seriously.
Through Zerologon, Active Directory Group Policy can also be used to infect endpoints, reconfigure security and take control of Active Directory via an unguarded part of the network. Group Policy is specifically a target because it is part of every Active Directory, provides access to control over every system and enables the ability to accomplish almost any task. All of this means that if an attacker is successful in exploiting the flaw, they can do just about anything they want in an IT environment.
Not As Simple As A Patch Fix
While we have the full patch now, which everyone should deploy, Active Directory admins can still expect lingering headaches from Zerologon. Right now, it is critical to make sure every single domain controller is updated to ensure IT infrastructures are secure. Admins must also be aware, though, that cybercriminals who already gained access to the network can escalate their privileges and complete their attack.
As IT is implementing the Zerologon patch, organizations must also disable the default Printer Spooler Service on their domain controllers, as these can be used via Zerologon or other known exploits. In addition, they must verify that there is a backup and recovery solution for their Active Directory should the company be compromised or fall victim to a ransomware attack that affects Active Directory.
To work around the security issue for third-party devices, domain controllers need to be in enforcement mode for all machine accounts using the new FullSecureChannelProtection registry key. This will ensure domain controllers aren’t vulnerable to Netlogon secure channel connections.
However, even with this measure in place, organizations should expect Zerologon to be an ongoing pain point for admins and cybersecurity teams this year. One reason is the slow (or nonexistent) rollout of the partial patch; coupled with the availability of the full patch, IT pros have their hands full.
On top of this, implementing the patch and activating enforcement mode can break legitimate business processes or critical applications (most likely older ones). If an organization has machine accounts relying on vulnerable Netlogon connections, blocking those connections will disrupt the processes dependent on them. To prevent this, IT can make temporary exceptions to enforcement mode for any non-compliant devices that must continue being used.
Keep in mind though, this means some vulnerable connections are deliberately left open — any device in the “allow” list will use those vulnerable connections, and that could expose your environment to the Zerologon attack, Microsoft says.
Once the full patch is implemented, be aware that enforcement mode will be enabled on all Windows domain controllers and IT will not have the ability to disable it. Organizations should be moving away from relying on non-compliant devices anyway, or, at least, add them to the Group Policy allow list and accept the associated risk.
Clearly, patching is critical, but it’s just as important to keep up with patching. More than that, changes and other network activity should be closely monitored, no matter what, and if devices are put on an allow list, there must be continuous auditing in place. That way, if an account accesses services and objects that it doesn’t normally use, the most important Active Directory objects can be locked down.