Microsoft second-phase "Zerologon" patch kicks in this week

Microsoft is rolling out the second phase of its mitigation against the Zerologon vulnerability in its Netlogon Remote Protocol (NRP), and is warning administrators to be ready for an irreversible change that could lock out non-compliant devices from Active Directory.

From this week, enforcement mode will be switched on by default for NRP.

This enables Secure NRP calls for communications between Active Directory and devices.

It avoids the Zerologon vulnerability that Microsoft warns is more likely to be exploited on unpatched servers.

Dutch security researcher Tom Vervoort discovered the serious Zerologon privilege escalation flaw last year, which rates the maximum 10 out of 10 on the Common Vulnerability Scoring System.

A proof of concept for the CVE-2020-1472 vulnerability that allows attackers to easily obtain domain administrator privileges was released by another security researcher, Dirk-jan Mollenma, in September 2020.

Now, Microsoft says administrators have to take action to protect their environments and to prevent outages.

Apart from updating domain controllers with the initial August 11 2020 and later patches, administrators should monitor event logs to discover which devices attempt to make vulnerable connections.

Such devices need to be addressed as vulnerable connections from them to Active Directory will be blocked on Windows domain controllers from this week.

Enforcement mode cannot be disabled either to continue to allow non-compliant devices to connect to domain controllers.

Customers running the older Windows Server 2008 Release 2 operating system with Service Pack 1 applied need an Extended Security Update (ESU) license to install updates for the Netlogon vulnerability.