By Need

By Industry

By Function

Cybersecurity & Risk Management

As of Feb 9th Microsoft Enforces Secure RPC with Netlogon Secure Channel–What Does that Mean?

By Randy Becker, CISO & VP, Network and Security Consulting

On February 9th, Microsoft moved into the second phase of enforcing CVE 2020-1472. This affects companies that are still using legacy unsupported Microsoft operating systems. Will Microsoft finally get closer to closing the vulnerability down? How may customers are affected by this?


As Microsoft announced earlier this month, any organizations with supported versions of Windows Server that are used as a Domain Controller will no longer allow unsupported versions of Windows (Server and Workstation) to communicate with the Domain Controllers unless specific action is taken.

The reason for this is that Microsoft will be enforcing secure RPC when using the Netlogon Secure Channel, which secures communication with Domain Controllers.

Read more from Microsoft here:

https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e#bkmk_detectingnon_compliant

Hopefully, you all followed the recommendations from Microsoft to ensure your environment was ready on Feb 9th and the full implementation of Secure RPC with Netlogon Secure Channel. 

Here are Microsoft’s high-level recommendations:

  1. UPDATE your Domain Controllers with an update released August 11, 2020 or later.
  2. FIND which devices are making vulnerable connections by monitoring event logs. (Monitor events 5827, 5828, and 5829 to determine which accounts are using vulnerable secure channel connections.)
  3. ADDRESS non-compliant devices making vulnerable connections.
  4. ENABLE enforcement mode to address CVE-2020-1472 in your environment.

If you are not subscribing to Microsoft ESU to keep your unsupported operating systems patched with current security updates, you may have been left with critical systems being offline. If you also have third-party clients that don’t support secure RPC with Netlogon secure channel, these connections will now be denied by the DCs.

Mitigation Recommendations:

The enforcement kicked in February 9, 2021, with the following:

The process of resolving requires that customers install the August update on all DCs, monitoring for the associated events, and remediating non-compliant devices that are using vulnerable Netlogon secure channel connections.

Of important note, non-compliant devices can be allowed to use vulnerable Netlogon secure channel connections, as noted in the published Microsoft knowledge base. The associated security risk should be thoroughly considered before doing this. This risk is significant and easy to exploit.

If you have any questions or need help with this important update, please reach out to your GreenPages Account Executive to see how we can assist with remediation. 

Randy Becker.

Randy Becker

Randy is responsible for GreenPages’ overall cyber security strategy, including developing comprehensive policies and procedures to protect critical applications while ensuring business agility and velocity. With more than 30 years in the IT industry, Randy has strong expertise in cyber security and risk management; security operations and optimization; infrastructure modernization; and hybrid cloud architecture, design, and implementation. Randy is also a HITRUST Certified CSF Practitioner (CCSFP) which ensures clients have access to the highest level of expertise related to privacy, security, compliance, and risk management.