Microsoft has warned IT security admins that starting with its Feb. 9, 2021, security update, it will enable Domain Controller (DC) enforcement mode by default as a means of addressing a Critical remote code execution vulnerability affecting the Netlogon protocol.
This move will block vulnerable connections from noncompliant devices, according to a Microsoft Security and Response Center blog post. DC enforcement mode requires both Windows and non-Windows devices to use secure Remote Procedure Call (RPC) with a Netlogon secure channel, unless a business has allowed an account to be exposed by adding an exception for a noncompliant device.
CVE-2020-1472 is a privilege escalation flaw in the Windows Netlogon Remote Protocol (MS-NRPC) with a CVSS score of 10. It could enable an unauthenticated attacker to use MS-NRPC to connect to a domain controller and gain full admin access.
Since it was fixed in August, the "Zerologon" bug has been seen in active campaigns from Iranian threat group Mercury. The DHS's Cybersecurity and Infrastructure Security Agency (CISA) later issued an emergency directive for the flaw, requiring federal agencies to patch immediately.
Microsoft advises businesses to update Domain Controllers with the security update released Aug. 11, 2020, monitor event logs to find devices making vulnerable connections, address any noncompliant devices making vulnerable connections, and enable DC enforcement mode.
Read the full MSRC blog post for more details.