Ask us how we can help secure your environment with the top 10-12 security enhancements every firm should have. #ITCornerView
As of February 9, 2021, any supported version of Windows Server acting as a Domain Controller will no longer allow legacy, unsupported Windows systems (e.g., Windows 7, Windows Server 2008) to communicate with it unless specific action is taken. As an example, if a Microsoft customer has Windows 7 Pro desktops without Extended Support and a Windows Server 2012 or higher Domain Controller, then on February 9, 2021 those Windows 7 Pro devices will no longer be able to communicate with the Windows Server 2012 or higher Domain Controllers.
The Netlogon Remote Protocol (also called MS-NRPC) is an RPC interface that is used exclusively by domain-joined devices. MS-NRPC includes an authentication method and a method of establishing a Netlogon secure channel. These updates enforce the specified Netlogon client behavior to use secure RPC with Netlogon secure channel between member computers and Active Directory (AD) domain controllers (DC).
This security update addresses the vulnerability by enforcing secure RPC when using the Netlogon secure channel, in a phased release explained in the "Timing of updates to address Netlogon vulnerability CVE-2020-1472" section of the Microsoft article. To protect the AD forest, all DCs must be updated, since it is the DCs that enforce secure RPC with Netlogon secure channel. This includes read-only domain controllers (RODC).
The February 9, 2021 release marks the transition into the enforcement phase. The DCs will now be in enforcement mode regardless of the enforcement mode registry key. This requires all Windows and non-Windows devices to use secure RPC with Netlogon secure channel, or the non-compliant device's account must be explicitly allowed by adding an exception for it. This release:
Event ID 5829 is generated when a vulnerable connection is allowed during the initial deployment phase. These connections will be denied when DCs are in enforcement mode. In these events, focus on the machine name, domain and OS versions identified to determine the non-compliant devices and how they need to be addressed.
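To turn the Event ID 5829 guidance above into an inventory, the following PowerShell script is an added example (it is not from the original page, from Microsoft or from Cornerstone.IT). It pulls 5829 events from the System log of one or more domain controllers, extracts the machine account, domain, OS version, build and client IP from each event's message text, and groups them per account so you can see which devices still depend on vulnerable connections and when each was last seen. Assumptions: it is run with rights to read the System log on each DC, the NETLOGON provider writes 5829 to the System log, and the message field labels used in the regular expressions match the text of the 5829 event as described in the Microsoft article; if a label differs in your environment, that field is simply reported as empty rather than breaking the script.

```powershell
# Added example: inventory devices still using vulnerable Netlogon secure
# channel connections by summarizing Event ID 5829 from domain controllers.
# Not from the original page or from Microsoft. Assumes read access to the
# System log on each DC and that the field labels below match the event text.
param(
    [string[]]$DomainController = @($env:COMPUTERNAME),  # DCs to query
    [int]$Days = 30                                      # look-back window
)

# Field labels as described for event 5829 in the Microsoft article
# (assumption: these labels appear verbatim in the event message).
$fieldPattern = [ordered]@{
    Account  = 'Machine SamAccountName:\s*(?<v>\S+)'
    Domain   = 'Domain:\s*(?<v>\S+)'
    OS       = 'Machine Operating System:\s*(?<v>[^\r\n]*)'
    Build    = 'Machine Operating System Build:\s*(?<v>[^\r\n]*)'
    ClientIP = 'Client IP Address:\s*(?<v>\S+)'
}

function ConvertFrom-NetlogonEvent {
    # Turn one 5829 EventRecord into a flat object; missing labels yield $null.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $r = [ordered]@{
        TimeCreated = $Event.TimeCreated
        DC          = $Event.MachineName
        EventId     = $Event.Id
    }
    foreach ($k in $fieldPattern.Keys) {
        $r[$k] = if ($Event.Message -match $fieldPattern[$k]) { $Matches['v'].Trim() } else { $null }
    }
    [pscustomobject]$r
}

$since  = (Get-Date).AddDays(-$Days)
$events = foreach ($dc in $DomainController) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5829; StartTime = $since
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; that is not an error here.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "${dc}: $($_.Exception.Message)"
        }
    }
}

# One row per machine account: OS details from the most recent event,
# total hits in the window, and every client IP it was seen from.
$inventory = $events | ForEach-Object { ConvertFrom-NetlogonEvent $_ } |
    Group-Object Account, Domain |
    ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Account   = $latest.Account
            Domain    = $latest.Domain
            OS        = $latest.OS
            Build     = $latest.Build
            LastSeen  = $latest.TimeCreated
            Count     = $_.Count
            ClientIPs = ($_.Group.ClientIP | Where-Object { $_ } | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Count -Descending

$inventory | Format-Table -AutoSize
$inventory | Export-Csv -Path '.\netlogon-5829-inventory.csv' -NoTypeInformation
```

Run it on (or against) every DC, since each DC only logs the vulnerable connections it served itself; the resulting CSV is the list of accounts to patch, replace or, as a last resort, add to the exception group policy until they can be fixed.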
The ways to address non-compliant devices:
Warning: Allowing device accounts to use vulnerable connections by the group policy will put these AD accounts at risk. The end goal should be to address and remove all accounts from this group policy.
For full details of this situation and its solutions, please read through the Microsoft knowledge base article linked below, or contact Cornerstone.IT immediately; we can help: