16 January 21, 10:30
Quote: Microsoft is taking matters into its own hands when it comes to companies that haven’t yet updated their systems to address the critical Zerologon flaw. The tech giant will soon by default block vulnerable connections on devices that could be used to exploit the flaw.
Starting Feb. 9, Microsoft said it will enable domain controller “enforcement mode” by default, a measure that would help mitigate the threat.
Microsoft Active Directory domain controllers are at the heart of the Zerologon vulnerability. Domain controllers respond to authentication requests and verify users on computer networks. A successful exploit of the flaw allows unauthenticated attackers with network access to domain controllers to completely compromise all Active Directory identity services.
Domain Controller enforcement mode “will block vulnerable connections from non-compliant devices,” said Aanchal Gupta, VP of engineering with Microsoft in a Thursday post. “DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device.”
Secure RPC is an authentication method that authenticates both the host and the user who is making a request for a service.
This new implementation is an attempt to block cybercriminals from gaining network access to domain controllers, which they can utilize to exploit the Zerologon privilege-escalation glitch (CVE-2020-1472). The flaw, with a critical-severity CVSS score of 10 out of 10, was first addressed in Microsoft’s August 2020 security updates. But starting in September, at least four public Proof-of-Concept (PoC) exploits for the flaw were released on GitHub, along with technical details of the vulnerability.
The enforcement mode “is a welcome move because it is such a potentially damaging vulnerability that could be used to hijack full Domain Admin privileges – the ‘Crown Jewels’ of any network providing an attacker with God-mode for the Windows server network,” Mark Kedgley, CTO at New Net Technologies (NNT), told Threatpost. “By defaulting this setting it is clear that it is seen as too dangerous to leave open. [The] message to everyone is to patch often and regularly and ensure your secure configuration build standard is up to date with the latest [Center for Internet Security] or [Security Technical Implementation Guide] recommendations.”
Read more: https://threatpost.com/microsoft-impleme...de/163104/
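As an added example (not code from the article or from Microsoft), here is a PowerShell audit an AD admin can run on a patched domain controller before Feb. 9: it summarises the Netlogon events the DC logs for vulnerable secure-channel connections, so the non-compliant devices that will need patching or an explicit exception are visible before enforcement mode is switched on by default. The event IDs and the "Machine SamAccountName" field in the event text are assumed from Microsoft's Netlogon update documentation; the sample events at the bottom are constructed.

```powershell
# Added example, not the article's or Microsoft's code. Assumes it runs on a DC
# (or against exported events) with rights to read the System log.
# Netlogon (source NETLOGON, System log) event IDs logged by the Zerologon updates:
$NetlogonEventMeaning = @{
    5827 = 'Denied (machine account)'
    5828 = 'Denied (trust account)'
    5829 = 'Allowed now - will be DENIED once enforcement mode is on'
    5830 = 'Allowed by explicit policy exception (machine account)'
    5831 = 'Allowed by explicit policy exception (trust account)'
}

function Get-NetlogonEnforcementSummary {
    # $Events: objects with Id, TimeCreated and Message (Get-WinEvent output or equivalent).
    param([Parameter(Mandatory)][object[]]$Events)
    $Events |
        Where-Object { $NetlogonEventMeaning.ContainsKey([int]$_.Id) } |
        ForEach-Object {
            # Account name comes from the "Machine SamAccountName:" line of the event text
            # (assumption: the label is unchanged on your build).
            $account = if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unknown>' }
            [pscustomobject]@{
                Account  = $account
                EventId  = [int]$_.Id
                Meaning  = $NetlogonEventMeaning[[int]$_.Id]
                LastSeen = $_.TimeCreated
            }
        } |
        Group-Object Account, EventId |
        ForEach-Object {
            # Keep the most recent event per (account, event ID) and attach the hit count.
            $latest = $_.Group | Sort-Object LastSeen -Descending | Select-Object -First 1
            $latest | Add-Member -NotePropertyName Count -NotePropertyValue $_.Count -PassThru
        } |
        Sort-Object EventId, Account
}

function Get-NetlogonEnforcementSummaryFromLog {
    # Live query against the local DC's System log for the last $Days days.
    param([int]$Days = 30)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'
        Id = 5827, 5828, 5829, 5830, 5831; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    Get-NetlogonEnforcementSummary -Events @($events)
}

# Constructed sample events so the summary can be exercised without a DC.
$sample = @(
    [pscustomobject]@{ Id = 5829; TimeCreated = Get-Date '2021-01-20 09:00'; Message = 'Allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: OLDNAS01$' }
    [pscustomobject]@{ Id = 5829; TimeCreated = Get-Date '2021-01-21 09:00'; Message = 'Allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: OLDNAS01$' }
    [pscustomobject]@{ Id = 5830; TimeCreated = Get-Date '2021-01-21 10:00'; Message = 'Allowed by policy. Machine SamAccountName: LEGACYPRINT$' }
)
Get-NetlogonEnforcementSummary -Events $sample | Format-Table -AutoSize
```

Accounts listed under 5829 are the ones that will start failing once enforcement mode is on unless they are patched or explicitly added as an exception; 5830/5831 entries show which exceptions are already in place and still worth reviewing.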