Are you vulnerable to Zerologon?

Short answer: You are vulnerable to Zerologon (CVE-2020-1472) if you are using an outdated or unpatched Windows Server or machine.

In August 2020, many businesses and users of Microsoft services received emails warning of the potential threat and urging users to update to the latest patch. 

Should you be concerned?

YES.

Another patch will be coming in February 2021 that will change the way systems communicate with Active Directory.

Regardless of if you’re running up-to-date or legacy systems, you will need to ensure all business machines (i.e., Servers, Desktops, Laptops, Printers) are configured to continue communicating with Active Directory after the February 2021 patch release.

Here we’ll explain what you need to know about Zerologon and how to prepare for any changes.

Get our Ransomware Prevention & Response Guide

Is your business prepared for a cyber attack? Ransomware can happen to any company at any time.

Here’s what you need to know and how to get started.

What is Zerologon?

Zerologon is a vulnerability in Microsoft’s Netlogon authentication process. This vulnerability allows attackers access to Microsoft Active Directory domain controllers.

Attackers exploiting this loophole can gain access to and impersonate any computer on your network.

How to tell if you are vulnerable to Zerologon

You can tell if you are vulnerable depending on how your IT environment is currently set up.

First question you need to ask yourself…

Do I have outdated operating systems in my environment?

For Windows Servers, anything below Windows Server 2008 R2 no longer receives patching.

For workstations, anything below Windows 8.1 no longer receives patching.

(See list of Microsoft Windows versions and support statuses)

Second question…

Do you have a robust patch management solution?

It’s not uncommon for people or organizations to hold off on patching to avoid perceived interruptions.

Patching is not an option in this day in age.

Never opt-out of patching.

If you are unsure about either of these questions, check with your IT support team or have a professional systems analysis conducted.

How do I prevent Zerologon?

Microsoft has provided the following guidance:

• UPDATE your Domain Controllers with an update released August 11, 2020, or later.
• FIND which devices are making vulnerable connections by monitoring event logs.
• ADDRESS non-compliant devices making vulnerable connections.
• ENABLE enforcement mode to address CVE-2020-1472 in your environment.

You should also implement the best practices below.

Always have a secure offline backup

If attackers gain access to your systems through Zerologon, your data will be at immediate risk. 

Creating an offline backup separate from your IT environment will ensure you have a fallback if the worst scenario occurs.

Backups are the only legal way to restore data if cybercriminals get ahold of your data.

Keep legacy machines separated

Your security is only as good as the weakest link.

If you MUST have a legacy machine for whatever reason, it should be separated from your IT environment as much as possible.

Check out our Ransomware Prevention Guide for more cyber security best practices.

Preparing for Microsoft’s February 2021 patch 

Microsoft plans to release another patch in February 2021. This patch will effectively change how systems communicate with Active Directory, adding a new layer of security. 

Machines that still communicate using Netlogon will need to be identified and added as exceptions to your Active Directory domain controller.

Patched domain controllers will identify problematic devices in the event log. 

Doing this ahead of time will ensure a seamless and secure transition into 2021.

Need help with your IT?