CVE-2020-1472

FAQ

Do I need to take further steps to be protected from this vulnerability?

Yes. Installing the August 11, 2020 updates on the domain controllers protects the Windows-based machine accounts, the trust accounts, and the domain controller accounts.

Active Directory machine accounts for domain joined third-party devices are not protected until enforcement mode is deployed. Machine accounts are also not protected if they are added to the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy. See How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 for more details.

If I install the updates and take no further action, what will be the impact?

During the initial deployment phase starting with the updates released August 11, 2020 or later, the updates can be installed without added further action, and Windows devices and Domain Controllers (DCs) will be protected from this vulnerability. Third-party devices will be allowed to make vulnerable connections and might allow attack until enforcement mode is enabled. Organizations will need to monitor for and address potential issues before the Q1 2021 DC enforcement phase or risk devices being denied access. Note Any device in the allow list will be allowed to use vulnerable connections and could expose your environment to the attack. For more information, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472.

How does Microsoft plan to address this vulnerability?

Microsoft is addressing this vulnerability in a phased rollout. The initial deployment phase starts with the Windows updates released on August 11, 2020. The updates will enable the Domain Controllers (DCs) to protect Windows devices by default, log events for non-compliant device discovery, and have the option to enable protection for all domain-joined devices with explicit exceptions.

The second phase, planned for a Q1 2021 release, marks the transition into the enforcement phase. The DCs will be placed in enforcement mode, which requires all Windows and non-Windows devices to use secure Remote Procedure Call (RPC) with Netlogon secure channel or to explicitly allow the account by adding an exception for any non-compliant device.

What is a non-compliant device?

A non-compliant device is one that uses a vulnerable Netlogon secure channel connection.

Why is there a staged or phased rollout?

There are many non-Windows device implementations of the Netlogon Remote Protocol (also called MS-NRPC). To ensure that vendors of non-compliant implementations can provide customers with updates, a second release that is planned for Q1 2021 will enforce protection for all domain-joined devices.

Why do I need to follow the guidelines in How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472?

If the guidelines from the KB article are not followed, your organization risks devices in your environment being denied access when the enforcement phase starts in Q1 2021. If there are currently no non-compliant devices in your environment, you can move to enforcement mode for further protection in advance of required enforcement.

Important update: On September 28, 2020, How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 was updated to provide clarity on new questions and to reinforce actions customers need to take to ensure they are protected.

How can I be notified when the second release is available in Q1 2021?

When the second phase of Windows updates become available, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.