Good system security is based on good system management. But face it. Server patching can be every IT department’s nightmare. From the operating system to applications, server patching is never as simple as installing updates and performing a reboot. It’s time consuming, labor intensive, seemingly always risky, and it’s a detailed procedure made more complex by limited maintenance windows requiring testing and validation.
But what happens when Microsoft tells you to patch, but isn’t very clear about the protection it will offer, or the downstream damages it may cause?
Zerologon, a new Windows vulnerability that lets anyone with a network toehold easily take over your domain controllers is a case in point. According to a white paper published by information security firm Secura, “a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls (like updating passwords) on their behalf.”
But here’s the thing according to VertitechIT Chief Technology Officer Gerry Gosselin. Patching is only the first step! The hard part is yet to come, and Microsoft is not being very transparent as far as next steps are concerned.
“The way to fix this is to patch all your Windows devices (especially domain controllers) and watch your event logs to see what on your network is speaking in the old insecure method. Once you’ve taken care of (patch, decommission, allow-list) everything on your network that’s talking via the old insecure method, you then have to manually turn on enforcement mode which further secures Netlogon. The patch fixes the “Zerologon vulnerability” and thwarts the working exploits; that much we’ve tested and confirmed. However, we suspect that despite the patch, organizations that run Windows Active Directory are still vulnerable to something else until they turn on enforcement mode. Perhaps that something else is some future netlogon vulnerability? A cousin to Zerologon? Unfortunately, securing against this future concern means turning on enforcement mode which may break some systems. Microsoft hasn’t given us any guidance as to what kind of systems they may be. We just have to watch our logs and see.”
Gosselin says Microsoft is forcing you to go into enforcement mode in February 2021 but again, “enforcement mode may break other devices. We’re going to have a huge struggle between now and January to test and update a bunch of infrastructures before Microsoft breaks things.”
Terry Grogan, who serves as interim Chief Information Security Officer at Temple University Health in Philadelphia says hospitals who may not be patching (or may be late on patching) could be the most vulnerable. “Even if they are diligent, many hospitals still have older devices or domain controllers that simply can’t be patched anymore, never mind these unknown devices that will be affected come February.”
Gosselin offers the following advice.
- Patch everything you can
- Utilize a log aggregator (like Splunk, Graylog, ELK) to watch for the Windows event log that indicates an older device is using the insecure protocol
- When noted, remediate any issues before going into enforcement mode
For more information on this vulnerability or the outsourcing of server operating system patching of Linux and Microsoft based servers, contact firstname.lastname@example.org.