Free NetLogon Secure Channel Compliance MP
by Johan Moller, on Nov 5, 2020 1:14:32 PM
Overview
The Netlogon Remote Protocol (also called MS-NRPC) is an RPC interface that is used exclusively by domain-joined devices. MS-NRPC includes authentication procedures and a method of establishing a Netlogon secure channel.
An elevation of privilege vulnerability exists in MS-NRPC that makes it possible for an attacker to establish a vulnerable Netlogon secure channel connection to a domain controller. To exploit the vulnerability, an unauthenticated attacker only needs to run a specially crafted application on a device with network access to a domain controller and use MS-NRPC to connect to it; a successful exploit yields domain administrator access.
This Management Pack will help you identify the devices affected by Microsoft's fix for this vulnerability.
Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.
- In the first phase (starting August 11, 2020), domain controllers will by default continue to accept vulnerable Netlogon secure channel connections, while logging a warning event (ID 5829) in the System log for each one.
- In the second phase (starting February 9, 2021), domain controllers will start rejecting these connections and log an error event (ID 5827 or 5828) in the System log indicating which device tried to connect.
See Microsoft CVE-2020-1472 for more details.
The OpsLogix NetLogon Secure Channel Compliance Management Pack is intended to help administrators identify vulnerable devices during phase 1, and alert on rejected devices during phase 2.
Management Packs Included
The following management packs are included in the package:
- OpsLogix NetLogon Secure Channel Compliance (OpsLogix.NetLogon.RPC.mp): Management Pack containing discoveries, folders, views and rules
- OpsLogix NetLogon Secure Channel Compliance - Overrides (OpsLogix.NetLogon.RPC.Overrides.xml): Management Pack holding overrides targeted at OpsLogix NetLogon Secure Channel Compliance
Management Pack Objects
The following objects are included in the OpsLogix NetLogon Secure Channel Compliance Management Pack:
Folders and Views
Root Folder | Parent Folder | Views | Subfolders |
---|---|---|---|
NetLogon Secure Channel Compliance | Monitoring | Active Alerts, Noncompliant Device Events, Rejected Device Events | None |
Discoveries
Name | Target | Description | Enabled by default |
---|---|---|---|
Discover NetLogon Secure Channel Compliance Active Directory Domain Controller | Windows Server | Discovers Domain Controllers by running the following WMI query: 'SELECT * FROM Win32_OperatingSystem WHERE (ProductType = "2")' (ProductType 2 is a domain controller) | Yes |
Rules
Name | Target | Description | Enabled by default |
---|---|---|---|
Collect Noncompliant Device NetLogon Events | NetLogon Secure Channel Compliance Active Directory Domain Controller | This rule collects NetLogon vulnerable connection events (ID 5829) from the System eventlog on Domain Controllers | Yes |
Collect Rejected Device NetLogon Events | NetLogon Secure Channel Compliance Active Directory Domain Controller | This rule collects NetLogon rejected connection events (ID 5827 and 5828) from the System eventlog on Domain Controllers | Yes |
NetLogon Secure Channel Noncompliant Device Rule | NetLogon Secure Channel Compliance Active Directory Domain Controller | This rule raises warning alerts on NetLogon vulnerable connection events (ID 5829) in the System eventlog on Domain Controllers | No |
NetLogon Secure Channel Rejected Device Rule | NetLogon Secure Channel Compliance Active Directory Domain Controller | This rule raises critical alerts on NetLogon rejected connection events (ID 5827 and 5828) in the System eventlog on Domain Controllers | No |
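The PowerShell below is added here as an illustration and is not part of the OpsLogix management pack. It does by hand what the discovery and the two collection rules do: it confirms the host is a domain controller with the same Win32_OperatingSystem query, reads Netlogon events 5827, 5828 and 5829 from the System log, and summarises which devices they name and whether each one is still only warned about (phase 1) or already rejected (phase 2). The function and variable names are the example's own, and the three sample event messages are constructed to follow Microsoft's documented layout for these event IDs rather than captured from a real domain controller.

```powershell
# Added example, not part of the OpsLogix management pack.
# Confirms the DC role with the discovery's WMI query, then reads the Netlogon
# events the collection rules watch (5829 = vulnerable connection still allowed,
# 5827/5828 = denied) and summarises the devices they name. Run elevated on a DC.

# Same condition as the discovery rule: Win32_OperatingSystem.ProductType 2 = domain controller
function Test-NetlogonDomainController {
    $os = Get-CimInstance -Query 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 2'
    return [bool]$os
}

# Parses one Netlogon event (ID plus message text) into a flat record. The
# "Key: Value" lines follow Microsoft's documented layout for these events;
# 5827 and 5829 name a machine account, 5828 names a trust instead.
function ConvertFrom-NetlogonEvent {
    param(
        [Parameter(Mandatory)][int]$Id,
        [Parameter(Mandatory)][string]$Message,
        [datetime]$TimeCreated = (Get-Date)
    )
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*([^:]+?):\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $state = switch ($Id) {
        5829    { 'Noncompliant (allowed, phase 1)' }
        5827    { 'Rejected (machine account)' }
        5828    { 'Rejected (trust account)' }
        default { 'Unknown' }
    }
    $device = $fields['Machine SamAccountName']
    if (-not $device) { $device = $fields['Trust Name'] }
    [pscustomobject]@{
        TimeCreated = $TimeCreated
        EventId     = $Id
        State       = $state
        Device      = $device
        Domain      = $fields['Domain']
        AccountType = $fields['Account Type']
        OS          = $fields['Machine Operating System']
        ClientIP    = $fields['Client IP Address']
    }
}

# Live query: the same System-log events the MP collection rules read.
function Get-NetlogonComplianceEvent {
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-NetlogonEvent -Id $_.Id -Message $_.Message -TimeCreated $_.TimeCreated }
}

# One row per device: event count, how many were rejections, and the most recent state.
function Get-NetlogonComplianceSummary {
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Group-Object Device | ForEach-Object {
        [pscustomobject]@{
            Device    = $_.Name
            Events    = $_.Count
            Rejected  = @($_.Group | Where-Object { $_.EventId -in 5827, 5828 }).Count
            LastState = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).State
        }
    }
}

# Constructed sample messages in the documented layout (illustrative, not captured from a DC).
$samples = @(
    @{ Id = 5829; When = '2020-11-01 08:00'; Message = @'
The Netlogon service allowed a vulnerable Netlogon secure channel connection.

Machine SamAccountName: OLDNAS01$
Domain: CORP
Account Type: Workstation Trust Account
Machine Operating System: Linux
Machine Operating System Build: 4.19
Machine Operating System Service Pack:
'@ },
    @{ Id = 5827; When = '2021-02-10 09:15'; Message = @'
The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.

Machine SamAccountName: OLDNAS01$
Domain: CORP
Account Type: Workstation Trust Account
Machine Operating System: Linux
'@ },
    @{ Id = 5828; When = '2021-02-10 09:20'; Message = @'
The Netlogon service denied a vulnerable Netlogon secure channel connection using a trust account.

Account Type: Trusted Domain Account
Trust Name: LEGACY
Trust Target: legacy.example
Client IP Address: 10.20.30.40
'@ }
)

# Offline run over the samples; on a DC feed Get-NetlogonComplianceEvent in instead.
$parsed = $samples | ForEach-Object {
    ConvertFrom-NetlogonEvent -Id $_.Id -Message $_.Message -TimeCreated ([datetime]$_.When)
}
Get-NetlogonComplianceSummary -Events $parsed | Format-Table -AutoSize
```

Read the summary the same way as the MP's two views: a device that appears only with event 5829 is still being accepted and should be updated or replaced before the enforcement phase; a device with 5827 or 5828 events is already being rejected and is either broken or was never fixed.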
Implementation
Prerequisites
Before importing the OpsLogix NetLogon Secure Channel Compliance Management Pack into Operations Manager, make sure that the following prerequisites have been met:
- The system is running System Center Operations Manager 2016 or later.
- All Domain Controllers must have the Operations Manager Agent installed and connected to the Management Group.
Installation
Import the management pack files listed under Management Packs Included from the Administration pane in the Operations Console.
Configuration
There is nothing to configure for this Management Pack.
Overrides
The discovery and the collection rules are enabled by default. The alert rules are disabled by default. To enable an alert rule, override its Enabled parameter to True and save the override in the Overrides Management Pack.