The Netlogon Remote Protocol (also called MS-NRPC) is an RPC interface that is used exclusively by domain-joined devices. MS-NRPC includes authentication procedures and a method of establishing a Netlogon secure channel.
An elevation of privilege vulnerability exists in MS-NRPC that makes it possible for an attacker to establish a vulnerable Netlogon secure channel connection to a domain controller. An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
This Management Pack will help you adress these issues.
Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.
See Microsoft CVE-2020-1472 for more details.
The OpsLogix NetLogon Secure Channel Compliance Management Pack is intended to help administrators identify vulnerable devices during phase 1, and alert on rejected devices during phase 2.
The following management packs are included in the package:
The following objects are included in the OpsLogix NetLogon Secure Channel Compliance Management Pack:
Root Folder | Parent Folder | Views | Subfolders |
---|---|---|---|
NetLogon Secure Channel Compliance | Monitoring | Active Alerts Noncompliant Device Events Rejected Device Events | None |
Name | Target | Description | Enabled by default |
---|---|---|---|
Discover NetLogon Secure Channel Compliance Active Directory Domain Controller | Windows Server | Discovers Domain Controllers by running the following WMI query: 'SELECT * FROM win32_OperatingSystem WHERE (ProductType = "2") | Yes |
Name | Target | Description | Enabled by default |
---|---|---|---|
Collect Noncompliant Device NetLogon Events | NetLogon Secure Channel Compliance Active Directory Domain Controller | This rule collects NetLogon vulnerable connection events (ID 5829) from the System eventlog on Domain Controllers | Yes |
Collect Rejected Device NetLogon Events | NetLogon Secure Channel Compliance Active Directory Domain Controller | This rule collects NetLogon rejected connection events (ID 5827 and 5828) from the System eventlog on Domain Controllers | Yes |
NetLogon Secure Channel Noncompliant Device Rule | NetLogon Secure Channel Compliance Active Directory Domain Controller | This rule raises warning alerts on NetLogon vulnerable connection events (ID 5829) in the System eventlog on Domain Controllers | No |
NetLogon Secure Channel Rejected Device Rule | NetLogon Secure Channel Compliance Active Directory Domain Controller | This rule raises critical alerts on NetLogon rejected connection events (ID 5827 and 5828) in the System eventlog on Domain Controllers | No |
Before importing the OpsLogix NetLogon Secure Channel Compliance Management Pack into Operations Manager, make sure that the following prerequisites have been
met:
Import the management pack files from the Administration pane in the Operations
Console according to the chapter Management Packs Included.
There is nothing to configure for this Management Pack.
The discovery and the collection rules are enabled by default. The alert rules
are disabled by default. To enable an alert rule, override the parameter
Enabled to True and save it in the Overrides Management Pack.