Opslogix | Blog

Free NetLogon Secure Channel Compliance MP

Written by Johan Moller | Nov 5, 2020 12:14:32 PM

Overview

The Netlogon Remote Protocol (also called MS-NRPC) is an RPC interface that is used exclusively by domain-joined devices. MS-NRPC includes authentication procedures and a method of establishing a Netlogon secure channel.

An elevation of privilege vulnerability exists in MS-NRPC that makes it possible for an attacker to establish a vulnerable Netlogon secure channel connection to a domain controller. An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.

To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

This Management Pack will help you address these issues.

Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.

  • In the first phase (starting August 11, 2020), domain controllers will by default continue to accept vulnerable Netlogon secure channel connections, while logging warning events in the System log.
  • In the second phase (starting February 9, 2021), domain controllers will start rejecting these connections and log an error event in the System log indicating which device tried to connect.

See Microsoft CVE-2020-1472 for more details.

The OpsLogix NetLogon Secure Channel Compliance Management Pack is intended to help administrators identify vulnerable devices during phase 1, and alert on rejected devices during phase 2.

Management Packs Included

The following management packs are included in the package:

  • OpsLogix NetLogon Secure Channel Compliance
    OpsLogix.NetLogon.RPC.mp
    Management Pack containing discoveries, folders, views and rules
  • _OpsLogix NetLogon Secure Channel Compliance - Overrides
    OpsLogix.NetLogon.RPC.Overrides.xml
    Management Pack holding overrides targeted at OpsLogix NetLogon Secure
    Channel Compliance

Management Pack Objects

The following objects are included in the OpsLogix NetLogon Secure Channel Compliance Management Pack:

Folders and Views

  Root Folder:   NetLogon Secure Channel Compliance
  Parent Folder: Monitoring
  Views:         Active Alerts, Noncompliant Device Events, Rejected Device Events
  Subfolders:    None

Discoveries

  • Discover NetLogon Secure Channel Compliance Active Directory Domain Controller
    Target: Windows Server
    Description: Discovers Domain Controllers by running the following WMI query: 'SELECT * FROM win32_OperatingSystem WHERE (ProductType = "2")'
    Enabled by default: Yes

Rules

  • Collect Noncompliant Device NetLogon Events
    Target: NetLogon Secure Channel Compliance Active Directory Domain Controller
    Description: This rule collects NetLogon vulnerable connection events (ID 5829) from the System event log on Domain Controllers
    Enabled by default: Yes
  • Collect Rejected Device NetLogon Events
    Target: NetLogon Secure Channel Compliance Active Directory Domain Controller
    Description: This rule collects NetLogon rejected connection events (ID 5827 and 5828) from the System event log on Domain Controllers
    Enabled by default: Yes
  • NetLogon Secure Channel Noncompliant Device Rule
    Target: NetLogon Secure Channel Compliance Active Directory Domain Controller
    Description: This rule raises warning alerts on NetLogon vulnerable connection events (ID 5829) in the System event log on Domain Controllers
    Enabled by default: No
  • NetLogon Secure Channel Rejected Device Rule
    Target: NetLogon Secure Channel Compliance Active Directory Domain Controller
    Description: This rule raises critical alerts on NetLogon rejected connection events (ID 5827 and 5828) in the System event log on Domain Controllers
    Enabled by default: No
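The rules above watch for three Netlogon event IDs. As an added example, not part of the OpsLogix Management Pack, the following PowerShell pulls the same events (5827, 5828, 5829) from a Domain Controller's System log and summarises which devices they name, so an administrator can check a DC by hand or cross-check what the MP collects. It assumes an account that can read the System log on the DC, and that the event message contains a "Machine SamAccountName:" or "Trust Name:" line, which is an assumption about the message layout.

```powershell
# Added example, not code from the OpsLogix Management Pack.
# Assumes read access to the System log on the target Domain Controller.
$ComputerName = $env:COMPUTERNAME   # or the DC's name
$Days         = 7

# Event IDs taken from the MP's rule descriptions:
# 5829 = vulnerable connection allowed (phase 1), 5827/5828 = connection rejected (phase 2)
$eventMeaning = @{
    5829 = 'Noncompliant (vulnerable connection allowed)'
    5827 = 'Rejected (machine account)'
    5828 = 'Rejected (trust account)'
}

$filter = @{
    LogName   = 'System'
    Id        = 5827, 5828, 5829
    StartTime = (Get-Date).AddDays(-$Days)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No Netlogon secure channel events (5827/5828/5829) on $ComputerName in the last $Days days."
    return
}

$report = foreach ($e in $events) {
    # Assumption about the message layout: the device is named on a line
    # 'Machine SamAccountName: <name>' (5827/5829) or 'Trust Name: <name>' (5828).
    $device = if ($e.Message -match '(?:Machine SamAccountName|Trust Name):\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Status      = $eventMeaning[$e.Id]
        Device      = $device
    }
}

# One row per device and status, newest first, so phase-1 findings can be
# fixed before phase 2 turns them into outright rejections.
$report |
    Group-Object Device, Status |
    ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{ Device = $latest.Device; Status = $latest.Status; Count = $_.Count; LastSeen = $latest.TimeCreated }
    } |
    Sort-Object LastSeen -Descending |
    Format-Table -AutoSize
```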

Implementation

Prerequisites

Before importing the OpsLogix NetLogon Secure Channel Compliance Management Pack into Operations Manager, make sure that the following prerequisites have been met:

  •  The system is running System Center Operations Manager 2016 or later.
  •  All Domain Controllers must have the Operations Manager Agent installed
     and connected to the Management Group.

Installation

Import the management pack files from the Administration pane in the Operations
Console according to the chapter Management Packs Included.

Configuration

There is nothing to configure for this Management Pack.

Overrides

The discovery and the collection rules are enabled by default. The alert rules
are disabled by default. To enable an alert rule, override the parameter
Enabled to True and save it in the Overrides Management Pack.