Netlogon Secure Channel CVE-2020-1472 Clarification Needed

SecurechannelIT 21 Reputation points
2020-10-07T09:04:06.567+00:00

We have an isolated network with a Server 2016 domain controller which does not get the latest updates whatsoever. OS version is 10.0.14393 N/A Build 14393. If we were to apply the security update as per Initial deployment state as mentioned in the article (https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc), should we just create the registry DWORD below?

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value: FullSecureChannelProtection
Data type: REG_DWORD
Value:0

As per this article (https://support.microsoft.com/en-us/help/4565912/servicing-stack-update-for-windows-10-version-1607), it advises installing SSU - Service stack update (https://www.catalog.update.microsoft.com/Search.aspx?q=KB4565912) before applying any cumulative patch. Is this the approach before we apply the cumulative update (https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=cf7a53b4-c18c-4c38-b4ef-711043f4d178) for domain controllers that don't get regular security updates?

Please advise!


Accepted answer
  1. Dave Patrick 426.1K Reputation points MVP
    2020-10-07T10:06:01.223+00:00

    I'd work through this one including the FAQ near end of document.
    https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

    Yes, the SSU
    https://www.catalog.update.microsoft.com/Search.aspx?q=KB4565912
    is a prerequisite to installing August 11, 2020—KB4571694 (OS Build 14393.3866)
    https://www.catalog.update.microsoft.com/Search.aspx?q=KB4571694

    --please don't forget to Accept as answer if the reply is helpful--

    1 person found this answer helpful.

1 additional answer

  1. Daisy Zhou 18,721 Reputation points Microsoft Vendor
    2020-10-09T09:49:12.157+00:00

    Hello @SecurechannelIT ,

    Thank you for posting here.

    Here are the answers for your reference.

    **Q1:** Should we just create registry DWORD below?
    **A1:** For the registry, setting this registry value to 1 has the same function as the February 9, 2021 updates, that is, it puts the DC into enforcement mode.

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
    Value: FullSecureChannelProtection
    Data type: REG_DWORD
    Value:1

    If we want to move to enforcement mode in advance of the February 2021 enforcement phase, then after all non-compliant devices have been addressed, either by enabling secure RPC or by allowing vulnerable connections with the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, we can set the FullSecureChannelProtection registry key to 1.

    **Q2:** It advises installing SSU - Service stack update before applying any cumulative patch. Is this the approach before we apply cumulative update for domain controllers that don't get regular security updates?
    **A2:** Yes, you are right. It is recommended we install SSU before installing the cumulative update.

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    1 person found this answer helpful.
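
A read-only check that can be run on the patched domain controller before setting FullSecureChannelProtection to 1, added here as an example and not taken from either answer or from Microsoft's article. It assumes the Netlogon event IDs 5827-5831 that KB4557222 documents (they are only logged once the August 2020 update is installed), a "SamAccountName:" field in the event message, and a 30-day look-back window chosen for illustration.

```powershell
# Added example: report the current Netlogon protection mode and the devices
# that still rely on vulnerable secure channel connections. Makes no changes.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$name = 'FullSecureChannelProtection'

function Get-NetlogonProtectionMode {
    # Returns 'NotSet' when the value does not exist, 'Enforcement' when it is 1.
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotSet' }
    if ($prop.$name -eq 1) { return 'Enforcement' }
    return "Value$($prop.$name)"
}

function Get-NetlogonChannelEvents {
    param([int]$Days = 30)
    # 5827/5828 = connection denied, 5829 = vulnerable connection allowed,
    # 5830/5831 = vulnerable connection allowed by the group policy exemption.
    $filter = @{
        LogName   = 'System'
        Id        = 5827, 5828, 5829, 5830, 5831
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches, so it is silenced.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: the account appears after "SamAccountName:" in the message.
            $acct = if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '(unparsed)' }
            [pscustomobject]@{ Id = $_.Id; Account = $acct; Time = $_.TimeCreated }
        }
}

$mode   = Get-NetlogonProtectionMode
$events = @(Get-NetlogonChannelEvents -Days 30)
"FullSecureChannelProtection: $mode"

# One row per event ID and account, most frequent first.
$events | Group-Object Id, Account | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize

$vulnerable = @($events | Where-Object Id -eq 5829)
if ($mode -ne 'Enforcement' -and $vulnerable.Count -gt 0) {
    "$($vulnerable.Count) event(s) 5829 found: address or exempt these accounts before setting $name to 1."
}
```

Accounts listed under 5829 are the non-compliant devices the answer above refers to; an empty 5829 list over a representative period is the signal that setting the value to 1 will not cut off a device.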