AntonKrasnogortsev-6201 asked:

CVE-2020-1472 [Zerologon]: no events with warnings 5827, 5828, 5829, 5830 and 5831

Good day! As part of "Managing Changes to Netlogon Secure Channel Connections Related to CVE-2020-1472", I tried to locate events 5827, 5828, 5829, 5830 and 5831 in the System logs on our domain controllers.

Despite the presence of vulnerable test machines (Win7), none of the events mentioned in the article (https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc) appear in the domain controller logs.

The "Domain Controller: Allow vulnerable Netlogon secure channel connections" policy is currently enabled and contains both permissions (for the old DC with 2008 R2) and prohibitions (for the test machine with Win7). In the current situation the Win7 machine has no operational problems, despite the prohibition.

At the moment, we cannot perform "Step 2a. SEARCH" of the specified instruction in our environment, since there are no such events in the logs.

For what reason may the specified events not be displayed in the log?

The controllers receive updates constantly. The latest were from 13 January 2021 (for Windows Server 2019). Our domain consists of these servers: Windows Server 2019 Standard 1809 (17763.1697), Windows Server 2012 R2 (9600), and one 2008 R2 that is scheduled for decommissioning.

Note: since we still have one DC since 2008 R2, the domain level is 2008 R2.


windows-server-2019
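The "Step 2a. SEARCH" part of KB4557222 boils down to pulling the NETLOGON events 5827-5831 from the System log of every domain controller and noting which machine or trust accounts they name. The following PowerShell is an added example written for this page, not code from the question or from the Microsoft article. It assumes the ActiveDirectory RSAT module is installed, that the account running it can read the remote System log on each DC (the "Remote Event Log Management" firewall rules allowed), and that the account name can be parsed from the message text fields "Machine SamAccountName:" and "Trust Name:" that the KB shows for these events. As a second check it reads the FullSecureChannelProtection registry value on each DC, which is what the KB uses to distinguish the initial deployment phase from enforcement mode.

```powershell
# Added example (not from the original post): collect Netlogon secure-channel
# hardening events 5827-5831 from the System log of every DC in the domain and
# report whether each DC is already in enforcement mode.
# Assumptions: ActiveDirectory RSAT module present; remote Event Log access and
# PowerShell remoting to each DC are permitted for the running account.

Import-Module ActiveDirectory

# Event IDs from KB4557222; all are written by source NETLOGON to the System log.
$NetlogonEventIds = @{
    5827 = 'Denied: vulnerable connection from a machine account'
    5828 = 'Denied: vulnerable connection from a trust account'
    5829 = 'Allowed: vulnerable connection during the initial deployment phase'
    5830 = 'Allowed: machine account listed in the "Allow vulnerable Netlogon secure channel connections" policy'
    5831 = 'Allowed: trust account listed in the "Allow vulnerable Netlogon secure channel connections" policy'
}

function Get-NetlogonHardeningEvents {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        [datetime]$StartTime = (Get-Date).AddDays(-30)   # search window, adjust as needed
    )
    foreach ($dc in $DomainController) {
        $filter = @{
            LogName      = 'System'
            ProviderName = 'NETLOGON'
            Id           = [int[]]$NetlogonEventIds.Keys
            StartTime    = $StartTime
        }
        # Get-WinEvent raises "No events were found" when nothing matches. That is
        # exactly the situation in the question, so treat it as an empty result.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Assumption: the account is named in the message text, as shown in the KB.
            $account = if ($e.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] }
                       elseif ($e.Message -match 'Trust Name:\s*(\S+)')         { $Matches[1] }
                       else                                                      { '(not parsed)' }
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $e.TimeCreated
                EventId          = $e.Id
                Meaning          = $NetlogonEventIds[$e.Id]
                Account          = $account
            }
        }
    }
}

function Get-NetlogonEnforcementState {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    foreach ($dc in $DomainController) {
        # FullSecureChannelProtection = 1 means enforcement mode; missing or 0 means
        # the DC (if it has the August 2020 or later update) is in the deployment phase.
        $value = Invoke-Command -ComputerName $dc -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                              -ErrorAction SilentlyContinue).FullSecureChannelProtection
        }
        [pscustomobject]@{
            DomainController            = $dc
            FullSecureChannelProtection = if ($null -eq $value) { '(not set)' } else { $value }
        }
    }
}

# Usage: enforcement state first, then every distinct account that produced an event.
Get-NetlogonEnforcementState | Format-Table -AutoSize

$found = Get-NetlogonHardeningEvents
if (-not $found) {
    Write-Warning 'No NETLOGON 5827-5831 events found on any DC in the search window.'
}
$found | Sort-Object EventId, Account -Unique | Format-Table -AutoSize
```

An empty result from this script means only that no domain controller logged a vulnerable-connection attempt in the window; it does not by itself say whether the clients are patched or whether enforcement is active, which is why the registry check is reported alongside the events.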

Hi,

I think I have the same problem.
We have some Windows 7 clients & Server 2008 running. But on the domain controllers (2012 R2) I don't see any 5827, 5828, ... entries in the System event log.
All working fine. I updated one of the domain controllers and there are no issues.
That's strange.

VickyWang-MFST answered:

Hi,

Thank you for posting in our forum

There is a detailed method to solve the error in the links below; you can try it first, and continue to update here if there is no solution.

reference:
https://dirteam.com/sander/2020/08/11/knowledgebase-you-experience-warnings-with-eventid-5829-on-domain-controllers/

https://borncity.com/win/2020/09/12/windows-10-v1607-update-kb4571694-creates-id-5827-events-bricks-mmc/

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Hope this information can help you

Best wishes

Vicky

VickyWang-MFST answered:

Hi,

Just checking in to see if the information provided was helpful.
Please let us know if you would like further assistance.

Best Regards,
Vicky
