Azure Sentinel Solution to Find Vulnerable Netlogon Clients


Microsoft is addressing a Netlogon privilege vulnerability in a two-phase rollout that changes how Netlogon handles secure channel connections.

Phase one, deployment, began on Aug 11. In this phase, secure Remote Procedure Call (RPC) is enforced for machine, trust and domain controller accounts. This phase also adds a new group policy object (GPO) and a registry key for managing the configuration, along with five new Event IDs.

In phase two, set to begin Feb 9, 2021, non-compliant machine connections will be denied by default and Event ID 5827 will be logged. Microsoft's solution for finding vulnerable Netlogon connections depends on Azure Sentinel, Microsoft's cloud-based security information and event management (SIEM) platform.
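The Sentinel approach comes down to grouping the new Netlogon events per client account and separating clients that will break at enforcement from clients an administrator has deliberately excepted by policy. The Python below is an added illustration of that triage, not Microsoft's or the page's code; it runs over constructed sample records shaped like Sentinel SecurityEvent rows. The page names only Event ID 5827; the meanings assigned to 5828 through 5831 and the field names are assumptions.

```python
"""Triage Netlogon secure-channel events ahead of the enforcement phase."""
from collections import defaultdict

# Meaning of each of the five Netlogon secure-channel events added by the
# update. Assumed semantics: the page itself names only 5827.
EVENT_MEANING = {
    5827: "denied: machine account used a vulnerable secure channel",
    5828: "denied: trust account used a vulnerable secure channel",
    5829: "allowed: vulnerable connection (deployment-phase warning)",
    5830: "allowed: machine account permitted by explicit policy",
    5831: "allowed: trust account permitted by explicit policy",
}

# Constructed sample events (not real telemetry). SamAccountName is the
# client account that established the Netlogon secure channel.
SAMPLE_EVENTS = [
    {"EventID": 5829, "Computer": "DC01", "SamAccountName": "LEGACYNAS$"},
    {"EventID": 5829, "Computer": "DC01", "SamAccountName": "LEGACYNAS$"},
    {"EventID": 5829, "Computer": "DC02", "SamAccountName": "PRINTSRV$"},
    {"EventID": 5830, "Computer": "DC01", "SamAccountName": "OLDAPP$"},
    {"EventID": 5827, "Computer": "DC02", "SamAccountName": "LEGACYNAS$"},
    {"EventID": 4624, "Computer": "DC01", "SamAccountName": "WS01$"},
]


def triage(events):
    """Group Netlogon events per client account and flag those that will be
    denied once enforcement begins (5829 today; 5827/5828 already denied)."""
    report = defaultdict(lambda: {"event_ids": set(), "count": 0})
    for ev in events:
        eid = ev["EventID"]
        if eid not in EVENT_MEANING:
            continue  # not one of the Netlogon secure-channel events
        entry = report[ev["SamAccountName"]]
        entry["event_ids"].add(eid)
        entry["count"] += 1
    for entry in report.values():
        ids = entry["event_ids"]
        # 5830/5831 mean an admin consciously excepted the account by policy.
        entry["needs_fix"] = bool(ids & {5827, 5828, 5829})
        entry["policy_exception"] = bool(ids & {5830, 5831})
    return dict(report)


def clients_to_remediate(events):
    """Sorted accounts that must be patched or excepted before enforcement."""
    return sorted(a for a, e in triage(events).items() if e["needs_fix"])


if __name__ == "__main__":
    for account, entry in triage(SAMPLE_EVENTS).items():
        print(account, entry)
    print("remediate before enforcement:", clients_to_remediate(SAMPLE_EVENTS))
```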

Read more here on the recommendations and updates required before Feb 9, 2021, to avoid devices being denied access.
