The August 2020 patch fixes the Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472). We have to patch all the Domain Controllers to secure our environment from this vulnerability, and its two-part rollout starts in August 2020 and Feb 2021. We have many unanswered questions: Will the August 2020 patch affect the non-secure clients? Is there any known list of affected clients that use non-secure RPC? How do I know how many affected non-compliant devices are connected in our Domain? How do we fix/remediate the non-compliant devices? And will the August 11, 2020 update fix the vulnerability?
Does the August 11, 2020 patch only identify the devices that use non-secure RPC, or does it fix the issue and enforce secure RPC connections? And if so, what is the impact if we have any device using non-secure RPC?
Microsoft included fixes for many vulnerabilities in this update, so we have to patch ASAP.
With respect to the Netlogon vulnerability: yes, it fixes the issue by enforcing secure RPC usage for all Windows-based devices (not for non-Windows devices).
Will the August 2020 patch affect the non-secure clients?
No: there is no impact, because the patch enforces secure RPC usage only for Windows-based devices, which support it natively. There is no outage unless you have very old legacy Windows operating systems (OS).
Windows 2000 and above are not impacted
Is there any known list of affected devices that use non-secure RPC?
Only non-Windows devices are still using non-secure RPC. Install the August 11, 2020 update, then extract Event ID 5829 from the Domain Controllers' System event logs to get the list of affected non-compliant devices.
How can we fix/remediate the non-compliant devices?
Once you have the list of affected non-compliant devices, raise it with the vendor to get a fix that supports secure RPC with the Netlogon secure channel.
What happens to the non-compliant devices after the February 9, 2021 Enforcement Phase?
Try to get them remediated with the help of vendor support. If you still want to keep these non-compliant devices connected to your Domain Controllers, you have to create a security-filtered GPO to "Allow vulnerable Netlogon secure channel connections".
Note: it's not recommended to use non-compliant devices, which can be a security risk to your environment.
Event ID: 5827, 5828, 5830, 5831 and 5829 Not Visible on Domain Controller event logs after August 2020 Update
Currently, we only need to look for Event ID 5829. Check the System event logs on the Domain Controller; if there is no such event, then no non-compliant devices are connecting to that particular Domain Controller.
Event ID 5827 and 5828: logged only if non-secure RPC connections are denied.
Event ID 5830 and 5831: logged if non-secure RPC connections are allowed through the GPO (Allow vulnerable Netlogon secure channel connections).
Event ID 5829: logged whenever a non-compliant device connects using a vulnerable Netlogon secure channel connection. This event can be used to collect the list of non-compliant devices, which need to be remediated before the February 9, 2021 Enforcement Phase.
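One way to collect these events from every Domain Controller and build the non-compliant device list, as an added example that is not part of the original article. It assumes the ActiveDirectory PowerShell module, a 30-day look-back window, an output file name chosen here, and that the event text contains a "Machine SamAccountName:" line.

```powershell
# Added example: inventory Netlogon secure-channel events on every DC.
# Requires the ActiveDirectory module (RSAT) and rights to read remote System logs.
Import-Module ActiveDirectory

$ids   = 5827, 5828, 5829, 5830, 5831
$since = (Get-Date).AddDays(-30)   # assumed look-back window; adjust as needed

$events = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'System'; ProviderName = 'NETLOGON'; Id = $ids; StartTime = $since
        } | ForEach-Object {
            # Assumption: the event text carries a "Machine SamAccountName:" line.
            $name = if ($_.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { '(unparsed)' }
            [pscustomobject]@{
                DC      = $dc.HostName
                Id      = $_.Id
                Time    = $_.TimeCreated
                Account = $name
            }
        }
    }
    catch {
        # Get-WinEvent throws when nothing matches; that means no events on this DC.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            Write-Verbose "$($dc.HostName): no matching events"
        } else {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
    }
}

# Non-compliant devices (5829), de-duplicated across DCs, with last-seen time.
$events | Where-Object Id -eq 5829 |
    Group-Object Account |
    Select-Object @{n='Account';e={$_.Name}}, Count,
                  @{n='LastSeen';e={($_.Group.Time | Measure-Object -Maximum).Maximum}},
                  @{n='DCs';e={($_.Group.DC | Sort-Object -Unique) -join ';'}} |
    Sort-Object Count -Descending |
    Export-Csv -NoTypeInformation -Path .\netlogon-5829-devices.csv

# Per-DC count of each event ID, to see which IDs are present at all.
$events | Group-Object DC, Id | Select-Object Name, Count | Format-Table -AutoSize
```

A Domain Controller that reports a warning instead of "no matching events" was not actually checked, so its absence from the CSV does not mean it has no non-compliant clients.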
Hope this clarifies all the queries related to the Netlogon Elevation of Privilege Vulnerability and the August 11, 2020 patches.