IMPORTANT ADVISORY: New Windows exploit lets an attacker instantly become admin

  • SSS GRC Team
  • Sep 18, 2020

In August Microsoft released a security update that resolved a critical vulnerability in all of its supported versions of Windows Server.

As of 18 September, many publicly available exploits for this vulnerability are circulating. They allow an attacker who can reach a domain controller over the Netlogon Remote Protocol (MS-NRPC) to gain Domain Administrator access. This means any exploit that gives an attacker a foothold on your internal network (phishing, browser exploitation, etc.) can be followed immediately by an attack that provides full control of your Windows domain.

Unlike most Microsoft updates, this is not one we can simply install and forget.

We are urging all clients to ensure they fully understand its implications and quickly implement it in the manner that makes the most sense for their specific circumstances. Please see Microsoft’s detailed information here: https://support.microsoft.com/en-nz/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc.

Briefly, Microsoft is releasing the fix for this vulnerability in two phases (the August patch and another in February). By default, last month’s patch fixes the vulnerability on the domain controllers themselves, but still allows non-compliant devices to continue authenticating to the domain. It also includes an option to deny authentication to these devices.

In February Microsoft will release a further patch that forces all domain controllers into enforcement mode; from then on, you will need to take specific action to support any devices that cannot use the updated implementation of MS-NRPC.
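To see where a domain controller stands before February, the following PowerShell audit (an added example, not part of this advisory or of Microsoft’s article) reports whether enforcement mode is already on and which devices are still connecting over the vulnerable Netlogon secure channel. It relies on the FullSecureChannelProtection registry value and the NETLOGON event IDs 5827 to 5831 described in the Microsoft article linked above; the seven-day window and the 160-character message trim are the example’s own choices.

```powershell
# Added example: audit Netlogon secure-channel posture on a domain controller.
# Run in an elevated PowerShell session on each DC after the August 2020 update.

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. Deployment phase (default) or enforcement mode?
#    FullSecureChannelProtection = 1 denies vulnerable connections; absent or 0 leaves
#    non-compliant devices able to authenticate until the February update forces it on.
$mode = (Get-ItemProperty -Path $netlogonKey -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($mode -eq 1) {
    Write-Host 'Enforcement mode: vulnerable Netlogon secure channel connections are denied.'
} else {
    Write-Host 'Deployment phase: non-compliant devices are still allowed to authenticate.'
    Write-Host 'To enforce now, set the value below once the events show no unexpected devices:'
    Write-Host "  Set-ItemProperty -Path '$netlogonKey' -Name FullSecureChannelProtection -Value 1 -Type DWord"
}

# 2. Which devices are still using the vulnerable channel?
#    5829        vulnerable connection allowed (deployment phase)
#    5827 / 5828 vulnerable connection denied (machine account / trust account)
#    5830 / 5831 allowed only because of the Group Policy exception
#                "Domain controller: Allow vulnerable Netlogon secure channel connections"
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-7)   # audit window chosen for this example
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No Netlogon secure-channel events in the last 7 days.'
    return
}

# Summary per event ID, then the individual records so the device names can be read
$events | Group-Object Id | Sort-Object Name |
    ForEach-Object { '{0,6} event(s) with ID {1}' -f $_.Count, $_.Name }

$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ Name = 'Detail'; Expression = {
            $m = $_.Message -replace '\s+', ' '
            $m.Substring(0, [Math]::Min(160, $m.Length))
        } } |
    Format-Table -AutoSize -Wrap
```

Devices that appear in 5829 events are the ones that will stop authenticating when enforcement mode is switched on, so they need updating or an explicit policy exception before February.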

Bottom line: Stay on supported operating systems and keep them patched.