Netlogon: What It Is and Why It's Important
Netlogon is a Windows Server process that allows users and other domain services to be authenticated. Because it is a service rather than an application, Netlogon runs permanently in the background, and it can be terminated intentionally or as a result of a runtime fault.
What Is the NRPC protocol?
The Microsoft Windows Netlogon Remote Protocol (MS-NRPC) is a fundamental Active Directory authentication component that supports both user and machine account authentication. When authenticating computer accounts, MS-NRPC uses an initialization vector (IV) of all zeros in AES-CFB8 mode.
The Netlogon Remote Protocol is a remote procedure call interface that is used on domain-based networks for user and machine authentication purposes.
What Does the Netlogon Service Do?
When responding to network logon requests, the Netlogon service performs the following activities:
- chooses the target domain for logon authentication;
- identifies a domain controller in the target domain to perform the authentication;
- establishes a secure channel of communication between the Netlogon services on the originating and target systems;
- sends an authentication request to the appropriate domain controller;
- returns the authentication results to Netlogon on the originating system.
Netlogon is an important component of pass-through authentication.
Pass-through authentication requires a secure communication channel between the Netlogon services on two systems: the originating, or local, system and a domain controller in the desired domain. Before passing logon information between them, the Netlogon services on each system perform a challenge and challenge-response handshake to confirm the originating system's legitimacy.
How to Start the Netlogon Service?
- Click Start, type “services.msc” in the Start Search box, and then click Services Desktop app.
- Locate and double-click Netlogon, and then click Automatic in the Startup type box.
- Click OK, and then start the Netlogon service.
The Zerologon Vulnerability: What Happened?
The vulnerability tracked as CVE-2020-1472 was dubbed Zerologon. The flaw lies in the cryptography of the logon process: the initialization vector (IV) is always set to all zeros, when an IV should be a random value.
The Common Vulnerability Scoring System (CVSS v3.1) rates this vulnerability at the maximum severity of 10 out of 10, because the weakness stems from a cryptographic bug in Microsoft's Active Directory Netlogon Remote Protocol.
What makes this vulnerability so serious is that MS-NRPC is also used to send account updates. The algorithm originally used to encrypt the logon process in Windows NT was 2DES, which has since been shown to be flawed. MS-NRPC now employs the Advanced Encryption Standard (AES), which is widely regarded as the gold standard in encryption.
Choosing an established, strong algorithm is not enough: the mode of operation and its parameters must also be chosen correctly to achieve suitable strength. MS-NRPC uses an obscure mode called Advanced Encryption Standard – Cipher Feedback 8-bit (AES-CFB8). AES-CFB8 is obscure in the sense that it is not widely used or analyzed.
Unfortunately, the way MS-NRPC uses AES-CFB8 has a problem with the IV: it should be a random value, but it is fixed at 16 bytes of zeros.
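Why a fixed all-zero IV is fatal for AES-CFB8, as an added illustration that is not part of the original post or of Microsoft's code: it writes out the CFB8 chaining on top of a library AES block primitive (assuming the Python `cryptography` package, with PyCryptodome as a fallback) and counts, over constructed test keys, how often an 8-byte all-zero input encrypts to an 8-byte all-zero output with a zero IV versus any other IV.

```python
import hashlib

# AES single-block primitive: assumes the 'cryptography' package (PyCryptodome is
# tried as a fallback). The CFB8 chaining is written out so the IV's role is visible.
try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def make_block_encryptor(key: bytes):
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return lambda block: enc.update(block)
except ImportError:
    from Crypto.Cipher import AES

    def make_block_encryptor(key: bytes):
        return AES.new(key, AES.MODE_ECB).encrypt


def aes_cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """AES-CFB8: encrypt one byte at a time.

    The 16-byte shift register starts as the IV. For each plaintext byte the
    register is AES-encrypted, its first output byte is XORed with the plaintext
    byte, and the resulting ciphertext byte is shifted into the register.
    """
    encrypt_block = make_block_encryptor(key)
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ encrypt_block(bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def count_all_zero_outputs(iv: bytes, trials: int) -> int:
    """Count constructed test keys for which an 8-byte all-zero input encrypts
    to an 8-byte all-zero output under AES-CFB8 with the given IV.

    With iv = 16 zero bytes the register starts all-zero, so whenever the first
    keystream byte is 0x00 (1 key in 256) the ciphertext byte is 0x00, the
    register stays all-zero, and every later byte is 0x00 too. With a random IV
    a zero ciphertext byte does not recreate the starting state, so an all-zero
    8-byte output is a 2^-64 event instead.
    """
    zero_input, hits = bytes(8), 0
    for i in range(trials):
        key = hashlib.sha256(b"constructed-test-key-%d" % i).digest()[:16]  # AES-128 key
        if aes_cfb8_encrypt(key, iv, zero_input) == zero_input:
            hits += 1
    return hits
```

Calling `count_all_zero_outputs(bytes(16), 25600)` returns roughly 100 (about one key in 256), while the same call with a non-zero IV returns 0; a fresh random IV per session is what removes the weakness.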
An attacker could have exploited this vulnerability to gain control of a domain controller, even the root DC, by changing or removing the password of a domain controller service account. The malicious actor could then either cause a denial of service or seize control of the entire network. Microsoft issued a fix for the Zerologon vulnerability (CVE-2020-1472) in August 2020.
Wrapping Up
Our Heimdal™ Patch & Asset Management will handle all software updates and patches within 4 hours of their release, silently, in the background, with no interruptions.
You can set it and forget it, as we like to say, or set a few preferences (like the right to exclude updates from one app or category, or to be asked before applying a patch on all endpoints within your organization, or the possibility to deploy and patch your own custom software through the platform). Make sure you request a demo and give it a try!