“Domain Controller Enforcement mode” will be activated as of 9 February 2021


With the security update of 11 August 2020, Microsoft has addressed a security vulnerability (CVE-2020-1472). The vulnerability has not yet been closed automatically, as compatibility problems may occur. How to close it beforehand is explained in KB article 455722.


Since the gap affects the RPC or Secure RPC connection, it is advisable to check beforehand whether problems will occur and on which systems. Since the August update, corresponding entries are logged in the event log whenever a connection would be blocked in enforcement mode. The update thus comes with an audit mode like the one used by AppLocker or Windows Defender Exploit Guard (formerly EMET).

The matching event IDs are 5827-5831 in the System event log.

Further information, including the group policy settings, can also be found in the KB article.

Microsoft also provides a sample script to analyse exported event log files for these errors.

Alternatively, here is a script of mine that checks the corresponding event IDs on all Active Directory domain controllers in the domain, assuming of course the appropriate permissions and the AD PowerShell module.

Note about program and PowerShell code

The code contained here serves as an example. I do not assume any warranty, guarantee or support for the code or its components. Use the code at your own risk.

I always recommend having a close look at the scripts before using them.

<#
.SYNOPSIS
Checks all Domain Controllers for Event ID 5827-5829 in the System Eventlog

.DESCRIPTION
Checks all Domain Controllers for Event ID 5827-5829 in the System Eventlog. These are the events for connections which will be blocked starting 9 Feb. 2021 due to CVE-2020-1472.

.EXAMPLE
C:\PS> get-CVE20201472Events.ps1

.NOTES
Author     : Fabian Niesen (www.fabian-niesen.de)
Filename   : get-CVE20201472Events.ps1
Requires   : PowerShell Version 3.0
Version    : 1.0
History    : 1.0   FN  17.01.2021  initial version

.LINK
https://www.infrastrukturhelden.de/
#>

Param()

$ErrorActionPreference = "Stop"

# The ActiveDirectory module (RSAT) is required for Get-ADDomainController
try { Import-Module ActiveDirectory } catch { Write-Warning "ActiveDirectory module is missing. Please install it first"; return }

# Enumerate every domain controller of the current domain
$DCs = @(Get-ADDomainController -Filter *)
Write-Output "Found $($DCs.Count) Domain Controllers in Active Directory"
Write-Progress -Activity "Query Eventlogs" -Status "starting" -PercentComplete 0 -Id 1
[int]$i = 0
ForEach ($DC in $DCs)
{
    $i++
    # Progress counts the DCs already finished, so the value always stays within 0..100
    Write-Progress -Activity "Query Eventlogs" -Status "$($DC.HostName)" -PercentComplete ([int]((($i - 1) / $DCs.Count) * 100)) -Id 1
    Write-Output $DC.HostName
    # 5827/5828: vulnerable connection denied (machine/trust account); 5829: vulnerable connection still allowed
    Get-EventLog -ComputerName $DC.HostName -LogName "System" | Where-Object { $_.EventID -in 5827, 5828, 5829 } | Select-Object -First 10
}
Write-Progress -Activity "Query Eventlogs" -Completed -Id 1
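As an added example (not the script above and not Microsoft's sample script), a variant that pulls the full audit range 5827-5831 from every domain controller with Get-WinEvent and summarises one line per affected account and event ID, so the report shows which systems still use a vulnerable Netlogon secure channel. It assumes the RSAT ActiveDirectory module, read access to each DC's System log, and that the account name appears in the event message as "Machine SamAccountName:" or "Trust Name:" as in Microsoft's documented event layout.

```powershell
# Added example (not part of the original script): summarise Netlogon audit events 5827-5831
# from every DC. Assumes the RSAT ActiveDirectory module and read access to each DC's System log.
Import-Module ActiveDirectory
# Event meanings as documented by Microsoft for CVE-2020-1472
$Meaning = @{
    5827 = 'Denied vulnerable connection (machine account)'
    5828 = 'Denied vulnerable connection (trust account)'
    5829 = 'Allowed vulnerable connection (deployment phase, will be denied in enforcement mode)'
    5830 = 'Allowed vulnerable connection (machine account, exempted by group policy)'
    5831 = 'Allowed vulnerable connection (trust account, exempted by group policy)'
}
function Get-AffectedAccount {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Assumption: the account is listed as "Machine SamAccountName:" (5827/5829/5830) or
    # "Trust Name:" (5828/5831) in the message; fall back to the first EventData field.
    if ($Event.Message -match '(?m)^(?:Machine SamAccountName|Trust Name):\s*(\S+)') { return $Matches[1] }
    if ($Event.Properties.Count -gt 0) { return [string]$Event.Properties[0].Value }
    return '<unknown>'
}
# Look back 30 days; the filter is evaluated on the DC, so only matching records cross the wire.
$Filter = @{ LogName = 'System'; Id = 5827, 5828, 5829, 5830, 5831; StartTime = (Get-Date).AddDays(-30) }
$Events = foreach ($DC in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $DC.HostName -FilterHashtable $Filter -ErrorAction Stop |
            ForEach-Object {
                [PSCustomObject]@{
                    DomainController = $DC.HostName
                    EventId          = [int]$_.Id
                    Account          = Get-AffectedAccount $_
                    TimeCreated      = $_.TimeCreated
                }
            }
    } catch {
        # Get-WinEvent throws when no event matches or the DC is unreachable; report and continue.
        Write-Warning "$($DC.HostName): $($_.Exception.Message)"
    }
}

# One line per account and event ID: the systems to fix before enforcement mode is activated.
$Events | Group-Object Account, EventId | ForEach-Object {
    [PSCustomObject]@{
        Account     = $_.Group[0].Account
        EventId     = $_.Group[0].EventId
        Meaning     = $Meaning[$_.Group[0].EventId]
        Occurrences = $_.Count
        LastSeen    = ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated
        Controllers = ($_.Group.DomainController | Sort-Object -Unique) -join ','
    }
} | Sort-Object EventId, Account | Format-Table -AutoSize
```

Accounts listed under 5827, 5828 or 5829 are the ones that need a patched Netlogon client (or, as a last resort, the group policy exception from the KB article) before the enforcement date.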
