Important information for organizations who have Microsoft Windows Server 2008 Domain Controllers or with unsupported systems.
In September of last year, Homeland Security Cybersecurity & Infrastructure Security Department issued an Emergency Directive regarding the Windows Server Netlogon Elevation of Privilege Vulnerability. This vulnerability allows an attacker, who has already compromised a network, to move laterally. Without credentials (username and password), the hacker is able to take over Windows domain controllers via insecure connections.
Systems Engineering clients with managed patching service and monitoring contracts with supported operating systems (Windows server 2012, 2012 R2, 2016, and 2019) received the critical security patch update to address this vulnerability. The update ensures secure connections to domain controllers on all supported operating systems. This patch was phase 1 of a two-part security feature rollout by Microsoft.
On February 9, 2021, Microsoft announced phase 2. This second phase involves the enforcement of secure domain controller connections. Enforcement will be applied with security updates moving forward and accomplished via a system update.
Be advised that once enforcement is applied, older, unsupported operating systems attempting to make insecure connections to their network domain controller may be denied. This means those running end-of-life Windows 2008 server domain controllers on-premises will not receive this critical patch and will remain at high-risk for the CVE-2020-1472 vulnerability.
Course of Action
If you are running an unsupported operating system within your business, here's what you can do:
- Upgrade end-of-life operating systems to a supported operating system.
Upgrading is your most secure, safest option. We can not recommend this course of action strongly enough.
- Purchase Extended Support Update (ESU) licensing to allow older operating systems to receive critical security updates. ESU licensing will allow them to communicate with domain controllers securely.
- This option delays the inevitable and comes with extra costs.
- Control insecure connections to domain controllers with a Group Policy to allow functionality.
This final option comes with considerable risk and is not a long-term fix. Before you move forward, we recommend you investigate and understand the risks and decide if your business is willing to accept them.
Systems Engineering highly discourages customers from utilizing unsupported operating systems. It puts your business's network and its data at serious risk.
Currently, we have not observed significant impact across our customer-base. Clients please note: Work done by Systems Engineering to remediate this issue on any unsupported, outdated systems will be outside contract terms.
Systems Engineering will be reaching out to clients with managed endpoints, servers, and workstations that are at risk due to this new requirement from Microsoft.
If you have questions about this security alert, please reach out to your Account Manager.