August 2020 patch for Netlogon secure channel connections vulnerability - win7 deniced connection

David Moon 581 Reputation points
2020-09-23T06:47:07.133+00:00

Hi All
After applying the August 2020 patch to cover the zerologon vulnerability, i have noticed some Win7's being denied connection with eventid 5827.
I thought all Windows machines will be using secure channel by now. So wondering why i am seeing several win7's showing up in the event logs.
I have even seen one Win10 show up with 5827.

Thanks
DM

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
5,496 questions
{count} votes

Accepted answer
  1. Hannah Xiong 6,276 Reputation points
    2020-09-23T07:33:13.5+00:00

    Hello,

    Thank you so much for posting here.

    Deploy the August 11th updates to all applicable domain controllers (DCs) in the forest, including read-only domain controllers (RODCs). After deploying this update patched DCs will:

    Begin enforcing secure RPC usage for all Windows-based device accounts, trust accounts and all DCs.
    Log event IDs 5827 and 5828 in the System event log, if connections are denied.
    Log event IDs 5830 and 5831 in the System event log, if connections are allowed by "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.

    Event ID 5827 will be logged when a vulnerable Netlogon secure channel connection from a machine account is denied.

    Addressing event IDs 5827 and 5828

    By default, supported versions of Windows that have been fully updated should not be using vulnerable Netlogon secure channel connections. If one of these events is logged in the system event log for a Windows device:

    1.Confirm that the device is running a supported versions of Windows.
    2.Ensure the device is fully updated.
    3.Check to ensure that Domain member: Digitally encrypt or sign secure channel data (always) is set to Enabled.

    For more information, we could refer to:
    https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.