This might help you to understand how the August patch works.
Event IDs 5829-5831 Not Visible in Domain Controller logs after August 2020 Patches
Hello, we have applied the August 2020 patches on our Domain Controllers but do not see any logs with Event ID 5829-5831 since the updates. There is at least one Server 2003 machine (i.e. out of support OS) on our domain which I assume is still using insecure Netlogon but I can't confirm this as I don't see it reflected anywhere in the logs.
My suspicion was that we might have to enable and configure the included GPO: "Domain controller: Allow vulnerable Netlogon secure channel connections", but I don't want to enable it and then "allow" vulnerable connections just to test this.
We also have non-Windows devices on our domain and I'm sure some of them are using insecure Netlogon connections to the DCs. Does anyone know how I can get the results I need in Event Viewer? I would like to be ready for the enforcement phase in February.
Thanks.
- DonPick 1,261 Reputation points
2020-10-03T00:27:10.467+00:00
https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc states in the FAQ section that WS2008 SP1 is not vulnerable as it doesn't use AES for secure RPC.
So it could also be true that WS2003 doesn't use it either, so it's not vulnerable to this? If so, then that's why you're not seeing any events logged? You could use Wireshark, Netmon or Message Analyzer to capture the packets and analyse the cipher in use.
- atekkof 21 Reputation points
2020-10-08T13:01:05.663+00:00
sganesamoorhty-0877 - from the link you posted:
"Will the August 2020 patch affect the non-secure clients?
NO: There is no impact, as this is enforcing secure RPC usage only for Windows-based devices, which is supported natively without any outage unless you have very old legacy Windows operating systems (OS)."
"Windows 2000 and above are not impacted"
That seems to answer the questions about Server 2003, but I do have non-Windows devices running as well. I guess I'm fully patched and I can just dig my head in the sand from here on out.
The "Test-ComputerSecureChannel" cmdlet would be great if it could be run against all machines in a domain without PowerShell remoting to each one. I guess I'll wait until Nessus has a module that can test this.
Thanks a lot for all the help guys.
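The question asks how to see which accounts the DCs are still allowing over an insecure Netlogon channel, and the last answer notes that Test-ComputerSecureChannel cannot be run domain-wide. The DC-side Netlogon events (5827-5831, documented in KB4557222) give that view without touching the clients, so here is an added example (not code from the thread or from Microsoft) that pulls those events from every DC and tallies them per account. It assumes the ActiveDirectory module is installed, that you can read the System log on each DC, and that the event message text carries "SamAccountName:" and "Machine Operating System:" lines (the field names may differ slightly between event IDs, so the regexes fall back to "unknown").

```powershell
# Added example: collect Netlogon secure-channel events 5827-5831 from all DCs.
# Assumes the ActiveDirectory module and remote read access to each DC's System log.
Import-Module ActiveDirectory

# Event IDs from KB4557222: 5827/5828 = connection denied (enforcement),
# 5829 = vulnerable connection allowed during the initial deployment phase,
# 5830/5831 = allowed by the "Allow vulnerable Netlogon secure channel connections" policy.
$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827..5831
    StartTime    = (Get-Date).AddDays(-30)   # look-back window; adjust as needed
}

$dcs = (Get-ADDomainController -Filter *).HostName

$events = foreach ($dc in $dcs) {
    try {
        # -ErrorAction Stop turns the "no events found" condition into a catchable error
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
            # Assumption: the message body contains these labelled lines; fall back to "unknown".
            $acct = if ($_.Message -match 'SamAccountName:\s*(\S+)')             { $Matches[1] } else { 'unknown' }
            $os   = if ($_.Message -match 'Machine Operating System:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }
            [pscustomobject]@{
                DC      = $dc
                Time    = $_.TimeCreated
                EventId = $_.Id
                Account = $acct
                OS      = $os
            }
        }
    }
    catch {
        # No matching events on this DC is normal; anything else is worth surfacing.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

# One row per account/event ID: how often it was seen, what OS it reported, when it was last seen.
$events |
    Group-Object Account, EventId |
    ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Group[0].Account
            EventId  = $_.Group[0].EventId
            Count    = $_.Count
            OS       = $_.Group[0].OS
            LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
            DCs      = ($_.Group.DC | Sort-Object -Unique) -join ','
        }
    } |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

Each event is written only on the DC that served the connection, which is why the script walks every DC rather than one; an empty result means no DC logged a denied or allowed-vulnerable Netlogon connection in the chosen window.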