Zerologon – Restoring security through Patch and Docusnap

Last updated: December 1, 2021

A colourful world with weak points

Threats in IT have existed for as long as IT itself. And since all of us started roaming the World Wide Web, there is hardly anyone who works with computers and has never come into contact with a virus, a Trojan or something similar. The notorious encryption Trojans (ransomware), which encrypt your data and offer to restore the original state for a fee paid in Bitcoin, are probably just as common these days. Or not.

No matter what effects these viruses and Trojans have, they can be anticipated with a little knowledge and some common sense. Anyone who carelessly opens e-mail attachments or hangs around on dubious sites is practically asking for it. Those who exercise care here will hardly expose themselves to such a threat. In addition, Windows now ships with a proper protection mechanism that is kept up to date automatically, called Windows Defender.

Hands up, this is a robbery

It would be convenient if the threats were limited to these kinds. Unfortunately, there are far trickier mechanisms that can cause great damage, especially in today's complex IT environments. And the worst thing is that neither a user nor even the administrator can see the threat coming. The attacker does not announce in advance that they are about to compromise your company and take control.

What is meant here are security gaps that lie dormant in the millions and millions of lines of code in our programs and operating systems. Yes, it is true: many of these security holes are well documented and have usually been closed after being found. Moreover, exploiting these vulnerabilities often only works in the laboratory and is usually tied to very specific preconditions.

But there are also security gaps where things work completely differently. These are dangerous and are not easily detected even by experienced IT security experts. And even if the danger is recognised in good time, a great deal of work is required to close these gaps "completely".

Zerologon – the login without login

To illustrate that this danger is real, we dedicate this blog article to the Zerologon security gap: what it means, how to detect it and how to counter it.

Zerologon (CVE-2020-1472) is a security hole in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC). Due to a flaw in the protocol's authentication (a cryptographic weakness in how the Netlogon session key is used), an attacker who can reach a domain controller over the network can reset the machine account password of that domain controller to an empty value and, from there, take over the entire Active Directory (AD) domain. No domain credentials are required: the attack can be started from any computer that can reach the domain controller, not only from an AD-joined one.

We will not go into more detail at this point. There is more than enough information on the Internet with all the details about this particular security hole. And countless instructions on how outsiders can gain access to an unprotected server have also been circulating for months.

The concern for security

Who does not need to worry a lot?

Yes, "security gap deniers" do exist in the IT industry. Statements such as "we're much too small and uninteresting for the crooks" or "the boss patches us personally, nothing can go wrong" are certainly not being heard for the first time, in one form or another.

In fact, a small company that runs only one server with a competent IT team is relatively secure. Competent means that the people in charge not only take care of smooth day-to-day operations, but also install the necessary updates and security patches on the server(s). Knowledge of security gaps is also part of the core competence of a good IT department. This is also the case with the Zerologon vulnerability: since August 2020, Microsoft has provided a security update for domain controllers that closes the gap for the most part.

Not complicated, but complex

It becomes much more difficult for companies that operate more than just one or two servers. For years, many server operating systems have been run as virtual instances: domain controllers, terminal servers, Exchange (or other mail servers), SQL servers with databases, backup servers. The number of server operating systems in use has grown almost inflationarily in recent years.

On top of this come companies that operate more than one location and run an IT landscape there as well. Although IT is controlled by the central IT department, the locations often have only small support teams that can take over rudimentary tasks such as backups and keeping daily operations running. As a rule, the number of servers to be supported grows with each location. And with every server, the danger increases that it has been overlooked or "put on the back burner". "The server is part of the productive environment and cannot simply be shut down!" There are many excuses or explanations why it has not yet been possible to update.

Someone has to take the rap

However, every company has people who are responsible. One is responsible for fire protection, another for data protection. For every area, somebody carries the responsibility. And the IT manager? He takes the rap when a small server in the branch office in Hinterobertupfing generously shares business data with the outside world.

Now, at the latest, everyone who has a comprehensively documented IT landscape can sit back and relax. And a broad smile is noticeable among those who trust in Docusnap.

We will show you here how easy it is to check the current patch status of all the servers in use with Docusnap 11 and have it evaluated in a report.

With just a few mouse clicks you can find out the current status of all servers and simply set a filter on those servers that are not yet equipped with the necessary security patch.

This makes a complete rollout easy to plan, and no system can be forgotten. So one of the main dangers is already closed. But the real work is only just beginning.

The security update for the Windows servers fixes the flaw in the domain controllers themselves, but another gap that is far from uncritical remains. Since the August 2020 update, domain controllers enforce secure RPC (signed and sealed Netlogon secure channels) for Windows machine accounts, but they still accept Netlogon connections from other devices, such as non-Windows systems, appliances and third-party domain members, without it. This can already be prevented on the server side by switching the domain controllers to enforcement mode, and Microsoft itself has announced that from February 2021 enforcement will be switched on automatically, after which no more vulnerable Netlogon connections to the servers will be possible unless they are explicitly allowed by group policy.

But that doesn't solve the problem either if there are still machines in our organisation that try to connect to the servers insecurely: once enforcement is on, they simply stop working. To find these machines, we need to check the System event log of every domain controller regularly for the Netlogon events 5827 to 5831 (above all 5829, which is logged for every vulnerable connection that is still being allowed). A tedious job, which can be quite time-consuming and error-prone. And as an extra task, this check must be repeated at regular intervals.
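For those who want to see what that check looks like without a reporting tool, here is an added example (written for this article; it is not Docusnap code and not a Microsoft script). It serves both steps described above: it reports for every domain controller whether Netlogon enforcement is already switched on (the FullSecureChannelProtection registry value) and then collects the Netlogon events 5827 to 5831 from the System log, so that the machine accounts still connecting insecurely can be listed. It assumes the domain controllers have the August 2020 update or later (otherwise these events do not exist), that the RSAT ActiveDirectory module is installed where the script runs, and that remote registry and event log access via WinRM is permitted. The assumption that the first event-data field holds the machine SamAccountName is marked in the code and backed by a fallback that parses the message text.

```powershell
# Added example, not Docusnap's or Microsoft's code. Run from a management host
# with the ActiveDirectory module; requires the August 2020+ Netlogon update on
# the DCs and WinRM access to them.
param(
    [int]$Days = 30   # how far back to search the System log
)
Import-Module ActiveDirectory

# Event IDs Microsoft documents for the Netlogon secure channel changes (KB4557222)
$Outcomes = @{
    5827 = 'Denied (machine account)'
    5828 = 'Denied (trust account)'
    5829 = 'Allowed - vulnerable'           # still permitted during the initial deployment phase
    5830 = 'Allowed by policy (machine)'    # listed in the "Allow vulnerable ..." group policy
    5831 = 'Allowed by policy (trust)'
}

function Get-NetlogonEnforcementState {
    param([string]$ComputerName)
    # FullSecureChannelProtection = 1 means the DC already rejects all vulnerable connections
    $value = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
            -ErrorAction SilentlyContinue).FullSecureChannelProtection
    }
    if ($value -eq 1)        { 'Enforced' }
    elseif ($null -eq $value) { 'Not set (OS default applies)' }
    else                      { "Set to $value" }
}

function Get-VulnerableNetlogonConnections {
    param([string]$ComputerName, [datetime]$Since)
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = @($Outcomes.Keys)
        StartTime    = $Since
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Assumption: the first event-data field is the machine SamAccountName, as in
        # Microsoft's event template; fall back to parsing the rendered message text.
        $account = $e.Properties[0].Value
        if (-not $account -and $e.Message -match 'SamAccountName:\s*(\S+)') {
            $account = $Matches[1]
        }
        [pscustomobject]@{
            DomainController = $ComputerName
            TimeCreated      = $e.TimeCreated
            EventId          = $e.Id
            Outcome          = $Outcomes[$e.Id]
            Account          = $account
        }
    }
}

$since  = (Get-Date).AddDays(-$Days)
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$report = foreach ($dc in $dcs) {
    Write-Host ("[{0}] Netlogon enforcement: {1}" -f $dc, (Get-NetlogonEnforcementState -ComputerName $dc))
    Get-VulnerableNetlogonConnections -ComputerName $dc -Since $since
}

# One line per account that is still being let in insecurely: these are the
# devices that will break (or must be fixed) once enforcement is switched on.
$report |
    Where-Object Outcome -like 'Allowed*' |
    Group-Object Account |
    ForEach-Object {
        [pscustomobject]@{
            Account     = $_.Name
            Connections = $_.Count
            LastSeen    = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
            DCs         = ($_.Group.DomainController | Sort-Object -Unique) -join ','
        }
    } |
    Sort-Object Connections -Descending |
    Format-Table -AutoSize
```

The denied events (5827/5828) are included in `$report` as well, so the same run shows which devices have already been cut off after enforcement was enabled; filter on `Outcome -like 'Denied*'` to list them. Because 5829 is only written while a domain controller is still in the initial deployment phase, an empty "Allowed" list on a DC that reports "Enforced" is expected, not proof that nothing ever connected insecurely.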

You have probably guessed it already. Instead of naming a lucky person for each branch office who continuously sifts through the server logs, we will show you how quickly and conveniently we can track down the problem devices with Docusnap.

Once again, Docusnap collects all relevant data centrally and presents it as a generated report with the current data. With the help of this information, all insecure connections can then be investigated and shut down.

The best comes last

Apart from the actual rollout of security updates and patches, finding vulnerable and insecure systems with Docusnap takes less time than reading this blog post.

Those who already have experience with Docusnap know that all relevant data is already waiting in a database in the background to be evaluated. In its current version 11, Docusnap provides ready-to-use templates that mercilessly point out these security holes across the entire company network.

Only the closing of the gaps, i.e. applying the patches and establishing secure connections, has to be done by ourselves or at least commissioned by us.