Zerologon Needs More Than a Patch: How Federal IT Teams can Remediate This Vulnerability

12.21.2020 | Egon Rinderer, Global Vice President and Federal Chief Technology Officer, Tanium

The Zerologon vulnerability that spurred a rare emergency order by the Cybersecurity and Infrastructure Security Agency (CISA) continues to pose a threat – specifically to the federal civilian executive branch. 

CISA requires all federal agencies to immediately apply the Windows Server August 2020 security update or disconnect from federal networks. The software update Netlogon EoP – or Zerologon – mitigates a critical vulnerability in the Windows Netlogon Remote Protocol server interface. Netlogon allows devices to authenticate to the domain controller (DC) and update their password in the Active Directory (AD). Netlogon is designed for maintaining relationships between members of domains and the DC, or between multiple DC locations. This is the first of two updates Microsoft has planned to address the vulnerability. 

Zerologon impacts on federal systems

Zerologon is perhaps one of the most significant vulnerabilities to hit in a long time. In recent articles in Cyber Defense Magazine and Defense Systems, I discuss the roadblocks of closing the Zerologon vulnerability and outline steps federal IT teams can take to determine the current risk level.

It is routine for federal systems to go through patches and software updates to improve security vulnerabilities cybercriminals may exploit. While software vendors release critical patches with the intent of protecting the organizations, sometimes the patch unintentionally creates other network issues.

In the case of Zerologon, Microsoft knew there would be compatibility issues before the launch, which explains the complexity in the response and guidance. Since an agency’s active directory rarely, if ever, gets rebuilt or replaced, a skilled cybercriminal could gain long-term, full administrative persistence inside the network – without anyone knowing.

A long-term plan for cyber defense

Zerologon isn’t an issue you can simply patch. Remediation requires multiple steps and repeated validation. Meanwhile, tactics by cybercriminals are evolving daily – so it’s critical to routinely update systems to prevent breaches.

To fix vulnerabilities within Zerologon, agencies with the patch should turn to Microsoft guidance and update their infrastructure.

Agencies that use Microsoft Windows are better served by taking a holistic risk management approach, using comprehensive, accurate, and real-time data from a single source to reduce risk and improve security. By aligning security and operations teams on Tanium’s unified endpoint management and security platform, agencies can break down the data silos and close the visibility and resiliency gaps between teams. It’s time to demand that solutions do more to perform ongoing, real-time assessment.

A unified endpoint management platform gives agencies end-to-end visibility across DCs, end-users, servers, and cloud endpoints. You’ll then have the ability to identify assets, protect systems, detect threats, respond to attacks, and recover at scale.


To read the full articles, visit Cyber Defense Magazine and Defense Systems. Watch how Tanium can help agencies remediate the Zerologon vulnerability.