Netlogon is a security process in Microsoft Windows Server. It authenticates users and devices in a domain. When a user tries to access a network, Netlogon confirms the identity of that user and grants permission to access it. Netlogon is a process rather than an application, so it always runs in the background unless someone intentionally turns it off or a runtime error stops it.
What Activities Does the Netlogon Service Perform on Your PC
The Netlogon service performs the following activities when someone sends a network logon request:
- For login authentication, Netlogon selects the target domain.
- It identifies a domain controller to authenticate against in the target domain.
- It secures the channel between the Domain Controller (DC) and the client, creating a secure channel over which the authentication packets pass.
- The appropriate DC receives the authentication request through Netlogon.
- The client gets the original authentication result through Netlogon.
- Netlogon is an important component for pass-through authentication.
How to Start Netlogon Service on Windows 10
- Type “services” in the Start search box and open Services.
- Find Netlogon and double-click to open its properties.
- Click Start to start the Netlogon service and then click OK.
What is the Vulnerability of Netlogon?
The domain of the devices that Netlogon admits remains exposed. The Active Directory Forest (ADF) is also exposed to attackers, which creates a serious security risk. An attacker uses the MS-NRPC protocol to establish a vulnerable Netlogon channel and gain an advantage over the system.
The Netlogon vulnerability named Zerologon, also known as CVE-2020-1472, was rated 10 out of 10 by the Common Vulnerability Scoring System (CVSS). The weakness comes from a cryptography bug in Microsoft’s Active Directory Netlogon Remote Protocol.
What are the Security Recommendations for Netlogon?
You are recommended to use a third-party device to deploy updates as expediently as possible in the forest, rather than using Netlogon, to prevent threats and vulnerabilities. To do this, go to the Netlogon UI path and ensure “Domain controller: Allow vulnerable Netlogon secure channel connections” is set to Not Configured.
Netlogon UI Path
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Allow vulnerable Netlogon secure channel connections.
Set the policy at the UI path as prescribed, then check the registry key below.
Netlogon Registry Path
You will not be able to find the registry key “VulnerableChannelAllowList” at the registry location if the group policy is set as prescribed.
Frequently Asked Questions
What is a non-compliant device?
A device that uses a vulnerable Netlogon secure channel connection is non-compliant.
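As an added illustration (not part of the original article), this sketch finds non-compliant devices from the Netlogon events that a patched domain controller logs for vulnerable secure channel connections. The event IDs 5827 to 5831 come from Microsoft's guidance for CVE-2020-1472, not from this page; the record shape and account names are constructed assumptions.

```python
from collections import Counter, defaultdict

# Netlogon event IDs written to a domain controller's System log once the
# CVE-2020-1472 updates are installed (per Microsoft's guidance for the fix).
EVENT_CLASS = {
    5827: "denied",                # vulnerable connection denied, machine account
    5828: "denied",                # vulnerable connection denied, trust account
    5829: "allowed_not_enforced",  # allowed because enforcement is not active yet
    5830: "allowed_by_policy",     # allowed by the group policy, machine account
    5831: "allowed_by_policy",     # allowed by the group policy, trust account
}

def triage(events):
    """Count vulnerable-channel events per account, grouped by DC decision.

    Each event is a dict with 'event_id' and 'account' keys: a simplified,
    hypothetical export shape, not the real event record layout.
    """
    report = defaultdict(Counter)
    for ev in events:
        decision = EVENT_CLASS.get(ev["event_id"])
        if decision is None:
            continue  # unrelated event, ignore it
        report[decision][ev["account"].upper()] += 1
    return {decision: dict(counts) for decision, counts in report.items()}

def non_compliant_accounts(report):
    """Every account that attempted a vulnerable secure channel connection."""
    return sorted({acct for counts in report.values() for acct in counts})

def policy_exceptions(report):
    """Accounts let through by the 'Allow vulnerable ...' policy; expected to
    be empty when that policy is left Not Configured."""
    return sorted(report.get("allowed_by_policy", {}))

# Constructed sample events (account names are made up for illustration).
SAMPLE_EVENTS = [
    {"event_id": 5829, "account": "print01$"},
    {"event_id": 5829, "account": "PRINT01$"},
    {"event_id": 5827, "account": "nas-legacy$"},
    {"event_id": 5830, "account": "scanner7$"},
    {"event_id": 7036, "account": "n/a"},  # unrelated service event
]

if __name__ == "__main__":
    rep = triage(SAMPLE_EVENTS)
    print("non-compliant:", non_compliant_accounts(rep))
    print("allowed by policy:", policy_exceptions(rep))
```

Any account returned by `policy_exceptions` means the "Allow vulnerable Netlogon secure channel connections" policy is configured, which is the state the recommendation above says to avoid.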
Where is the Netlogon folder?
No Netlogon folder can be found on local storage. You can only find the shared folder, which contains the group policy logon scripts and other executable files.
You can find Netlogon at the following path:
Does LDAP use Netlogon?
The LDAP schema does not mention any Netlogon attributes.
Does Windows 10 have CVE-2020-1472?
CVE-2020-1472 is ranked critical (10/10) under CVSSv3. The flaw is still present in most supported versions of Windows Server, from 2008 to 2019.
Netlogon is mandatory for authenticating users and services and for maintaining a secure channel between computers. Its main functions are verifying NTLM logon requests, locating registers and authenticating the domain controller during logon.