Netlogon Service is a Microsoft Windows Server process used to validate or authenticate users and devices in a domain. It is used to confirm the user's identity on any particular network that the user is trying to access. Netlogon is a process, not an application, therefore it is continuously running in the background. It can be stopped either manually or by some runtime error.
The following post will cover:
- Netlogon service in domain controllers
- Netlogon vulnerability
- Netlogon security recommendations
- Netlogon UI path
- Netlogon registry
- Netlogon default value
- Netlogon Service Use for Communication in Active Directory Domain Controllers
- Netlogon Service - Verification of NTLM
- Netlogon Registration of Domain Controllers Records in the DNS
Netlogon Service in Domain Controllers:
Netlogon Service settings dictate whether the DC (Domain Controller) bypasses secure RPC for Netlogon secure channel connections for the specific user accounts.
These settings should be applied across all domain controllers in a forest which can be achieved by enabling the policy on the domain controller's organizational unit.
When Netlogon is configured, you'll need to Create a Vulnerable List:
- When the permission is set to 'allowed', the DC will allow accounts to use Netlogon Secure Channel without secure RPC.
- When the permission is 'denied', the DC will require a secure RPC to be used by the accounts to use Netlogon Secure Channel.
Devices that are joined using the domain are exposed to attacks when Netlogon is enabled. In addition, the Active Directory Forest is also exposed to security risks. Attackers can establish a vulnerable Netlogon channel using the MS-NRPC protocol to elevate their privileges in the system.
Netlogon Security Recommendations:
The recommendation is not to use Netlogon to prevent oneself from potential vulnerabilities and threats. This policy should only be used by 3rd party devices in the forest to deploy updates as expedient.
The Center for Internet Security recommends the following: Ensure ‘Domain controller: Allow vulnerable Netlogon secure channel connections’ is set to ‘Not Configured’
The recommended configuration can be manifested through Group Policy or hardening automation tools. For this purpose, set Netlogon UI path to "Not Configured":
Netlogon UI Path:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Allow vulnerable Netlogon secure channel connections
Make sure that the above-mentioned UI path is set as prescribed. The group policy is backed by the below mentioned "Registry Key":
Netlogon Registry Settings:
If the group policy is set as prescribed then registry key "VulnerableChannelAllowList" will not be present in the above-mentioned registry location.
Netlogon Default Value:
By default, Netlogon is set to Not Configured. No user accounts or machines are unambiguously excepted from secure RPC with the connection's enforcement of Netlogon secure channel.
Netlogon Service Use for Communication in Active Directory Domain Controllers:
Netlogon Service is present in every Windows NT Workstation, Server, and Domain Controller. Netlogon service is accountable for the communication between systems whenever there is a logon request, a request for domain synchronization, and when a request to promote BDC (Backup Domain Controller) to PDC (Primary Domain Controller) is received. Netlogon Service conducts a number of tasks while servicing logon requests, some of them are mentioned below:
- Selecting a target domain for logon authentication
- Identifying the domain controller in the target domain to perform authentication
- Creating a secure channel for communication in Netlogon Services between the cradle and the target systems
- Passing the authentication request to identified Domain Controller
- Returning the authentication results to the Netlogon Service on the cradle system
Netlogon Service - Verification of NTLM:
Netlogon service is used in verifying New Technology Lan Manager (NTLM) logon requests. It locates, registers, and authenticates Domain Controllers when logging on.
Netlogon Registration of Domain Controllers Records in the DNS:
The registration of SRV records, CNAME, and DC records in the DNS are performed by Netlogon Service. This advertises the availability of Domain Controllers in the domain.
- Netlogon Service stores the SRV records in C:\Windows\System32\Config\NetLogon.DNS
- The SRV records are registered every 24 hours depending on the OS (Operating System) version using the Netlogon Service.
- Netlogon registers the SRV records of sites where there is no DC, also known as Site Coverage.