Netlogon Service Configuration in Active Directory

Netlogon Service Configuration in Active Directory and Member Servers

By John Gates

December 9th, 2021

Netlogon Service:

Netlogon Service is a Microsoft Windows Server process used to validate or authenticate users and devices in a domain. It is used to confirm the user's identity on any particular network that the user is trying to access. Netlogon is a process, not an application, therefore it is continuously running in the background. It can be stopped either manually or by some runtime error.

The following post will cover:

Netlogon service in domain controllers
Netlogon vulnerability
Netlogon security recommendations
Netlogon UI path
Netlogon registry
Netlogon default value
Netlogon Service Use for Communication in Active Directory Domain Controllers
Netlogon Service - Verification of NTLM
Netlogon Registration of Domain Controllers Records in the DNS

Netlogon Service in Domain Controllers:

Netlogon Service settings dictate whether the DC (Domain Controller) bypasses secure RPC for Netlogon secure channel connections for the specific user accounts.

These settings should be applied across all domain controllers in a forest which can be achieved by enabling the policy on the domain controller's organizational unit.

When Netlogon is configured, you'll need to Create a Vulnerable List:

When the permission is set to 'allowed', the DC will allow accounts to use Netlogon Secure Channel without secure RPC.
When the permission is 'denied', the DC will require a secure RPC to be used by the accounts to use Netlogon Secure Channel.

Netlogon Vulnerability:

Devices that are joined using the domain are exposed to attacks when Netlogon is enabled. In addition, the Active Directory Forest is also exposed to security risks. Attackers can establish a vulnerable Netlogon channel using the MS-NRPC protocol to elevate their privileges in the system.

Netlogon Security Recommendations:

The recommendation is not to use Netlogon to prevent oneself from potential vulnerabilities and threats. This policy should only be used by 3^rd party devices in the forest to deploy updates as expedient.

The Center for Internet Security recommends the following: Ensure ‘Domain controller: Allow vulnerable Netlogon secure channel connections’ is set to ‘Not Configured’

Hardening Tools 101

The recommended configuration can be manifested through Group Policy or hardening automation tools. For this purpose, set Netlogon UI path to "Not Configured":

Netlogon UI Path:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Allow vulnerable Netlogon secure channel connections

Make sure that the above-mentioned UI path is set as prescribed. The group policy is backed by the below mentioned "Registry Key":

Netlogon Registry Settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters:VulnerableChannelAllowList

If the group policy is set as prescribed then registry key "VulnerableChannelAllowList" will not be present in the above-mentioned registry location.

Netlogon Default Value:

By default, Netlogon is set to Not Configured. No user accounts or machines are unambiguously excepted from secure RPC with the connection's enforcement of Netlogon secure channel.

Netlogon Service Use for Communication in Active Directory Domain Controllers:

Netlogon Service is present in every Windows NT Workstation, Server, and Domain Controller. Netlogon service is accountable for the communication between systems whenever there is a logon request, a request for domain synchronization, and when a request to promote BDC (Backup Domain Controller) to PDC (Primary Domain Controller) is received. Netlogon Service conducts a number of tasks while servicing logon requests, some of them are mentioned below:

Selecting a target domain for logon authentication
Identifying the domain controller in the target domain to perform authentication
Creating a secure channel for communication in Netlogon Services between the cradle and the target systems
Passing the authentication request to identified Domain Controller
Returning the authentication results to the Netlogon Service on the cradle system

Netlogon Service - Verification of NTLM:

Netlogon service is used in verifying New Technology Lan Manager (NTLM) logon requests. It locates, registers, and authenticates Domain Controllers when logging on.

NTLM Vulnerabilities Review

Netlogon Registration of Domain Controllers Records in the DNS:

The registration of SRV records, CNAME, and DC records in the DNS are performed by Netlogon Service. This advertises the availability of Domain Controllers in the domain.

Netlogon Service stores the SRV records in C:\Windows\System32\Config\NetLogon.DNS
The SRV records are registered every 24 hours depending on the OS (Operating System) version using the Netlogon Service.
Netlogon registers the SRV records of sites where there is no DC, also known as Site Coverage.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.