Knowledgebase: You experience Warnings with EventID 5829 on Domain Controllers

Windows Server

In Microsoft-oriented networking infrastructures, your Active Directory Domain Controllers may suddenly experience high number of Warning events in the System log in Event Viewer (eventvwr.exe) with EventID 5829.

 

The cause

Microsoft has added this event by design to warn Active Directory administrators of vulnerable Netlogon connections, in terms of CVE-2020-1472. The eventID was added with the August 11, 2020 cumulative update, rollup update and security-only updates for all supported versions of Windows Server.

 

About CVE-2020-1472

A critical elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to an Active Directory Domain Controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a Domain Controller to obtain domain administrator access.

The vulnerability applies to all supported versions of Windows Server:

  1. Windows Server 2008 R2
  2. Windows Serer 2012
  3. Windows Server 2012 R2
  4. Windows Server 2016
  5. Windows Server 2019
  6. Windows Server, version 1903
  7. Windows Server, version 1909
  8. Windows Server, version 2004

Note:
Both Full Installations and Server Core installations of Windows Server are affected by CVE-2020-1472.

The vulnerability was responsibly disclosed to Microsoft by Tom Tervoort of Secura.

 

About EventID 5829

In the August 11th, 2020 cumulative update for Windows Server, Microsoft has added five new EventIDs to notify Active Directory administrators of vulnerable Netlogon connections:

  • EventID 5827 and EventID 5828
    These EventIDs signal denied Netlogon connections. These EventID trigger if vulnerable Netlogon connections are denied.
  • EventID 5829
    EventID 5829 triggers whenever a vulnerable Netlogon secure channel connection is allowed in the timeframe between applying the August 11th, 2020 cumulative update and applying the February 9th, 2021 cumulative update.
  • EventID 5830 and EventID 5831
    EventID 5830 and EventID 5831 are triggered when vulnerable Netlogon connections are allowed by the "Domain controller: Allow vulnerable Netlogon secure channel connections" Group Policy setting.

Microsoft is addressing the vulnerability in a phased two-part rollout. The August 11th, 2020 update and the February 9th, 2021 update address the CVE-2020-1472 vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.

 

How to solve events with EventID 5829

There are two ways to solve the events in the System Log with EventID 5829:

  1. Update the device, service and/or appliance that sets up the vulnerable Netlogon connection to support secure RPC with Netlogon secure channel. For Windows-based devices, this means updating them with the latest Windows Updates.
    Check to ensure that the Domain member: Digitally encrypt or sign secure channel data (always) Group Policy setting is set to Enabled.
  2. Use the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy to add non-compliant accounts. This should only be considered a short-term remedy until non-compliant devices are addressed as described above.

Note:
The deadline for solving events with EventID 5829 is February 9th, 2021, as the February 9th, 2021 cumulative update will deny the vulnerable Netlogon connections associated with the Warnings with EventID 5829.

 

Further reading

CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability
How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472
[MS-NRPC]: Netlogon Remote Protocol 

2 Responses to Knowledgebase: You experience Warnings with EventID 5829 on Domain Controllers

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.