Detecting the Windows domain controller vulnerability? (CVE-2020-1472)
Specifically, this part:
Deploy the August 11th updates to all applicable domain controllers (DCs) in the forest, including read-only domain controllers (RODCs). After deploying this update, patched DCs will:
- Begin enforcing secure RPC usage for all Windows-based device accounts, trust accounts and all DCs.
- Log event IDs 5827 and 5828 in the System event log, if connections are denied.
- Log event IDs 5830 and 5831 in the System event log, if connections are allowed by "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.
- Log event ID 5829 in the System event log whenever a vulnerable Netlogon secure channel connection is allowed. These events should be addressed before the DC enforcement mode is configured or before the enforcement phase starts on February 9, 2021.
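
One way to look for the events listed above on every DC, as an added example that is not part of the original post or of the quoted guidance. It assumes the ActiveDirectory RSAT module and remote read access to each DC's System log; the seven-day look-back window is an arbitrary choice.

```powershell
# Added example: sweep every DC's System log for Netlogon event IDs 5827-5831.
# Assumption: ActiveDirectory module installed, caller may read remote event logs.
Import-Module ActiveDirectory

# Meaning of each ID, as stated in the quoted guidance
$meaning = @{
    5827 = 'Connection denied'
    5828 = 'Connection denied'
    5829 = 'Vulnerable connection allowed (address before enforcement)'
    5830 = 'Allowed by group policy'
    5831 = 'Allowed by group policy'
}
$since = (Get-Date).AddDays(-7)   # constructed look-back window, adjust as needed

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName   = 'System'
            Id        = 5827..5831
            StartTime = $since
        } | ForEach-Object {
            [pscustomobject]@{
                DC      = $dc.HostName
                Time    = $_.TimeCreated
                Id      = $_.Id
                Meaning = $meaning[$_.Id]
                Message = $_.Message
            }
        }
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; that is the clean
        # result, so only warn when the DC could not actually be queried.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        }
    }
}

# Per-DC, per-ID counts, then the full text of every 5829 event
$results | Group-Object DC, Id | Sort-Object Count -Descending | Select-Object Count, Name
$results | Where-Object Id -eq 5829 | Sort-Object Time | Format-List DC, Time, Meaning, Message
```

A DC that produces a warning was not checked, so an empty result from the remaining DCs does not cover it.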