ZeroLogon Registry Check

Check Registry For ZeroLogon Vuln Status

Description

This procedure checks to see if machines have had the Microsoft patch installed to protect machines from the ZeroLogon exploit.
Microsoft have release a number of patches that address this issue - August Cumulative update, September Cumulative update, August Security Only Update and so on.
This agent procedure checks for the existence of a specific registry key - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection
Regardless of the patch type that is installed, this key is created by the patch that addresses this issue.
This agent procedure will update a custom field called "zeroLogonVuln" with 4 possible options

"Vulnerable" - The registry key does not exist, so the machine has not received any patch that addresses this issue
"Patched - 0" - The registry key was found, and currently has the value 0
"Patched - 1" - The registry key was found, and currently has the value 1
"Unsupported OS" - If the agent is not a Windows OS, you will see this message.

Microsoft is releasing this patch as 2 parts, the first part is to create the registry key and set the value to 0. They aim to then release a later patch, currently targetted for February 2021, which will set this value to "1".
Further information can be found here - https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

The procedure will also create an Agent Procedure Log entry, starting with "zeroLogonResult: ".

Using the Custom Field, you can filter machines in the interface and use the agent procedure log entry to report.

NB. This procedure makes no changes to the endpoint - it simply reads a registry value - there are no files to be delivered or modifications to the endpoint.

Developer
  • Name: Kaseya Automation Team
  • Company: Kaseya
  • Website: http://www.kaseya.com
  • Contact Developer
  • Summary
  • ZeroLogon Registry Check
  • 103 Downloads
  • Version:
  • Initially Released September 17th, 2020
  • Reviews

    ZeroLogon Registry Check has no reviews.

    Discussion
    Gravatar for Paul Mirano
    Paul Mirano 7 months ago

    Importing the XML doesn't work.  It shows "File not Uploaded."

    Gravatar for Burton Steele
    Burton Steele 7 months ago

    Running this returns errors "Failed THEN in step 5 line 13" when running it. 

    Gravatar for Eugene Lim
    Eugene Lim 7 months ago

    @Burton Steele

    Please create a Custom Field called "zeroLogonVuln" as type "String" and the the Agent Procedure shall work.