Event ID 5827 Netlogon - 34,000 times in the last MONTH


Jonathan Raper

Feb 3, 2021, 9:57:09 AM
to ntsys...@googlegroups.com
So I get a call from a client who says scanning from an MFP failed after running updates in early January. Thinking they had somehow borked SMB, I check that, it’s on. I ask about the credentials, and they swear they haven’t changed. I try to browse to the destination server and get a Trust Relationship error....ok, that could be an issue....

I check the file server logs and it has a few hundred entries of Event ID 3210 with source Netlogon stating that it could not authenticate to either DC....dating back to Sept 27, which is (not surprisingly) when the update Rollup that addresses that CVE I mention below was installed on both DCs....(KB4566425).

Then I go to the event logs of both of the DCs (2012R2), and they are both FILLED with Event ID 5827 with source Netlogon.

I’ll be honest and say I had forgotten about this one, (CVE-2020-1472) but I know M$ is switching to enforcement phase starting Feb 9....


But 34,000 events in 45 days?!? Has anyone else seen this? They don’t have very many workstations....less than 50....so the number of events was quite unexpected....

Thanks,

Jonboy


Kurt Buff, GSEC/GCIH/PCIP

Feb 3, 2021, 10:16:36 AM
to ntsys...@googlegroups.com
Sounds like their machines are banging away multiple times per minute - don't know how/when to quit.

Kurt


Charles F Sullivan

Feb 3, 2021, 10:52:52 AM
to ntsys...@googlegroups.com
When I monitor for the 5827 events, I'll get hugely disproportionate numbers of them across machines. My responsibility is to inform the people who support the machines that they either need to upgrade, patch or reimage to resolve the issue. I know...getting people to act on it is another matter.

I would just concentrate my efforts on getting the issue resolved. (It's possible that you have machines banging away on the network because they are unpatched and thus compromised, but who knows?)



--
Charlie Sullivan
Principal Windows Systems Administrator
Boston College
197 Foster St. Room 367
Brighton, MA 02135
617-552-4318
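A way to see which machine accounts are behind the 5827 events Charles monitors for, as an added example (not code posted by anyone in this thread): it reads the System log on each DC, pulls the machine name and OS out of the event text, and counts per machine. The "Machine SamAccountName:" and "Machine Operating System:" labels matched below are assumed to follow the documented 5827 message format.

```powershell
# Added example: count Netlogon event 5827 (vulnerable secure-channel connection
# denied) per machine account across one or more DCs. Not code from this thread.
param(
    [string[]]$DomainController = @('localhost'),
    [int]$Days = 45
)

$since = (Get-Date).AddDays(-$Days)

$rows = foreach ($dc in $DomainController) {
    # 5827 is logged by source NETLOGON in the System log of the DC that refused
    # the connection; -ErrorAction hides the "no events found" error on quiet DCs.
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'System'
        Id        = 5827
        StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Assumption: the message text carries "Machine SamAccountName:" and
        # "Machine Operating System:" lines, as in the documented 5827 format.
        $name = if ($e.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { 'unknown' }
        $os   = if ($e.Message -match 'Machine Operating System:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }
        [pscustomobject]@{ DC = $dc; Machine = $name; OS = $os; Time = $e.TimeCreated }
    }
}

# Noisiest machines first: these are the unpatched (or mis-configured) members
# that need patching, reimaging, or a deliberate GPO exemption.
$rows | Group-Object Machine | Sort-Object Count -Descending |
    Select-Object @{ n = 'Machine'; e = { $_.Name } },
                  Count,
                  @{ n = 'OS';    e = { ($_.Group | Select-Object -First 1).OS } },
                  @{ n = 'DCs';   e = { ($_.Group.DC | Sort-Object -Unique) -join ',' } },
                  @{ n = 'First'; e = { ($_.Group.Time | Measure-Object -Minimum).Minimum } },
                  @{ n = 'Last';  e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Run it from a DC (or pass both DCs with -DomainController) and a handful of machines with thousands of hits each, rather than 50 machines with a few each, is the pattern to expect from a single misbehaving member.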

Jonathan Raper

Feb 4, 2021, 1:15:04 AM
to ntsys...@googlegroups.com
So this was fun....

Turns out that at some point someone apparently thought it would be a good idea to completely disable multiple settings in both the Default Domain Policy and the Default Domain Controller Policy. *facepalm*

After reverting to defaults, most of the errors seem to be clearing up.

One 2012 R2 member server (which also happens to be a Hyper-V host) doesn’t seem to want to play nice, though. I’ve tried resetting the machine account password, and even disjoin/reboot/rejoin/reboot, all to no avail. When it comes up it generates an Event 5827 on whichever DC it happens to hit, and a 3210 on itself stating that it could not authenticate with the DC....

I’m pulling my hair out on this one. Anyone got any ideas?

Thanks,

Jonboy



don.l....@gmail.com

Feb 4, 2021, 3:27:04 AM
to ntsys...@googlegroups.com
> When it comes up it generates an Event 5827 on whichever DC it happens to hit, and a 3210 on itself stating that it could not authenticate with the DC....

5827 = connection refused. Your options are: patch the client/member, or exempt the client/member (by setting the GPO and applying it to all DCs).

If it’s WS2012R2, there’s gotta be missing patches, right? Unless the client/member has been configured/locked to not-secure:
https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always

DonP

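One way to check, on the member server itself, the secure-channel settings Don's link refers to, as an added example that was not posted in the thread: it reads the Netlogon registry values the "Domain member:" policy settings write and flags any set below the hardened value. The value names are the documented Netlogon\Parameters entries; treating 1 as the wanted value for each is an assumption about what "reverted to defaults" should produce.

```powershell
# Added example: audit the Netlogon secure-channel values on a member server.
# These registry values are what the "Domain member: ..." policy settings write.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Hardened value for each setting (assumption: 1 = enabled is what you want after
# reverting the Default Domain Policy to its defaults).
$expected = [ordered]@{
    RequireSignOrSeal = 1   # Digitally encrypt or sign secure channel data (always)
    SealSecureChannel = 1   # Digitally encrypt secure channel data (when possible)
    SignSecureChannel = 1   # Digitally sign secure channel data (when possible)
    RequireStrongKey  = 1   # Require strong (Windows 2000 or later) session key
}

$props = Get-ItemProperty -Path $path
$weak = 0
foreach ($name in $expected.Keys) {
    $actual = $props.$name
    if ($null -eq $actual) { $state = 'not set (default applies)' }
    elseif ($actual -eq $expected[$name]) { $state = 'OK' }
    else { $state = "WEAK (value $actual)"; $weak++ }
    '{0,-20} {1}' -f $name, $state
}
if ($weak) { Write-Warning "$weak secure-channel setting(s) weakened; check GPO before blaming patches." }

# On a DC, the separate FullSecureChannelProtection value (1 = enforce) is what
# Microsoft's enforcement phase for CVE-2020-1472 turns on; it is not a member setting.
```

A WEAK line on a member that is fully patched points at policy (the situation this thread ended up in) rather than at missing updates.
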
Jonathan Raper

Feb 4, 2021, 12:33:59 PM
to ntsys...@googlegroups.com
Thanks Don - that was what I was thinking, but the system appeared to be fully patched.

I then looked again at the Default Policies (right AFTER I sent that last email)....

Somehow the settings reverted. Maybe a gremlin, maybe I didn’t commit them, or maybe I overwrote them when I was doing a stew and compare....but I corrected them, ran a couple of GPUpdate refreshes, and the 5827 events seem to have stopped altogether.

As a friend of mine said to me....

“Fixing multiple issues..... by correcting somebody else's change.... that didn't make any sense [to begin with]”

GO FIGURE!

Thanks,

Jonboy



Philip Elder

Feb 4, 2021, 1:18:38 PM
to ntsys...@googlegroups.com
Workgroup it. If you have a lot of them, then put DCs in the parent partition and configure a dedicated ADDS/DNS for the hosts outside of the production network.

That leaves you Share Nothing Live Migration and Kerberos based replication if you want it. It also presents a security barrier between production and infrastructure where the backup server should also reside that could save your bacon if someone clicks something they shouldn’t.

Philip Elder MCTS
Senior Technical Architect
Microsoft High Availability MVP
E-mail: Phili...@MPECSInc.Ca
Phone: (780) 458-2028
www.CommodityClusters.Com
Twitter: MPECSInc
Skype: MPECS Inc.

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.

Klaus Hartnegg

Feb 11, 2021, 2:46:44 PM
to ntsys...@googlegroups.com
On 03.02.2021 at 15:57, Jonathan Raper wrote:
> So I get a call from a client who says scanning from an MFP failed after
> running updates in early January.

The best solution for such devices is usually to switch from SMB to
SMTP: configure them to send emails instead of saving on the server.

This is more secure (unpatchable systems should not know SMB passwords),
better for privacy (everybody gets the scan in their own email, not in a
shared directory), and there is no need to frequently clean up that
shared directory.