Security News > 2020 > September > DHS Orders Federal Agencies to Immediately Patch 'Zerologon' Vulnerability
The Department of Homeland Security on Friday issued an Emergency Directive that requires federal agencies to install fixes for a Netlogon elevation of privilege vulnerability for which Microsoft released patches in August 2020.
In its Emergency Directive 20-04, the DHS's Cybersecurity and Infrastructure Security Agency warns all federal agencies that applying Microsoft's patches is the only available mitigation for this critical vulnerability, aside from removing affected domain controllers from the environment.
Agencies are required to apply the Windows Server August 2020 security update to all domain controllers by Monday, September 21, 2020, at 11:59 PM EDT. In addition to installing the August 2020 patches, agencies are also required to ensure that even newly provisioned or previously disconnected domain controller servers have the updates before they are connected to agency networks.
CISA recommends that agencies use their vulnerability scanning tools along with additional means to ensure that the necessary patches have been deployed.
"These requirements apply to Windows Servers with the Active Directory domain controller role in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information," CISA says.