This security setting determines whether the domain controller bypasses secure RPC for Netlogon secure channel connections for specified machine accounts. When deployed, this policy should be applied to all domain controllers in a forest by enabling the policy on the domain controllers OU. When the Create Vulnerable Connections list (allow list) is configured: - Given allow permission, the domain controller will allow accounts to use a Netlogon secure channel without secure RPC. - Given deny permission, the domain controller will require accounts to use a Netlogon secure channel with secure RPC which is the same as the default (not necessary). Fix: (1) GPO: Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsDomain controller: Allow vulnerable Netlogon secure channel connections (2) REG: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetlogonParameters:VulnerableChannelAllowList

[Security Descriptor]

(1) GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Allow vulnerable Netlogon secure channel connections (2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters!VulnerableChannelAllowList