Group Policy Preferences Security Hazards

Domain machines periodically reach out and authenticate to the Domain Controller utilizing the Domain credentials of the logged-in user (these can be, and often are, unprivileged accounts) and pull down policies.  These policies can make all sorts of configuration changes to machines, to include:

  • Start Menu Items
  • Network Drive Mapping
  • Registry Settings
  • Printer Configuration

SYSVOL

SYSVOL is a domain-wide file-share in Active Directory to which all authenticated users have access .

SYSVOL contains logon scripts and other domain-wide data which needs to be available anywhere there is a DC.  SYSVOL is automatically synchronized in order to share across DCs.

All domain Group Policies are stored here: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\

Credential Storage in SYSVOL – Then and Now

Old Storage Method (Prior to windows 2007) – If local admin passwords are also assigned through group policies, then the local admin password is stored in plain-text, typically in a .vbs custom script that is used to change local administrator passwords.  This custom script is most often also stored in SYSVOL. Every domain user has read access to SYSVOL – and hence to this vbs script containing a password in plain text.

New Storage Method – When a new GPP is created, an associated XML file is also created in SYSVOL for all the relevant configuration data. Even if a password is provided in the file, it should be AES-256 bit encrypted which is strong enough.

What went wrong?

At some point prior to 2012, Microsoft published the AES private key on MSDN which can be used to decrypt the password. Since authenticated users (any domain user or users in a trusted domain) have read access to SYSVOL, anyone in the domain can search the SYSVOL share for XML files containing “cpassword” which is the value that contains the AES encrypted password.

The Workaround to keeping the passwords protected – The GPP Credential Patch (KB2962486)

In order to protect against read-only access to pwds in GPP, Microsoft released a patch for all systems that administer Group Policy using the Remote Server Administration Tools (RSAT). This patch allows admins to control password policies without putting password data into a GPP.

  • Install KB2962486 on every computer used to manage GPP.
  • This should disallow any new credentials being placed in Group Policy Preferences.
  • Delete all existing GPP xml files in SYSVOL that may contain passwords.

Summary

GPP has, in the past, allowed hackers to get local admin passwords on domain joined boxes.  With a new patch, one doesn’t need to maintain local admin passwords in the GPP.  This avoids any hacking attempts into SYSVOL.

Specializing in high volume web and cloud application architecture, Anuj Varma’s customer base includes Fortune 100 companies (dell.com, British Petroleum, Schlumberger).
Anuj also offers a 1-day ‘technology crash course’ focused on cloud technologies for executives.
For Anuj’s specialized one-on-one executive seminars, visit ExecutiveTechnologySeminars
All content on this site is original and owned by anujvarma.com.

Anuj Varma – who has written posts on Anuj Varma, Technology Architect.


Leave a Reply

Your email address will not be published. Required fields are marked *