Group Policy Preferences Could Allow for Elevation of Privilege
If you are using GPO Preferences to distribute passwords across your domain, you could be allowing a hacker to be able to retrieve those passwords. Passwords are stored as part of the GPO and can be retrieved and decrypted by an attacker. These passwords are stored in the GPO as the CPassword attribute.
For instructor-led Windows Server 2012 Training, see our class schedule.
The following Group Policy Preferences allowed an administrator to distribute passwords:
- Map Drives
- Local Users and Groups
- Scheduled Tasks
- Services and
- Data Sources
This vulnerability is fully explained in Microsoft Security Bulleting MS14-025. The link to the article is Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486). To prevent an administrator from inadvertently setting a password with GPO Preferences apply the updates linked in the article.
Once the updates are applied when an administrator opens one of the preferences mentioned above the following dialog box will appear.
If an administrator clicks into the User Account field or Password field in the preference the following dialog box will appear.
For more information on CPasswords check out the following article, MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege.
If administrators have been deploying passwords with GPO Preferences there is a PowerShell Script included in the above article to help locate those GPOs.
User names and passwords can still be configured using PowerShell scripts when this situation is required.
Until next time, RIDE SAFE!
Rick Trader
Windows Server Instructor – Interface Technical Training
Phoenix, AZ
A Simple Introduction to Cisco CML2
Mark Jacob, Cisco Instructor, presents an introduction to Cisco Modeling Labs 2.0 or CML2.0, an upgrade to Cisco’s VIRL Personal Edition. Mark demonstrates Terminal Emulator access to console, as well as console access from within the CML2.0 product. Hello, I’m Mark Jacob, a Cisco Instructor and Network Instructor at Interface Technical Training. I’ve been using … Continue reading A Simple Introduction to Cisco CML2
Government Edition – Encrypting a USB Flash Drive in Windows 10
In this video, Security Instructor Mike Danseglio demonstrates how to use BitLocker in Window 10 to secure files on a USB Flash drive that adhere to stricter data protection requirements as found inside Government entities. BitLocker 2-day instructor-led training is now available at Interface: BITLOCK: Planning and Deploying BitLocker Drive Encryption Training Video Transcription: Hi. … Continue reading Government Edition – Encrypting a USB Flash Drive in Windows 10
Configuring Windows Mobility Center and How to Turn it On and Off
Video transcription Steve Fullmer: In our Windows training courses, we often share information about the Windows 8.1 Mobility Center. Mobility Center was introduced for mobile and laptop devices in Windows 7. It’s present and somewhat enhanced in Windows 8. Since we don’t have mobile devices in our classrooms, I decided to take a little bit … Continue reading Configuring Windows Mobility Center and How to Turn it On and Off
Write a Comment
