Disrupt attackers: Mitigate Microsoft Group Policy Preferences (GPP) vulnerability

Below is a resilience recommendation that our customers have implemented recently, to start you on the path toward security improvement.


Risk:
If your organization uses Group Policy Preferences to perform actions with stored credentials, you are exposed to credential theft as soon as any machine in the domain is compromised, because those credentials are readable by every domain user. This can significantly reduce the time it takes attackers to reach their goals.

Details:
In an Active Directory environment, Group Policy Preferences provide an automated way to use explicit credentials for tasks such as creating scheduled tasks, configuring services, mapping drives, deploying printers or data sources, and changing local user passwords on domain assets. When a preference item is created, its configuration, including any supplied credential, is written to an XML file (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Printers.xml or Drives.xml) inside the GPO's folder on the domain-wide SYSVOL share. The password is stored in the cpassword attribute, encrypted with AES-256, but the key is a fixed value that Microsoft published in its own documentation, so to an attacker the value is no different from a plaintext password. Because every authenticated user can read SYSVOL, any domain user, or any user in a trusted domain, can collect these credentials and quickly escalate privileges.

Impact:
HIGH

Mitigate:

  1. Install Microsoft update KB2962486 (security bulletin MS14-025) on every machine used to manage Group Policy Objects (GPOs): domain controllers and any workstation or server with the Group Policy Management Console installed. After the update the password fields in the preference editor are disabled, so no new credentials can be stored, but existing ones are not removed!

  2. Find and delete every existing GPP XML file that contains a cpassword attribute under the domain-wide SYSVOL share, or remove the preference item from its GPO in the Group Policy Management Console so the GPO no longer carries it. Treat every password found this way as compromised and change it on the affected accounts; anyone with SYSVOL access could already have decrypted it.
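As an added example (not code from the original post or its author), the PowerShell script below scans a SYSVOL Policies tree for the GPP XML files named above, reports every item that carries a cpassword attribute, and checks whether KB2962486 is installed on the machine running it. The Groups.xml it writes to the temp folder is constructed for the demonstration, and its cpassword value is a placeholder rather than a real encrypted password; the function names Find-GppCredential and Test-GppPatch are my own.

```powershell
# Added example, not code from the original post or its author.
# Audits Group Policy Preferences XML files for the cpassword attribute and
# checks whether KB2962486 (MS14-025) is installed on the local machine.
# Assumptions: the caller can read SYSVOL (any domain user can); the sample
# data written below is constructed and only exists so the script runs offline.

function Find-GppCredential {
    param(
        # Root to scan; defaults to the Policies folder of the current domain's SYSVOL.
        [string]$Path = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )
    # Preference item types that can carry a stored credential.
    $names = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
             'DataSources.xml', 'Printers.xml', 'Drives.xml'

    Get-ChildItem -Path $Path -Recurse -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw
            # Every credential-bearing item keeps the encrypted password in the
            # cpassword attribute of its Properties element.
            foreach ($props in $doc.SelectNodes('//Properties[@cpassword]')) {
                # The account attribute differs per item type (userName, accountName, runAs).
                $account = @($props.userName, $props.accountName, $props.runAs) |
                           Where-Object { $_ } | Select-Object -First 1
                # The GPO GUID is the folder name directly under Policies.
                $guid = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '' }
                [pscustomobject]@{
                    GpoGuid   = $guid
                    File      = $file.FullName
                    Account   = $account
                    HasSecret = $props.cpassword.Length -gt 0
                }
            }
        }
}

function Test-GppPatch {
    # KB2962486 disables the password fields in the GPP editor on this machine.
    [bool](Get-HotFix -Id 'KB2962486' -ErrorAction SilentlyContinue)
}

# Offline demonstration against a constructed Policies tree in the temp folder.
$root   = Join-Path ([IO.Path]::GetTempPath()) 'gpp-demo'
$sample = Join-Path $root '{A1B2C3D4-0000-4000-8000-000000000001}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
# Constructed Groups.xml: the cpassword value is a placeholder, not real ciphertext.
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" changed="2019-01-01 00:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER_BASE64_VALUE" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $sample 'Groups.xml') -Encoding UTF8

Find-GppCredential -Path $root | Format-Table -AutoSize

# Real audit: scan the live SYSVOL and report this machine's patch state.
# Find-GppCredential | Format-Table -AutoSize
# "KB2962486 installed: $(Test-GppPatch)"
```

Run Find-GppCredential with no arguments from any domain-joined machine to audit the live SYSVOL. Each row with HasSecret set to True names an account whose password must be changed, and the GpoGuid column identifies the GPO to clean up (Get-GPO -Guid from the GroupPolicy module resolves it to a display name). Run Test-GppPatch on every machine where GPOs are edited, not just on domain controllers.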

To learn more about Group Policy Preferences vulnerabilities, check out: https://adsecurity.org/?p=2288



What is resilience?

Resilience is our way of making you better even when there aren’t any security incidents.

At its core, resilience consists of recommendations that describe:

  • A specific security risk

  • The potential impact, and

  • The steps to mitigate it

Resilience recommendations do one of two things – disrupt attackers or enable defenders. Recommendations that disrupt attackers prevent threats from successfully performing their intended goal, while recommendations that enable defenders allow your team (including us) to respond more effectively when they do.

Resilience recommendations cover a broad spectrum of security content from Windows settings that reduce the exposure of plain text credentials in-memory to specific configurations for getting the most out of your firewall or endpoint detection and response (EDR) solution.

Learn how to disrupt attackers and enable defenders using resilience on the exe blog.

 
