Below is a resilience recommendation our customers have implemented recently to start you off on the path towards security improvement.

Risk: HIGH

If your organization is using Group Policy preferences to perform actions using stored credentials, you may be susceptible to credential theft in the event any machine in the domain becomes compromised. This can significantly reduce the time it takes for attackers to achieve their goals.

Details:

In an Active Directory environment, Group Policy preferences provide an automated way to use explicit credentials for things like scheduling tasks, updating services, printer configurations or changing local user passwords on domain assets. When a GPP is created, a corresponding XML file is generated with configuration data (including any provided credentials) on the domain-wide share, SYSVOL. Passwords in the configuration files are encrypted, but the private key is well-known and documented, which makes them no different from plain-text credentials for malicious actors. That means any domain user, or any user in a trusted domain, who can access SYSVOL can read these credentials and quickly escalate privileges.

Mitigate:

1. Install Microsoft patch KB2962486 on all machines that manage Group Policy Objects (GPOs). This prevents new credentials from being placed in Group Policy Preferences (but does not remove existing ones)!
2. Delete any existing GPP XML files containing passwords from the domain-wide share, SYSVOL.

To learn more about Group Policy Preferences vulnerabilities, check out: https://adsecurity.org/?p=2288

What is resilience?

Resilience is our way of making you better even when there aren't any security incidents. At its core, resilience is comprised of recommendations that describe:

- A specific security risk
- The potential impact, and
- The steps to mitigate it

Resilience recommendations do one of two things: disrupt attackers or enable defenders. Recommendations that disrupt attackers prevent threats from successfully performing their intended goal, while recommendations that enable defenders allow your team (including us) to respond more effectively when they do. Resilience recommendations cover a broad spectrum of security content, from Windows settings that reduce the exposure of plain-text credentials in memory to specific configurations for getting the most out of your firewall or endpoint detection and response (EDR) solution. Learn how to disrupt attackers and enable defenders using resilience on the exe blog.
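The second mitigation step above (delete any GPP XML files in SYSVOL that still contain passwords) needs an inventory first. The script below is an added example, not code from the original recommendation: it walks a SYSVOL Policies tree, opens the preference files that can carry a cpassword attribute (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Printers.xml, Drives.xml) and reports every item whose Properties element holds a non-empty cpassword, together with the account it belongs to. It only detects; it does not decrypt anything, because knowing that a credential is stored at all is enough to act on. The SYSVOL path passed to scan_sysvol and the sample XML documents in SAMPLES are constructed for illustration.

```python
"""Scan Group Policy Preference (GPP) XML files for stored credentials.

Added example, not code from the original recommendation. The SYSVOL path
passed to scan_sysvol() and the sample XML documents in SAMPLES are
constructed for illustration; the file names and attribute names
(cpassword, userName, runAs, accountName) are the ones real GPP XML uses.
"""
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# GPP preference files that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}


def find_cpasswords(xml_text: str, source: str) -> List[Dict[str, str]]:
    """Return one finding per preference item whose <Properties> holds a non-empty cpassword."""
    findings: List[Dict[str, str]] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return findings  # malformed file: report nothing rather than abort the whole scan
    for item in root.iter():            # e.g. <User>, <Task>, <NTService>, <Drive>
        for props in item:              # the <Properties> child carries the attributes
            if props.attrib.get("cpassword", ""):   # cpassword="" means no credential stored
                account = (props.attrib.get("userName")
                           or props.attrib.get("runAs")
                           or props.attrib.get("accountName")
                           or item.attrib.get("name", ""))
                findings.append({"file": source, "item": item.tag, "account": account})
    return findings


def scan_sysvol(sysvol_root: str) -> List[Dict[str, str]]:
    """Walk a SYSVOL Policies tree and collect findings from every GPP file in it."""
    results: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig", errors="replace") as fh:
                    results.extend(find_cpasswords(fh.read(), path))
    return results


# Constructed samples in the shape of real GPP XML (attribute subset only).
SAMPLES = {
    "Groups.xml": (
        '<Groups><User name="LocalAdmin">'
        '<Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED_CPASSWORD_VALUE"/>'
        '</User></Groups>'
    ),
    "ScheduledTasks.xml": (
        '<ScheduledTasks><Task name="NightlyBackup">'
        '<Properties action="C" runAs="EXAMPLE\\svc_backup" cpassword="CONSTRUCTED_CPASSWORD_VALUE"/>'
        '</Task></ScheduledTasks>'
    ),
    "Drives.xml": (  # mapped drive with no stored credential: must not be reported
        '<Drives><Drive name="H:">'
        '<Properties action="U" path="\\\\fileserver\\home" userName="" cpassword=""/>'
        '</Drive></Drives>'
    ),
}


def demo_findings() -> List[Dict[str, str]]:
    """Run the scanner over the constructed samples instead of a live SYSVOL share."""
    results: List[Dict[str, str]] = []
    for name, xml_text in SAMPLES.items():
        results.extend(find_cpasswords(xml_text, name))
    return results


if __name__ == "__main__":
    # Against a real domain you would call scan_sysvol(r"\\<domain>\SYSVOL\<domain>\Policies").
    for hit in demo_findings():
        print(f"{hit['file']}: <{hit['item']}> stores a credential for {hit['account']!r}")
```

Run it once before and once after the cleanup: an empty result after deleting the flagged files confirms step 2 is complete, and running it on a schedule catches any preference re-created with a password on a machine that missed KB2962486. Items whose cpassword attribute is empty are deliberately ignored, since that is how a preference with no stored credential looks.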