An update released with this month’s Patch Tuesday changes the behavior of Group Policy Preferences. The change is a security fix in nature, but mostly it keeps administrators from setting themselves up for failure.
The problem the update addresses comes from the Group Policy Preferences that allow you to store credentials. GPPs can be used to create or modify local user accounts, map network drives, or configure other settings that run as a specific user account, and the password for that account is stored with the preference item in the GPO.
If an attacker is able to get access to the SYSVOL share (which is readable by all authenticated users, so a malicious or spear-phished employee will have access to it) and obtain the AES encryption key used to encrypt and decrypt passwords set with GPP (which we document on MSDN; the key is the same in every deployment, so anyone can look it up), the attacker will be able to recover the credentials set with GPP.
In short, one compromised domain user account can expose every credential stored in Group Policy Preferences. Unfortunately, some organizations use domain admin credentials in a GPP, so the whole organization is compromised. Even worse, it is a fairly simple and common attack.
Microsoft has observed that Group Policy Preferences abuse is one of the most common tactics used by attackers to elevate permissions in a domain. Multiple toolkits used by attackers, such as Metasploit and PowerSploit, provide easy-to-use methods for retrieving and decrypting GPP passwords.
As a result, Microsoft released an update to address this. After the update, existing GPOs that contain account credentials can no longer be modified, and new GPOs containing account credentials can no longer be created. The existing GPOs are not automatically disabled, because that could seriously affect an organization’s operations. This also means that preference items with stored passwords remain in SYSVOL, and remain readable, until administrators remove them and change the affected passwords.
Along with the update, Microsoft has provided two PowerShell scripts. One is an alternative way to set local administrator passwords on remote systems. The other can be run on a domain controller to detect GPOs that store account credentials in Group Policy Preferences.
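As an added example (not one of Microsoft’s two scripts, and not code from the original post), the PowerShell below does what the detection script is described as doing: it walks the SYSVOL Policies folder, finds the preference XML files that carry an encrypted password, and reports the GPO, setting type and account for each. With -Decrypt it also recovers the password using the AES key Microsoft documents on MSDN in the MS-GPPREF protocol specification, which is exactly what the attacker toolkits named above do. The function names Find-GPPCredential and ConvertFrom-GPPCpassword are hypothetical, the default path assumes the current domain’s SYSVOL share via the USERDNSDOMAIN environment variable, and the six file names are the preference types that can store a password.

```powershell
# Added example, not one of the Microsoft scripts referenced in this post.
# Finds Group Policy Preferences items with a stored password ("cpassword"
# attribute) under SYSVOL\Policies and reports the GPO, setting and account.
# With -Decrypt it recovers the password using the AES key Microsoft publishes
# in MS-GPPREF; the key is the same in every domain and is not a secret.

function ConvertFrom-GPPCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)

    # GPP writes the base64 ciphertext without its trailing '=' padding; restore it.
    $padded = $Cpassword + ('=' * ((4 - ($Cpassword.Length % 4)) % 4))
    $cipher = [Convert]::FromBase64String($padded)

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    # 32-byte AES-256 key from MS-GPPREF section 2.2.1.1.4; the IV is 16 zero bytes.
    $aes.Key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                        0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
    $aes.IV  = New-Object byte[] 16

    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    # The plaintext is the UTF-16LE password string.
    [System.Text.Encoding]::Unicode.GetString($plain)
}

function Find-GPPCredential {
    param(
        # Assumed default: the Policies folder of the current domain's SYSVOL share.
        [string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies",
        [switch]$Decrypt
    )

    # The six preference types that can store a password, and the attribute names
    # those types use for the account the password belongs to.
    $gppFiles = @(
        'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
        'DataSources.xml', 'Printers.xml', 'Drives.xml'
    )
    $accountAttrs = @('userName', 'accountName', 'runAs', 'username')

    Get-ChildItem -Path $PoliciesPath -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $gppFiles -contains $_.Name } |
        ForEach-Object {
            $file = $_
            # Policies\{GUID}\... : the GUID folder identifies the GPO.
            $gpoGuid = if ($file.FullName -match '\\Policies\\(\{[0-9A-Fa-f-]+\})\\') { $Matches[1] } else { 'unknown' }
            $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw)

            # Every <Properties> element that carries a cpassword attribute is a hit.
            foreach ($props in $xml.SelectNodes('//*[@cpassword]')) {
                $account = $accountAttrs | ForEach-Object { $props.GetAttribute($_) } |
                           Where-Object { $_ } | Select-Object -First 1
                $secret = if ($Decrypt) { ConvertFrom-GPPCpassword $props.GetAttribute('cpassword') } else { '<encrypted>' }
                [pscustomobject]@{
                    GpoGuid  = $gpoGuid
                    Setting  = $props.ParentNode.LocalName
                    Account  = $account
                    Password = $secret
                    File     = $file.FullName
                }
            }
        }
}

# Usage: inventory every preference item with a stored password, then decrypt to
# know which account passwords must be rotated once the items are removed.
Find-GPPCredential | Format-Table -AutoSize
Find-GPPCredential -Decrypt | Format-Table -AutoSize
```

Nothing here needs elevated rights: an ordinary authenticated domain user can read SYSVOL and the key is public, which is the whole problem the update addresses. Because the update does not remove existing items, treat every hit as a credential that is already exposed: delete the preference item and change the password of the account it names.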
To read more about this update and obtain a copy of those scripts, see these pages for more details: