{"id":384,"date":"2013-07-03T16:00:39","date_gmt":"2013-07-03T20:00:39","guid":{"rendered":"http:\/\/adsecurity.org\/?p=384"},"modified":"2016-01-02T18:11:40","modified_gmt":"2016-01-02T23:11:40","slug":"using-group-policy-preferences-for-password-management-bad-idea","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=384","title":{"rendered":"Using Group Policy Preferences for Password Management = Bad Idea"},"content":{"rendered":"

Using Group Policy Preferences for Password Management = Bad Idea OR \u201cHow to Get Your Network Owned in Several Simple Steps\u201d<\/strong><\/h4>\n

One of my customers recently needed to change the local administrator password on several hundred Windows 7 workstations and was trying to determine the best method: PowerShell script or Group Policy Preferences.<\/p>\n

The easy answer is to use Group Policy Preferences since it has a built-in mechanism for changing\/managing local computer passwords. The problem is that while the password in Group Policy Preferences is encrypted using AES 256, the private key for the encryption is posted on MSDN<\/a>. This means that Group Policy Preferences is vulnerable to password exposure.<\/p>\n

Since the private key for this data is well known, using Group Policy Preferences to manage local computer passwords means these passwords are vulnerable to discovery. Since the Group Policy Preference data is stored in an XML file in SYSVOL (such as drives.xml, groups.xml, printers.xml, etc), all authenticated users in the domain has read access (they have to in order to apply Group Policy). This means that any authenticated user can open the Group Policy Preference XML file with the encrypted password and decrypt it using the AES key posted on MSDN<\/a>. This AES key is part of every Windows computer that is Group Policy Preferences capable (native support in Windows 7 and newer; Windows Vista with an install; and Windows XP SP 2 & Windows 2003 SP1 with a patch, KB943729<\/a>) in order for the computers to decrypt the password and use it. If the Group Policy Preference requires a password to be entered, it is stored in an XML file in SYSVOL. Despite the fact that the password is AES 256-bit encrypted (and base 64 encoded with padding if necessary<\/a>), it is not secure<\/strong>. Microsoft does not recommend storing passwords in Group Policy Preferences (blog post linked below) and Windows Server 2012 displays a message with a similar warning.<\/p>\n

Windows Server 2012 Group Policy Preference password Warning:<\/p>\n

\"Windows2012-GPP-password-warning\"<\/a><\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

More information on how Group Policy Preferences are attacked is in the post “Finding Passwords in SYSVOL & Exploiting Group Policy Preferences<\/a>“.<\/i><\/p>\n

Here\u2019s a sample groups.xml file from SYSVOL representing a Group Policy using Group Policy Preferences to add a new user to computers in the linked OU.<\/p>\n

<?xml version=\u201d1.0\u2033 encoding=\u201dutf-8\u2033?>
\n<Groups clsid=\u201d{3125E937-EB16-4b4c-9934-544FC6D24D26}\u201d>
\n<User clsid=\u201d{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}\u201d name=\u201dLocalTestUser\u201d image=\u201d0\u2033 changed=\u201d2013-07-04 00:07:13\u2033 uid=\u201d{47F24835-4B58-4C48-A749-5747EAC84669}\u201d>
\n<Properties action=\u201dC\u201d fullName=\u201d\u201d description=\u201d\u201d cpassword=\u201dsFWOJZOU7bJICaqvmd+KAEN0o4RcpxxMLWnK7s7zgNR+JiJwoSa+DLU3kAIdXc1WW5NKrIjIe9MIdBuJHvqFgbcNS873bDK2nbQBqpydkjbsPXV0HRPpQ96phie6N9tn4NF3KYyswokkDnj8gvuyZBXqoG94ML8M1Iq7\/jhe37eHJiZGyi5IBoPuCfKpurj2\u2033<\/strong> changeLogon=\u201d0\u2033 noChange=\u201d0\u2033 neverExpires=\u201d0\u2033 acctDisabled=\u201d0\u2033 userName=\u201dLocalTestUser\u201d\/>
\n<\/User>
\n<\/Groups><\/p>\n

cpassword<\/strong> above represents the encrypted password and I was able to browse to and save this file from SYSVOL with a regular domain user account. All that is left to do is to perform a Base64 unencode, then decrypt using the MSDN AES key.<\/p>\n

Here\u2019s the 32-byte AES key used to encrypt ALL Group Policy Preferences passwords in any domain:<\/p>\n

\n
4e 99 06 e8  fc b6 6c c9  fa f4 93 10  62 0f fe e8\r\nf4 96 e8 06  cc 05 79 90  20 9b 09 a4  33 b6 6c 1b<\/pre>\n<\/blockquote>\n
The problem is that since the AES encryption (and decryption) key is known (and posted publicly on MSDN <\/a>and here), Group Policy Preferences can\u2019t be considered a secure method for changing passwords.<\/strong><\/p>\n
The Microsoft Group Policy Blog<\/a> posted about the potential issues in 2009<\/a>:<\/p>\n
Are passwords in preference items secure?<\/strong>
\n<\/b>A password in a preference item is stored in SYSVOL in the GPO containing that preference item. To obscure the password from casual users, it is not stored as clear text in the XML source code of the preference item. However, the password is not secured. Because the password is stored in SYSVOL, all authenticated users have read access to it. Additionally, it can be read by the client in transit if the user has the necessary permissions.<\/p>\n
Because passwords in preference items are not secured, we recommend that you carefully consider the security ramifications when deciding whether to store passwords in preference items. If you choose to use this feature, we recommend that you consider creating dedicated accounts for use with it and that you do not store administrative passwords in preference items.<\/p>\n
Where can you use passwords?<\/strong>
\n<\/b>You can use passwords in the following types of preference items:<\/p>\n