In this blog, we will explore one of the more severe vulnerabilities we see on an internal penetration test: setting the local administrator password via GPO. Group Policy Objects (GPO) are used to push configuration items down to machines in an Active Directory environment. GPOs are really useful tools to make sure that systems are configured the same and hardened appropriately. Vulnerabilities have been discovered with some of the ways IT administrators use GPOs and these issues can provide an attacker with a path to escalate their privileges on your network. Let’s look at one of the ways GPOs can cause issues.
The Danger of Setting Local Administrator Password Via GPO
Setting the local administrator account via GPO essentially allows any user on the network to recover that password. First, because every system and account needs to be able to read the group policies, any authenticated user can request and download these files. This also means that once an attacker successfully gains access to a single valid user account, say through a password spraying attack, they can connect to the SYSVOL share of the domain controller and pull down the group policies.
Once the policies and startup scripts are downloaded, the next thing an attacker will do is to search for the term cpassword. The cpassword is the encrypted version of this password using AES encryption. However, Microsoft published the AES private key which can be used to decrypt this value, giving you the cleartext password.
Once an attacker has this cleartext password, it can be used wherever this group policy is applied (which in many cases is every workstation, at least). As an attacker, this means I can go to the HR department’s computers and look for sensitive information about employees. I can go to the accounting department to look for sensitive files regarding potential acquisitions. And because I have the local administrator account, I can log in with complete control of each machine and view/modify any file. Additionally, I can install tools as an administrator, such as a key logger. If I am a financially motivated attacker, I can use this access to spread ransomware across all networked machines. If my ultimate goal is to gain domain administrator permissions, I will likely use a tool like mimikatz as a next step to dump the contents of memory, which can include cleartext passwords of logged in users. If I use the local administrator account to gain access to IT workstations or severs, I am likely only one step away from domain administrator permissions.
Mitigating the Risk
Simply put, to minimize the risks associated with setting the local administrator password via GPO, don’t do it. Instead use the free local administrator password solution (LAPS) tool Microsoft provides to set the local administrator account. Using this tool, you can set a unique, strong, random local administrator password on every system in your network.