Windows 8.1 and Windows Server 2012 R2 Administrative Templates (ADMX)

Microsoft has just released the Administrative Templates (ADMX/ADML) files that allow you to configure the newest Group Policy Administrative Template settings for Windows 8.1 and Windows Server 2012 R2 on down-level operating systems. To be clear, this just enables you to edit the Group Policy objects on a down-level computer; it does not make them apply there.

To install both of these administrative templates, simply install them on the computer from which you edit the GPOs. The GPOs you edit from that computer will then be automatically upgraded the next time you open them via the GP Editor.

This might seem fairly handy if you manage your Group Policy objects from a Windows 7 computer. However, as always, it is still “BEST PRACTICE” (yes, I said the “B” word) to edit Group Policy Objects from the most recent OS in your environment.

Note: Also remember that the Internet Explorer 11 administrative templates were also recently made available.

Internet Explorer 11 ADMX http://www.microsoft.com/en-us/download/details.aspx?id=40905

Windows 8.1 ADMX http://www.microsoft.com/en-US/download/details.aspx?id=41193

Why Passwords in Group Policy Preference are VERY BAD


A long time ago I did a blog post explaining how to use the Group Policy Preferences Local Users setting to manage the password of local accounts. This post explained how to do it in a way that minimised the exposure of the password in Active Directory (see How to use Group Policy Preferences to change account Passwords) to anyone who knew what they were doing.

At least as far back as 2009 (and certainly earlier) it was well known that the password was only weakly encrypted and as such could easily be reversed to recover the password. However, for a long time this was much better than the alternative, as a lot of administrators would otherwise revert to using scripts that had the password stored in clear text.

Update: Microsoft has now released MS14-025 which explicitly blocks the configuration of passwords in Group Policy Preferences. See more about this at Group Policy Preferences Password Behaviour Change – MS14-025

Microsoft has also gone to extensive lengths over the years to warn users about the risks of using passwords in Group Policy Preferences:

1. Via blog posts at Passwords in Group Policy Preferences (updated)

A password in a preference item is stored in SYSVOL in the GPO containing that preference item. To obscure the password from casual users, it is not stored as clear text in the XML source code of the preference item. However, the password is not secured. Because the password is stored in SYSVOL, all authenticated users have read access to it. Additionally, it can be read by the client in transit if the user has the necessary permissions.

2. When you look up the Local Users Group Policy Preferences warning it says this…


3. And when you actually configure the password you are warned again before setting the password.


So how weakly encrypted is the cpassword?

The cpassword is the field in the Group Policy Preferences XML configuration file that contains the password. As it is an XML file, it is very easy to find the field by simply looking at the contents of the XML files stored in your SYSVOL.


AND….

Microsoft documents the key that is used to encrypt/decrypt the password (AES with a 32-byte key, which is VERY WEAK here because the key is fixed and public). If you would like to see the key for yourself it can be found in the official technical specification at http://msdn.microsoft.com/en-us/library/cc232587.aspx or… in the modified screenshot provided below (yes, that is the ACTUAL key used to encrypt passwords in Group Policy).


Now you might be thinking that it is absurd that Microsoft is publishing the key used to encrypt the password; however, due to the DOJ settlement with Microsoft back in 2001, Microsoft is required to document its application programming interfaces for third-party companies. This means that Microsoft is compelled to document this information…

And now for the REALLY BAD NEWS….

Since June 11th 2012 there has been a Group Policy Preferences Password module in Metasploit that allows you to scan your Active Directory and discover all the uses of passwords saved in it (see description below).

This module enumerates the victim machine’s domain controller and connects to it via SMB. It then looks for Group Policy Preference XML files containing local user accounts and passwords and decrypts them using Microsoft's public AES key. Tested on WinXP SP3 Client and Win2k8 R2 DC.

Reference: https://www.rapid7.com/db/modules/post/windows/gather/credentials/gpp

So what does this really mean?

Any user that has the Metasploit tool installed on their computer and has an account on your domain can scan your Active Directory and decrypt the stored value of a password in a Group Policy Preference. Of course, once they have the password of the account they can probably use that account, which quite often has elevated privileges…

What Group Policy Preferences are affected ?

While in this post I have focused on the Local Users account password option, this is not the only location where you can save a password. In fact there are five separate locations in Group Policy Preferences where a save-password option can be found.

  • Local User preference items
  • Data Source preference items
  • Mapped Drive preference items
  • Scheduled Task or Immediate Task preference items
  • Service preference items

Update: How do I know where I have this password configured?

Darren Mar-Elia at SDM Software has now written a PowerShell script that allows you to identify all the locations in your domain where a Group Policy Preference password exists. Check it out at http://sdmsoftware.com/group-policy-blog/tips-tricks/getting-rid-of-passwords-in-group-policy-preferences/

Should I blame Microsoft for this security issue?

In my opinion, no. This security risk has been in Group Policy Preferences ever since Microsoft bought PolicyMaker. They have also documented the risks associated with using this option a number of times (see above). Security is also an ever-changing field, and at the time even a weakly encrypted password was better than what most IT administrators otherwise did to do the same task.

So what do I do?

Firstly… stop configuring any new passwords in Group Policy Preferences.

Then find all the XML files stored in your SYSVOL (yes, there will be a LOT). Open the XML files, find any that have a configured cpassword value, and remove it, either using the Group Policy Preferences UI or by just deleting the value out of the XML manually. Once this is done the password value is null, which removes the value from Active Directory and mitigates the risk.
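The two steps above (finding every place a Group Policy Preference password is configured, and then removing the cpassword value) can be done with one script. The following is an added example written for this page; it is not the post's own code and it is not Darren Mar-Elia's SDM Software script. It walks the Policies folder of the domain's SYSVOL share, looks only at the five preference XML files that can carry a saved password, reports each item that has a cpassword attribute, and, when run with -Remove, strips that attribute after saving a .bak copy of the file. It assumes the current user can read SYSVOL (any authenticated user can, which is the whole problem) and, for -Remove, can write to it; the parameter names $Domain and -Remove are this example's own.

```powershell
# Added example (not the post's or SDM Software's script): audit SYSVOL for Group Policy
# Preference items that carry a cpassword attribute and, with -Remove, strip it.
# Assumptions: the current user can read \\<domain>\SYSVOL and, for -Remove, write to it.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # domain whose SYSVOL share is scanned
    [switch]$Remove                         # delete the cpassword attribute from every match
)

# The five preference types that offer a saved password (the list given in the post).
$PreferenceFiles = 'Groups.xml', 'DataSources.xml', 'Drives.xml', 'ScheduledTasks.xml', 'Services.xml'
$PoliciesRoot    = "\\$Domain\SYSVOL\$Domain\Policies"

$findings = foreach ($file in Get-ChildItem -Path $PoliciesRoot -Recurse -Include $PreferenceFiles -File -ErrorAction SilentlyContinue) {
    [xml]$doc = Get-Content -Path $file.FullName -Raw
    $modified = $false

    # Any element with a cpassword attribute, whatever the preference type.
    foreach ($props in $doc.SelectNodes('//*[@cpassword]')) {
        $item = $props.ParentNode   # the User, Drive, Task, NTService or DataSource element

        # The account attribute is named differently per preference type; report whichever is present.
        $account = @('userName', 'runAs', 'accountName', 'username') |
            ForEach-Object { $props.GetAttribute($_) } |
            Where-Object { $_ } |
            Select-Object -First 1

        [pscustomobject]@{
            Gpo      = if ($file.FullName -match '\{[0-9A-Fa-f-]+\}') { $Matches[0] } else { '' }
            ItemType = $item.LocalName
            ItemName = $item.GetAttribute('name')
            Account  = $account
            File     = $file.FullName
        }

        if ($Remove -and $PSCmdlet.ShouldProcess($file.FullName, "remove cpassword from '$($item.GetAttribute('name'))'")) {
            $props.RemoveAttribute('cpassword')
            $modified = $true
        }
    }

    if ($modified) {
        # Keep a copy of the original, then write the cleaned file back to SYSVOL.
        Copy-Item -Path $file.FullName -Destination "$($file.FullName).bak" -Force
        $doc.Save($file.FullName)
    }
}

$findings | Format-Table -AutoSize
```

Run it without switches to get the report; add -Remove -WhatIf to see which files would be changed, and -Remove to change them. Because the script edits the XML directly, the GPO's version number is not incremented the way it is when you remove the password in the Group Policy Preferences UI, so prefer the UI for the final clean-up and use the script as the audit that tells you where to look.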


As they are Group Policy Preferences, the value will persist on the computers/accounts that are already configured. However, any new computers will not get the value configured, so keep this in mind as it will probably affect any computer build process you already have in place that uses this setting.

And yes… this means you will need to implement an alternative way to manage passwords on the computers in your organisation.

Certainly all this news is a PITA; however, it is something you as a Group Policy administrator must be aware of and actively stop in your organisation…

Additional References: Group Policy Preferences Password Behaviour Change – MS14-025

Internet Explorer 11 Group Policy Preferences


With the release of Internet Explorer 11 from Microsoft for Windows 7, I have seen a number of questions asking where the Group Policy Preferences for this new version of the browser are. The good news is that the current Internet Explorer 10 Group Policy Preferences are officially supported; see http://support.microsoft.com/kb/2898604 .

This works because the default version check goes from 10 to 99, meaning that it will happily apply the IE 10 settings to IE 11.
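If you want to confirm that your existing IE 10 preference items really do carry the 10-to-99 range (and catch any that someone has narrowed), you can read the item-level targeting filter straight out of SYSVOL. The script below is an added example for this page, not code from the post; it assumes that the version filter is stored in each InternetSettings.xml as a FilterFile element with type="VERSION" and min/max attributes, that the preference item is the grandparent of that element and has a name attribute, and that the current user can read SYSVOL. $Domain and $TargetVersion are this example's own parameter names.

```powershell
# Added example (not from the original post): list Internet Explorer preference items in SYSVOL
# with their file-version filter and report whether the range still admits the target IE version.
# Assumptions: filter stored as <FilterFile type="VERSION" min=".." max=".."> inside
# InternetSettings.xml, item element is the FilterFile's grandparent, user can read SYSVOL.
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [version]$TargetVersion = '11.0.0.0'   # the browser version you are about to deploy
)

$PoliciesRoot = "\\$Domain\SYSVOL\$Domain\Policies"

function Get-IePreferenceVersionRange {
    param([string]$Root, [version]$Target)

    foreach ($file in Get-ChildItem -Path $Root -Recurse -Filter 'InternetSettings.xml' -File -ErrorAction SilentlyContinue) {
        [xml]$doc = Get-Content -Path $file.FullName -Raw

        # Each preference item carries its own Filters block; only version filters matter here.
        foreach ($filter in $doc.SelectNodes('//Filters/FilterFile[@type="VERSION"]')) {
            $minText = $filter.GetAttribute('min')
            $maxText = $filter.GetAttribute('max')
            if (-not $minText -or -not $maxText) { continue }   # malformed filter, skip it

            $min = [version]$minText
            $max = [version]$maxText
            [pscustomobject]@{
                Gpo             = if ($file.FullName -match '\{[0-9A-Fa-f-]+\}') { $Matches[0] } else { '' }
                Item            = $filter.ParentNode.ParentNode.GetAttribute('name')
                MinVersion      = $min
                MaxVersion      = $max
                AppliesToTarget = ($Target -ge $min -and $Target -le $max)   # e.g. 10.0.0.0 <= 11.0.0.0 <= 99.0.0.0
            }
        }
    }
}

Get-IePreferenceVersionRange -Root $PoliciesRoot -Target $TargetVersion | Format-Table -AutoSize
```

Any row with AppliesToTarget set to False is an IE 10 preference item whose filter has been changed from the default range and will silently stop applying once IE 11 is installed.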


Note: This does not mean that the IE 10 Group Policy Preferences have any of the new options in IE 11.

The really good news is that this has always been the default behaviour of the IE 10 Group Policy Preferences in Windows Server 2012, meaning that if you already have IE 10 Group Policy Preferences configured you don’t have to do anything to make them work for IE 11.

There are of course many ways to configure Internet Explorer, and if you want to configure some of the new settings you can download the new IE 11 administrative templates to update your existing Group Policy Object or Central Store (see Internet Explorer 11 Administrator Templates). But this is only required if you want to configure any of the 54 new Group Policy settings in the administrative templates.

Tip: You can get a full list of these IE settings from the Group Policy Settings Spreadsheet.

It’s also worth remembering that since Internet Explorer 10, Internet Explorer Maintenance has been removed from Group Policy. If you have the settings configured in a policy they will still apply, but the UI to edit these policy settings is removed on any computer with Internet Explorer 10 or greater installed. The good news is that you can replace this functionality with a combination of Administrative Templates, Group Policy Preferences and Group Policy Preferences Registry Keys. While this sounds a little clunky, I still definitely recommend you stop using IE Maintenance as its days are well and truly over. I show you how to duplicate the settings from IE Maintenance using the newer methods in my TechEd New Zealand 2013 session The Browser You Love to Hate.

TIP: Once you are done with Internet Explorer Maintenance be sure to clean up the old settings by doing a “Reset Browser Settings”; see How to remove imported Internet Explorer Group Policy Settings

For additional info see:

http://sdmsoftware.com/group-policy-blog/group-policy-preferences/gp-preferences-for-internet-explorer-11/

Internet Explorer 11 Administrator Templates

Microsoft released Internet Explorer 11 for Windows 7 today and as part of this release they have also made the ADM files available for download. This enables Group Policy administrators to manage IE 11 using administrative templates without having to install Windows 8.1.

In fact if you load these templates you can even modify the IE 11 Group Policy settings from a Windows XP/2003 computer. However, I would not recommend doing this…

Even if you have not deployed Internet Explorer 11 in your organisation yet, you can still load these ADM templates into your existing GPOs without affecting any of your existing settings.

But if you want Group Policy Preferences support then definitely check out my TechEd session (Internet Explorer 11) The Browser You Love To Hate, where I also explain how the Internet Explorer 10 Group Policy Preferences support IE 99 (err… 11).

Download Link  http://www.microsoft.com/en-us/download/details.aspx?id=40905

Out Now: Group Policy Settings spread sheet for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11


Update: It’s been pointed out that column D represents whether a policy setting is new, which has revealed many more settings.

The complete reference guide to all the new Windows 8 Group Policy settings has now been published. A quick search through this spreadsheet shows there are 216 new administrative settings (27 161 Unique) specific to Windows 8.1 and Windows Server 2012 R2.

For your reference, below is a list of all the new Group Policy Administrative Template settings. (There do not appear to be any new security settings.)

Allow development of Windows Store apps without installing a developer license 
Prevent enabling lock screen slide show
Prevent enabling lock screen camera
Force a specific background and accent color
Force a specific Start background
Force a specific default lock screen image
Allow users to select when a password is required when resuming from connected standby
Restrict delegation of credentials to remote servers
Prevent adding
App switching
Charms
WinX
Automatically send memory dumps for OS-generated error reports
Configure Group Policy Caching
Configure Logon Script Delay
Turn off loading websites and content in the background to optimize performance
Turn on the swiping motion on Internet Explorer for the desktop
Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows
Allow Internet Explorer to use the SPDY/3 network protocol
Turn off phone number detection
Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar
Prevent deleting ActiveX Filtering
Allow cut
Don’t run antimalware programs against ActiveX controls
KDC support for claims
Kerberos client support for claims
Automatic Maintenance Random Delay
Use DNS name resolution when a single-label domain name is used
At logoff
Run Windows PowerShell scripts first at computer startup
Run Windows PowerShell scripts first at user logon
Disable indexing of removable drives
Don’t search the web or display web results in Search
Don’t search the web or display web results in Search over metered connections
Set what information is shared in Search
Set the SafeSearch setting for Search
Do not sync Apps
Do not sync start settings
Pin Apps to Start when installed
Start Screen Layout
Remove and prevent access to the Shut Down
Default
Default app
Default search
Sort
Multimon
For tablet pen input
For touch input
Include rarely used Chinese
Set remote control session UAC desktop
Set remote control permission request timeout
Use advanced RemoteFX graphics for RemoteApp
Enable Remote Desktop Protocol 8.0
User management of sharing user name
Choose drive encryption method and cipher strength (Windows Vista
Configure TPM platform validation profile (Windows Vista
Allow antimalware service to startup with normal priority
Turn on virus definitions
Configure local administrator merge behavior for lists
Define addresses to bypass proxy server
Define proxy server for connecting to the network
Randomize scheduled task times
Allow antimalware service to remain running always
Extension Exclusions
Path Exclusions
Process Exclusions
Turn on protocol recognition
Turn on definition retirement
Define the rate of detection events for logging
IP address range Exclusions
Port number  Exclusions
Process Exclusions for outbound traffic
Threat ID Exclusions
Specify additional definition sets for network traffic inspection
Configure local setting override for the removal of items from Quarantine folder
Configure removal of items from Quarantine folder
Turn on behavior monitoring
Turn on Information Protection Control
Turn on network protection against exploits of known vulnerabilities
Scan all downloaded files and attachments
Monitor file and program activity on your computer
Turn on raw volume write notifications
Turn on process scanning whenever real-time protection is enabled
Define the maximum size of downloaded files and attachments to be scanned
Configure local setting override for turn on behavior monitoring
Configure local setting override for monitoring file and program activity on your computer
Configure local setting override to turn off Intrusion Prevention System
Configure local setting override for scanning all downloaded files and attachments
Configure local setting override to turn on real-time protection
Configure local setting override for monitoring for incoming and outgoing file activity
Configure monitoring for incoming and outgoing file and program activity
Configure local setting override for the time of day to run a scheduled full scan to complete remediation
Specify the day of the week to run a scheduled full scan to complete remediation
Specify the time of day to run a scheduled full scan to complete remediation
Configure time out for detections requiring additional action
Configure time out for detections in critically failed state
Configure Watson events
Configure time out for detections in non-critical failed state
Configure time out for detections in recently remediated state
Configure Windows software trace preprocessor components
Configure WPP tracing level
Allow users to pause scan
Specify the maximum depth to scan archive files
Specify the maximum size of archive files to be scanned
Specify the maximum percentage of CPU utilization during a scan
Scan archive files
Turn on catch-up full scan
Turn on catch-up quick scan
Turn on e-mail scanning
Turn on heuristics
Scan packed executables
Scan removable drives
Turn on reparse point scanning
Create a system restore point
Run full scan on mapped network drives
Scan network files
Configure local setting override for maximum percentage of CPU utilization
Configure local setting override for the scan type to use for a scheduled scan
Configure local setting override for schedule scan day
Configure local setting override for scheduled quick scan time
Configure local setting override for scheduled scan time
Turn on removal of items from scan history folder
Specify the interval to run quick scans per day
Start the scheduled scan only when computer is on but not in use
Specify the scan type to use for a scheduled scan
Specify the day of the week to run a scheduled scan
Specify the time for a daily quick scan
Specify the time of day to run a scheduled scan
Define the number of days before spyware definitions are considered out of date
Define the number of days before virus definitions are considered out of date
Define file shares for downloading definition updates
Turn on scan after signature update
Allow definition updates when running on battery power
Initiate definition update on startup
Define the order of sources for downloading definition updates
Allow definition updates from Microsoft Update
Allow real-time definition updates based on reports to Microsoft MAPS
Specify the day of the week to check for definition updates
Specify the time to check for definition updates
Allow notifications to disable definitions based reports to Microsoft MAPS
Define the number of days after which a catch-up definition update is required
Specify the interval to check for definition updates
Check for the latest virus and spyware definitions on startup
Configure local setting override for reporting to Microsoft MAPS
Specify threats upon which default action should not be taken when detected
Specify threat alert levels at which default action should not be taken when detected
Display notifications to clients when they need to perform actions
Display additional text to clients when they need to perform an action
Always automatically restart at the scheduled time
Specify Work Folders settings
Turn off tile notifications
Turn off toast notifications
Turn off toast notifications on the lock screen
Turn off notifications network usage
Turn off Quiet Hours
Set the time Quiet Hours begins each day
Set the time Quiet Hours ends each day
Turn off calls during Quiet Hours
Set 3G Cost
Set 4G Cost

Unfortunately, Microsoft has removed the Reboot Required, Logoff Required, Require Schema and Status columns that were introduced in the Windows 8/2012 version. But if you need this information you can still download that version from the same page.


Download Link http://www.microsoft.com/en-us/download/details.aspx?id=25250