In today’s technological landscape, Active Directory (AD) is a constant target for attackers. There are multiple reasons for this, including how easy it is to misconfigure and the fact that Active Directory holds every user, computer, and their permissions. A common attack vector against Active Directory is group policy. Group policy can be a very effective direct or indirect method of executing remote code, modifying security settings, changing user permissions, and much more. Before we dig into some of the common group policy attack pathways, we first need to address what group policy is.
What is group policy?
Group Policy is a large and complex framework that has been around since the introduction of Active Directory with Windows Server 2000. It is Microsoft’s implementation for centrally managing the configuration of users and computers in an Active Directory environment. That said, there is also a management console for configuring local group policy on a single computer. Active Directory administrators rely heavily on group policy for all kinds of tasks, but the underlying mechanisms that make those tasks possible tend to remain a bit in the dark. This raises the question, “how does group policy work?”
Group policy consists of three main parts:
- Group Policy Objects (GPO) - These objects are managed through the Group Policy Management Console and are used by administrators to create, modify, and link group policy to specific Organizational Units (OU).
- Group Policy Templates (GPT) - These are XML files located in SYSVOL that hold the various settings for group policy objects, including any modified group policy objects.
- Client-side Extensions (CSE) - Group policy follows a “pull” model: clients reach out to domain controllers and pull the GPOs that apply to them. CSEs are Dynamic Link Libraries (DLLs) on the client that implement specific local changes based on the applied GPOs.
By default, clients poll for group policy changes every 90 minutes, plus a randomized offset of up to 30 minutes. This interval can be adjusted, but it is best practice not to make it very short, to avoid collisions as well as domain controller and network resource exhaustion.
Why Attackers Exploit Group Policy
Attackers exploit group policy regularly because of its powerful configuration abilities in an Active Directory environment. Group policy can move computers and users in and out of security groups, including local administrators. It can run custom scripts at computer startup or at user logon/logoff. A commonly targeted capability is group policy’s ability to modify security settings, including firewall rules, trusted hosts, web proxies, and antivirus (AV).
In order for attackers to abuse the functionality of group policy, there are five common group policy misconfigurations that are exploited: GPO permissions, GPT permissions, SYSVOL/NETLOGON permissions, OU permissions, and Group Policy Preferences. Let’s take a look at each of these and how they are commonly misconfigured and abused.
- GPO Permissions - Non-administrator users with owner, write, or modify permissions on a GPO have the ability to edit the object. If an attacker compromises one of these accounts, they can modify the GPO for malicious purposes.
- GPT Permissions - Non-administrator users with owner, write, or modify permissions on a GPT XML file have the ability to edit that file, and thus change what the GPO does. If an attacker compromises one of these accounts, they can modify the XML for malicious purposes.
- SYSVOL/NETLOGON Permissions - All objects in Active Directory have read-only permissions to SYSVOL and NETLOGON. These two locations typically house scripts used by GPOs, such as logon scripts. When a non-administrator has non-standard permissions, such as owner, write, or modify, on one of these shares, they have the ability to modify files located there. If an attacker compromises one of these accounts, they could modify a script used by a GPO to execute malicious code.
- OU Permissions - Non-administrators with the ability to create or modify objects in an OU can create objects that will inherit the GPOs linked to that OU. If an attacker compromises one of these accounts, they could create objects with the intent of having a specific GPO applied (such as one that modifies local administrators).
- Group Policy Preferences - Group Policy Preferences can be used to create a username and password on a targeted machine. In the XML file associated with the GPO, the username of the account is stored in plaintext. The password (referred to as cPassword) is encrypted using AES. The issue is that the AES key used to encrypt these passwords is well known and publicly disclosed on MSDN. This means that an attacker who can read the XML file can read the username and decrypt the password using the disclosed AES key. Using Group Policy Preferences to set credentials is no longer considered a secure method of credential management.
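The following script is an added example, not code from the original article: a read-only audit for three of the misconfigurations just listed (GPO permissions and ownership, GPT/SYSVOL/NETLOGON NTFS permissions, and Group Policy Preferences XML files that still carry a cpassword). It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed, that the session can read SYSVOL, and that the `$expectedAdmins` list is an assumption you adjust to your own delegation model before trusting the output.

```powershell
# Added example (not from the original article): audit GPO ACLs, SYSVOL NTFS ACLs
# and GPP cpassword entries in the current domain. Read-only; nothing is changed
# and nothing is decrypted. Assumes RSAT GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$nb         = $domain.NetBIOSName
$sysvolRoot = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)"

# Assumption: only these principals should hold write-level rights. Edit for your environment.
$expectedAdmins = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
    "$nb\Domain Admins", "$nb\Enterprise Admins"
)

# --- 1. GPO permissions: non-admin owners or trustees with edit rights ---
$editRights = 'GpoEdit', 'GpoEditDeleteModifySecurity'
$gpoFindings = foreach ($gpo in Get-GPO -All) {
    if ($gpo.Owner -and $gpo.Owner -notin $expectedAdmins) {
        [pscustomobject]@{ Check = 'GPO owner'; Object = $gpo.DisplayName; Trustee = $gpo.Owner; Right = 'Owner' }
    }
    foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
        $t = $perm.Trustee
        $trustee = if ($t.Domain) { "$($t.Domain)\$($t.Name)" } else { $t.Name }
        if ($perm.Permission -in $editRights -and -not $perm.Denied -and $trustee -notin $expectedAdmins) {
            [pscustomobject]@{ Check = 'GPO ACL'; Object = $gpo.DisplayName; Trustee = $trustee; Right = $perm.Permission }
        }
    }
}

# --- 2. GPT / SYSVOL / NETLOGON NTFS permissions: who can write where? ---
# Any of these bits lets a principal alter policy files or the ACL itself.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'
$dirs = @(Get-Item "$sysvolRoot\Policies", "$sysvolRoot\scripts") +   # scripts = NETLOGON share
        @(Get-ChildItem "$sysvolRoot\Policies" -Directory)              # one folder per GPT
$aclFindings = foreach ($dir in $dirs) {
    foreach ($ace in (Get-Acl -Path $dir.FullName).Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.FileSystemRights -band $writeMask) -ne 0) -and
            $id -notin $expectedAdmins) {
            [pscustomobject]@{ Check = 'SYSVOL ACL'; Object = $dir.FullName; Trustee = $id; Right = $ace.FileSystemRights }
        }
    }
}

# --- 3. Group Policy Preferences: XML files that still contain a non-empty cpassword ---
$gppFindings = Get-ChildItem -Path "$sysvolRoot\Policies" -Recurse -File -Include '*.xml' |
    Select-String -Pattern 'cpassword="[^"]+"' |
    Select-Object -Unique Path |
    ForEach-Object {
        [pscustomobject]@{ Check = 'GPP cpassword'; Object = $_.Path; Trustee = ''; Right = '' }
    }

# Wrap each result set in @() so empty sets concatenate cleanly.
$findings = @($gpoFindings) + @($aclFindings) + @($gppFindings)
$findings | Sort-Object Check, Object | Format-Table -AutoSize
```

Run it from a management host, ideally a PAW, and treat every line as a question rather than a verdict: a help-desk group with GpoEdit on a single GPO may be intended delegation, but the same right on a GPO linked to the domain root is not. The cpassword check only reports file paths; the fix is to remove the preference item and rotate the credential it set (Microsoft removed the ability to store new passwords in GPP with MS14-025, but existing XML files are not cleaned up automatically).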
Securing group policy can be a daunting task due to its size and complexity, but there are several things that can be done to make your environment much less vulnerable. Ensure that no users outside an administrator group have owner, write, or modify permissions on GPOs or GPTs. Ensure that GPOs are linked to appropriate OUs, and audit the GPOs linked to the domain root and to the Domain Controllers OU. Also, the use of Privileged Access Workstations (PAWs) when performing any administrative tasks in AD is highly recommended. Group policy, like all of Active Directory, must be monitored constantly and regularly, so security assessments and the use of an Active Directory security product can be incredibly useful.
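As a second added example (again not the article’s own code), this script covers the two remaining points above: it lists which GPOs are linked to the domain root, the Domain Controllers OU and every other OU, and flags non-administrator principals whose OU permissions would let them create objects in the OU (the OU Permissions misconfiguration) or rewrite the OU’s ACL, owner or attributes. It assumes the ActiveDirectory and GroupPolicy RSAT modules and, as before, that `$expectedAdmins` is an assumption you adapt to your environment.

```powershell
# Added example (not from the original article): audit GPO links per container
# and non-admin create/modify rights on OUs. Read-only.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
$nb     = $domain.NetBIOSName
# Assumption: principals expected to hold broad rights on OUs. Edit for your environment.
$expectedAdmins = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
    "$nb\Domain Admins", "$nb\Enterprise Admins"
)
# AD rights that allow adding objects to an OU or rewriting its ACL, owner or attributes.
$sensitiveRights = 'CreateChild', 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty'

# Domain root and Domain Controllers first, then every OU (duplicates removed).
$targets = @($domain.DistinguishedName, $domain.DomainControllersContainer) +
           @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$targets = $targets | Select-Object -Unique

# --- GPO links: order, enabled and enforced state for each container ---
$links = foreach ($dn in $targets) {
    foreach ($link in (Get-GPInheritance -Target $dn).GpoLinks) {
        [pscustomobject]@{ Target = $dn; Order = $link.Order; GPO = $link.DisplayName
                           Enabled = $link.Enabled; Enforced = $link.Enforced }
    }
}

# --- OU permissions: non-admin ACEs granting create/modify rights ---
# The AD: drive is provided by the ActiveDirectory module.
$ouFindings = foreach ($dn in $targets) {
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($id -in $expectedAdmins) { continue }
        $held = ($ace.ActiveDirectoryRights.ToString() -split ',\s*') | Where-Object { $_ -in $sensitiveRights }
        if ($held) {
            [pscustomobject]@{
                Target     = $dn
                Trustee    = $id
                Rights     = ($held -join ',')
                ObjectType = $ace.ObjectType   # all-zero GUID = any object class / attribute
                Inherited  = $ace.IsInherited
            }
        }
    }
}

"== GPO links ==";      $links      | Format-Table -AutoSize
"== OU permissions =="; $ouFindings | Format-Table -AutoSize
```

Expect some entries on a default domain: Account Operators holds CreateChild for user, group and computer classes on most containers, Print Operators for printQueue, and SELF holds WriteProperty on selected attributes. The ObjectType GUID tells you which class or attribute an ACE is scoped to, so compare each finding against the intended delegation rather than treating every line as a defect; the links section is the quick check that nothing unexpected is linked at the domain root or Domain Controllers OU, where a single GPO reaches every machine or every DC.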
With so many options to modify configurations and security for Active Directory objects, it’s no wonder that group policy is a major target for attackers. New Active Directory attacks are surfacing every month and a lot of them have freely available tools that attackers can leverage. Group policy does not seem to be going anywhere anytime soon, so it’s up to administrators and security professionals to ensure that this framework is well-secured. This means keeping up with best practices and continuously monitoring your environment.