How Can I Block the Use of Passwords in Group Policy Preferences?
Microsoft tries to dissuade IT administrators from setting and storing passwords in Group Policy Preferences because of a well-understood security flaw. The feature is handy for mapping network drives and creating local user accounts, but any password stored this way is readable by every authenticated user in the domain, and anyone who can read it can decrypt it.
This Ask the Admin column outlines how to update the Group Policy Management Console (GPMC) to prevent IT administrators from setting passwords in Group Policy Preferences.
Security through Obscurity
CPassword is the mechanism used to store passwords in Group Policy Preferences. Microsoft inherited it with its acquisition of the PolicyMaker product from DesktopStandard, which shipped as Group Policy Preferences in Windows Server 2008. PolicyMaker stored passwords inside the related Group Policy Object (GPO) XML files in SYSVOL, a share that by design is readable by every authenticated domain user. The value is encrypted with AES-256, but the encryption offers no real protection: one static 32-byte key is used for every domain in the world, and Microsoft publishes that key in its Open Specifications protocol documentation (MS-GPPREF).
Many organizations have used Group Policy Preferences to set a common password for the local administrator account on every workstation. Publicly available tools, such as the PowerSploit Get-GPPPassword script, search SYSVOL for cpassword attributes and decrypt them in seconds, so any password set through Group Policy Preferences has to be treated as known to every user in the domain. This is a documented risk, not a theoretical one.
Which Group Policy Preferences Are Affected?
All Group Policy Preferences that allow you to set or store a password are affected. Microsoft's list in MS14-025 is as follows:
- Local user and group
- Mapped drives
- Services
- Scheduled tasks (Uplevel, the newer Task Scheduler 2.0 item)
- Scheduled tasks (Downlevel, the legacy Windows XP-style item)
- Immediate tasks (Uplevel)
- Immediate tasks (Downlevel)
- Data sources
Prevent IT Administrators from Setting Passwords in Group Policy Preferences
The first step is to make sure that IT staff can no longer set passwords in Group Policy Preferences.
Install the update for each affected Windows version as identified in Security Bulletin MS14-025 (KB2962486), released on May 13, 2014 on the Microsoft Security TechCenter site. The update disables the password fields in the Group Policy Preferences editor; it does not remove passwords already stored in existing GPOs, which is why the next section is needed. Apply it to every client and server where GPMC is installed, including any machine that has the Remote Server Administration Tools (RSAT): a single unpatched console can still write new cpassword values into SYSVOL.
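The following is an added example, not part of the original column and not a Microsoft tool. It checks a list of hosts for the presence of the GPMC console and, where it is present, for the MS14-025 update (KB2962486), so that no console capable of writing cpassword values is left unpatched. The function name, the admin-share check and the host names are this example's own assumptions; the host list is a constructed sample.

```powershell
# Added example, not part of the original column or of any Microsoft tool.
# Checks a list of hosts for the GPMC console and, where it is present, for
# the MS14-025 update (KB2962486). The host names are a constructed sample.

function Test-GpmcPatched {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        # GPMC (the server feature or the RSAT package) installs gpmc.msc
        # into System32; reading it over the admin share needs local admin.
        $hasGpmc = Test-Path -LiteralPath "\\$c\admin`$\System32\gpmc.msc"
        $fix = $null
        if ($hasGpmc) {
            # Get-HotFix queries Win32_QuickFixEngineering on the remote host;
            # a missing update yields $null rather than an error.
            $fix = Get-HotFix -Id KB2962486 -ComputerName $c -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Computer    = $c
            GPMC        = $hasGpmc
            MS14_025    = [bool]$fix
            InstalledOn = $(if ($fix) { $fix.InstalledOn })
            NeedsAction = ($hasGpmc -and -not $fix)
        }
    }
}

# Constructed sample list; replace with your DCs and admin workstations.
Test-GpmcPatched -ComputerName 'DC01', 'DC02', 'ADMIN-WS01' |
    Format-Table Computer, GPMC, MS14_025, InstalledOn, NeedsAction -AutoSize
```

Windows versions released after the update (Windows 10, Windows Server 2016 and later) carry the change in the base image, so Get-HotFix will not report KB2962486 on them; treat a NeedsAction result on such a host as a false positive.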
Remove Affected Group Policy Preferences
If you have been using passwords in Group Policy Preferences you will need to take the additional step of making sure they are removed from the .XML files stored for each GPO in your Active Directory domain’s SYSVOL folder. The approach described here is to set the action for each preference that carries a password to Delete. Be aware of what that does: on the next Group Policy refresh the item itself (the local account, mapped drive, scheduled task, service setting or data source) is removed from every computer in scope, so plan how it will be recreated without a preference-stored password. Also treat the password as compromised regardless, and change it on every system where it was ever set.
- Log on to a domain controller or client with the Remote Server Administration Tools, using an account that has permission to modify GPOs.
- Open Server Manager from the icon on the desktop taskbar or from the Start screen.
- Select Group Policy Management from the Tools menu in Server Manager.
- In the left pane of the GPMC, expand Forest, Domains, your domain and then the Group Policy Objects folder.
- Click the first GPO in the list.
- In the right pane, switch to the Settings tab.
- Check to see if any of the affected Group Policy Preferences listed in this article are configured. If so, right click the GPO in the left pane and select Edit… from the menu.
- In the Group Policy Management Editor, find the Group Policy Preference under Computer or User Configuration and Preferences.
- Click the Group Policy Preference item you want to change in the list on the left.
- In the right pane, right click the item you want to change and select Properties from the menu.
- In the Properties window, set Action to Delete in the drop-down menu and click OK.
Remove passwords from Group Policy Preferences
- Now right click the item again in the right pane and select All Tasks > Display Xml.
- The XML for the item opens in Notepad. Confirm that no cpassword attribute is present, then close Notepad.
Repeat the above procedure for all Group Policy Preference items identified as containing passwords. Bear in mind that the edited files must replicate to every domain controller before the old copies are gone, so check SYSVOL on more than one DC before you consider the clean-up finished.
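The following is an added example, not part of the original column and not a Microsoft tool. It serves two purposes: it demonstrates the point made under "Security through Obscurity" above, that anyone who can read SYSVOL can decrypt a cpassword value with the key Microsoft publishes in MS-GPPREF, and it is the check to run after the removal procedure, since it should then return nothing. The function names, the SYSVOL path layout and the attribute names consulted for the account are this example's own choices; the encrypt direction exists only so the example can demonstrate itself offline on a constructed value.

```powershell
# Added example, not part of the original column or of any Microsoft tool.
# Scans SYSVOL for Group Policy Preference XML files that still carry a
# cpassword attribute and decrypts each one with the static AES-256 key that
# Microsoft publishes in the [MS-GPPREF] open specification.

Set-StrictMode -Version Latest

# Key bytes as published in [MS-GPPREF], "Password Encryption".
$script:GppKey = [byte[]](
    0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppAes {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key     = $script:GppKey
    $aes.IV      = New-Object byte[] 16          # all-zero IV, per the spec
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    return $aes
}

function ConvertFrom-GppCPassword {
    param([Parameter(Mandatory)][string]$CPassword)
    # GPP strips the trailing '=' from the Base64 text; restore it first.
    $padded = $CPassword + ('=' * ((4 - $CPassword.Length % 4) % 4))
    $cipher = [Convert]::FromBase64String($padded)
    $aes = New-GppAes
    try {
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        return [System.Text.Encoding]::Unicode.GetString($plain)   # UTF-16LE
    } finally { $aes.Dispose() }
}

function ConvertTo-GppCPassword {
    # Reverse direction, used only so the example can demonstrate itself offline.
    param([Parameter(Mandatory)][string]$Password)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Password)
    $aes = New-GppAes
    try {
        $cipher = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
        return [Convert]::ToBase64String($cipher).TrimEnd('=')
    } finally { $aes.Dispose() }
}

function Find-GppCPassword {
    # Walks every Policies\{GUID} folder in SYSVOL. Run from a domain-joined
    # host; any authenticated user can read SYSVOL, which is the whole problem.
    param([string]$Domain = $env:USERDNSDOMAIN)
    $root = "\\$Domain\SYSVOL\$Domain\Policies"
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue `
        -Include Groups.xml, Drives.xml, Services.xml, ScheduledTasks.xml, DataSources.xml |
        ForEach-Object {
            $file = $_
            $gpoGuid = [regex]::Match($file.FullName, '\{[0-9A-Fa-f-]{36}\}').Value
            [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw
            foreach ($props in $doc.SelectNodes('//*[@cpassword]')) {
                # The account attribute is named differently per preference type.
                $account = foreach ($a in 'userName', 'runAs', 'accountName', 'username') {
                    if ($props.HasAttribute($a)) { $props.GetAttribute($a); break }
                }
                [pscustomobject]@{
                    GPO      = $gpoGuid
                    File     = $file.FullName
                    Account  = $account
                    Password = ConvertFrom-GppCPassword $props.GetAttribute('cpassword')
                }
            }
        }
}

# Offline round trip on a constructed value (no domain needed):
$sample = ConvertTo-GppCPassword -Password 'P@ssw0rd!'
"cpassword=$sample -> $(ConvertFrom-GppCPassword $sample)"

# On a real domain: list every remaining secret. After the Delete actions
# above have been applied and replicated, this should produce no output.
# Find-GppCPassword | Format-Table GPO, Account, Password -AutoSize
```

Run Find-GppCPassword against more than one domain controller (pass the DC name instead of the domain name as the UNC host) if you want to confirm that replication has cleared the old copies everywhere.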