Nitin Pandey
MS14-025: Fixing the GPP Cpassword vulnerability.
Hi team,
Have inherited an environment and have been advised to work on MS14-025: Fixing the GPP Cpassword vulnerability.
Common way to remediate:
1. In GPMC, open the preference that contains CPassword data.
2. Change the action to Delete or Disable, as applicable to the preference.
3. Click OK to save your changes.
4. Wait for one or two Group Policy refresh cycles to allow changes to propagate to clients.
5. After changes are applied on all clients, delete the preference.
6. Repeat steps 1 through 5 as needed to clean your whole environment. When the detection script returns zero results, you are finished.
My question: if I use https://4sysops.com/archives/change-the-local-administrator-password-on-multiple-computers-with-powershell/#chaging-the-password-on-multiple-computers to reset the built-in Administrator account password, isn't that fixing the vulnerability?
Thanks.
ASKER
Thanks yo_bee.
From what I understand, detecting cpassword GPOs is covered under Deprecation of CPassword. To detect, run the script given as an example under Get-SettingsWithCPassword.ps1.
The above step will provide us with the GPOs that have a CPassword hash present. Once we know the culprit GPOs, the next step is to implement "Removing CPassword preferences", which is at the bottom of the webpage and asks for the 6 steps that I've mentioned in my post.
After I ran Get-SettingsWithCPassword.ps1, I know the culprit GPOs. I can see that the password field is greyed out BUT the XML still has CPassword, which can be decrypted.
If I use PowerShell to remotely reset the local Admin password on all the servers, that should make CPassword decryption useless?
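A detection pass in the spirit of Get-SettingsWithCPassword.ps1, written as an added example for this thread (it is not Microsoft's script or code from the posts above): it walks SYSVOL for the GPP XML files that can embed a cpassword attribute and reports, per GPO, the item, its action and whether a secret value is still present, so the items switched to Delete or Disable in step 2 can be confirmed before the preference is deleted in step 5. It assumes read access to SYSVOL and that $Domain (defaulting to $env:USERDNSDOMAIN) names the domain to scan.

```powershell
# Added example, not Microsoft's Get-SettingsWithCPassword.ps1: report every
# GPP item in SYSVOL that still carries a cpassword attribute.
# Assumes: read access to SYSVOL; $Domain is the domain to scan.
param(
    [string]$Domain = $env:USERDNSDOMAIN
)

$policyRoot = "\\$Domain\SYSVOL\$Domain\Policies"

# Action codes used by GPP items: C=Create, R=Replace, U=Update, D=Delete
$actionNames = @{ 'C' = 'Create'; 'R' = 'Replace'; 'U' = 'Update'; 'D' = 'Delete' }

# The GPP preference files that can embed a cpassword value
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
            'DataSources.xml', 'Drives.xml', 'Printers.xml'

$findings = foreach ($file in Get-ChildItem -Path $policyRoot -Recurse -Include $gppFiles -File -ErrorAction SilentlyContinue) {
    # Cheap pre-filter: skip files that contain no cpassword text at all
    if (-not (Select-String -Path $file.FullName -Pattern 'cpassword' -Quiet)) { continue }

    [xml]$xml = Get-Content -Path $file.FullName -Raw

    # Match the <Properties> element of any item type that has a cpassword attribute
    foreach ($props in $xml.SelectNodes('//*[@cpassword]')) {
        $item = $props.ParentNode   # e.g. <User>, <Group>, <Service>, <Task>

        [pscustomobject]@{
            # The folder directly under \Policies\ is the GPO GUID
            GpoGuid   = (($file.FullName -split '\\Policies\\')[1] -split '\\')[0]
            File      = $file.FullName
            ItemType  = $item.LocalName
            ItemName  = $item.GetAttribute('name')
            Action    = $actionNames[$props.GetAttribute('action')]
            # An empty cpassword="" means the stored credential has been cleared
            HasSecret = $props.GetAttribute('cpassword') -ne ''
            # disabled="1" on the item means the preference is disabled
            Disabled  = $item.GetAttribute('disabled') -eq '1'
        }
    }
}

if (-not $findings) {
    Write-Output "No cpassword attributes found under $policyRoot"
} else {
    $findings | Sort-Object GpoGuid, File | Format-Table -AutoSize
}
```

Rows with HasSecret set to True and an Action other than Delete, or Disabled still False, are the items that have not yet been through step 2; once every row has gone and the script prints no findings, the cleanup described in step 6 is complete.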
ASKER
Thanks Sahun. Well, that was a screenshot from Google. Removed it anyhow.
I do not think you need to take the actions you describe.