MS14-025: Fixing the GPP Cpassword vulnerability.

Nitin Pandey
Nitin Pandey used Ask the Experts™
on
Hi team,

Have inherited an environment and have been advised to work on MS14-025: Fixing the GPP Cpassword vulnerability.

Common way to remediation:

1. In GPMC, open the preference that contains CPassword data.
2. Change the action to Delete or Disable, as applicable to the preference.
3. Click OK to save your changes.
4. Wait for one or two Group Policy refresh cycles to allow changes to propagate to clients.
5. After changes are applied on all clients, delete the preference.
6. Repeat steps 1 through 5 as needed to clean your whole environment. When the detection script returns zero results, you are finished.

My question; if I use https://4sysops.com/archives/change-the-local-administrator-password-on-multiple-computers-with-powershell/#chaging-the-password-on-multiple-computers to reset built in Administrator account password, isn't it fixing the vulnerability?

Thanks.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
yo_beeDirector of Information Technology

Commented:
Unless I am mistaken, but https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati update addresses this. If you are running WSUS or patch management system you can confirm and make sure this is installed on your environment.


I do not think you need to take the actions you describe.
Nitin PandeyInfrastructure Engineer

Author

Commented:
Thanks yo_bee.

From what I understand, detecting cpassword GPOs is mentioned under Deprecation of CPassword. To detect, run the script which is exampled under Get-SettingsWithCPassword.ps1

Above step will provide us with the GPOs with CPassword hash enabled. Once we know the culprit GPOs, the next step is to implement "Removing CPassword preferences" which is at the bottom of the webpage, asking to do the 6 steps that I've mentioned in my post.

After I ran Get-SettingsWithCPassword.ps1, I know the culprit GPOs. I can see that the password field is greyed out BUT the XML still has CPassword which can be decrypted.

If I use powershell to remotely reset Local Admin password from all the servers, that should make CPassword decryption useless?
Technical Specialist
Awarded 2017
Distinguished Expert 2018
Commented:
Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018
Commented:
Technically you have mitigated the vulnerability once you have changed the password. If you have not changed the password yet, you should.
You have just posted your password to the world :)
S************$
Nitin PandeyInfrastructure Engineer

Author

Commented:
Thanks Sahun. Well, that was a screenshot from Google. Rwmoved it anyhow.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial