Avatar of Nitin Pandey
Nitin Pandey
Flag for Australia asked on

MS14-025: Fixing the GPP Cpassword vulnerability.

Hi team,

Have inherited an environment and have been advised to work on MS14-025: Fixing the GPP Cpassword vulnerability.

Common way to remediation:

1. In GPMC, open the preference that contains CPassword data.
2. Change the action to Delete or Disable, as applicable to the preference.
3. Click OK to save your changes.
4. Wait for one or two Group Policy refresh cycles to allow changes to propagate to clients.
5. After changes are applied on all clients, delete the preference.
6. Repeat steps 1 through 5 as needed to clean your whole environment. When the detection script returns zero results, you are finished.

My question; if I use https://4sysops.com/archives/change-the-local-administrator-password-on-multiple-computers-with-powershell/#chaging-the-password-on-multiple-computers to reset built in Administrator account password, isn't it fixing the vulnerability?

Active Directory

Avatar of undefined
Last Comment
Nitin Pandey

8/22/2022 - Mon

Unless I am mistaken, but https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati update addresses this. If you are running WSUS or patch management system you can confirm and make sure this is installed on your environment.

I do not think you need to take the actions you describe.
Nitin Pandey

Thanks yo_bee.

From what I understand, detecting cpassword GPOs is mentioned under Deprecation of CPassword. To detect, run the script which is exampled under Get-SettingsWithCPassword.ps1

Above step will provide us with the GPOs with CPassword hash enabled. Once we know the culprit GPOs, the next step is to implement "Removing CPassword preferences" which is at the bottom of the webpage, asking to do the 6 steps that I've mentioned in my post.

After I ran Get-SettingsWithCPassword.ps1, I know the culprit GPOs. I can see that the password field is greyed out BUT the XML still has CPassword which can be decrypted.

If I use powershell to remotely reset Local Admin password from all the servers, that should make CPassword decryption useless?
Shaun Vermaak

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Nitin Pandey

Thanks Sahun. Well, that was a screenshot from Google. Rwmoved it anyhow.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck