MS14-025: Fixing the GPP Cpassword vulnerability.

Hi team,

Have inherited an environment and have been advised to work on MS14-025: Fixing the GPP Cpassword vulnerability.

Common way to remediation:

1. In GPMC, open the preference that contains CPassword data.
2. Change the action to Delete or Disable, as applicable to the preference.
3. Click OK to save your changes.
4. Wait for one or two Group Policy refresh cycles to allow changes to propagate to clients.
5. After changes are applied on all clients, delete the preference.
6. Repeat steps 1 through 5 as needed to clean your whole environment. When the detection script returns zero results, you are finished.

My question: if I use https://4sysops.com/archives/change-the-local-administrator-password-on-multiple-computers-with-powershell/#chaging-the-password-on-multiple-computers to reset the built-in Administrator account password, isn't that fixing the vulnerability?

Thanks.
Nitin Pandey, Infrastructure Engineer, asked:

yo_bee, Director of Information Technology, commented:
Unless I am mistaken, the https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati update addresses this. If you are running WSUS or a patch management system you can confirm and make sure this is installed in your environment.


I do not think you need to take the actions you describe.
Nitin Pandey, Infrastructure Engineer, Author, commented:
Thanks yo_bee.

From what I understand, detecting cpassword GPOs is mentioned under "Deprecation of CPassword". To detect, run the script given as an example under Get-SettingsWithCPassword.ps1.
</gre_replace>
<gr_replace lines="35" cat="clarify" orig="Above step will">
The above step will provide us with the GPOs with the CPassword hash enabled. Once we know the culprit GPOs, the next step is to implement "Removing CPassword preferences", which is at the bottom of the webpage, asking to do the 6 steps that I've mentioned in my post.

Above step will provide us with the GPOs with CPassword hash enabled. Once we know the culprit GPOs, the next step is to implement "Removing CPassword preferences" which is at the bottom of the webpage, asking to do the 6 steps that I've mentioned in my post.

After I ran Get-SettingsWithCPassword.ps1, I know the culprit GPOs. I can see that the password field is greyed out BUT the XML still has CPassword which can be decrypted.

If I use PowerShell to remotely reset the Local Admin password on all the servers, that should make CPassword decryption useless?
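The detection step discussed in the thread, as an added example: this script is not Microsoft's Get-SettingsWithCPassword.ps1 and is not from the original post. It walks the Policies folder in SYSVOL and reports every Group Policy Preference element that still carries a cpassword attribute, together with the GPO, the preference type and the account name, so you can tell both which preferences to remove and which accounts had a password exposed and should be rotated. It assumes the standard SYSVOL layout \\<domain>\SYSVOL\<domain>\Policies\<GUID>\...\Preferences\..., read access to SYSVOL, and optionally the GroupPolicy RSAT module for resolving GPO display names; the $Domain parameter and the Get-GpoGuidFromPath helper are this example's own.

```powershell
<#
Added example (not the thread's or Microsoft's code): list every GPP item under
SYSVOL that still has a cpassword attribute. Detection only; nothing is decrypted.
Assumes the standard SYSVOL\Policies layout and read access to SYSVOL.
#>
param(
    # Defaults to the DNS domain of the account running the script (assumption).
    [string]$Domain = $env:USERDNSDOMAIN
)

# Preference files that can carry a cpassword attribute (the types listed in KB2962486).
$preferenceFiles = @(
    'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
    'DataSources.xml', 'Drives.xml', 'Printers.xml'
)

$policiesPath    = "\\$Domain\SYSVOL\$Domain\Policies"
# Get-GPO comes from the GroupPolicy RSAT module; resolve names only if it is present.
$canResolveNames = [bool](Get-Command -Name Get-GPO -ErrorAction SilentlyContinue)

function Get-GpoGuidFromPath {
    param([string]$FullName)
    # The GPO GUID is the directory directly beneath Policies.
    $tail = ($FullName -split '\\Policies\\', 2)[1]
    return ($tail -split '\\', 2)[0]
}

$findings = foreach ($file in Get-ChildItem -Path $policiesPath -Recurse -Include $preferenceFiles -File -ErrorAction SilentlyContinue) {
    try {
        [xml]$doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop
    } catch {
        Write-Warning "Could not parse $($file.FullName): $_"
        continue
    }

    $gpoGuid = Get-GpoGuidFromPath -FullName $file.FullName
    $gpoName = '<GroupPolicy module not available>'
    if ($canResolveNames) {
        try { $gpoName = (Get-GPO -Guid $gpoGuid -ErrorAction Stop).DisplayName } catch { $gpoName = '<not found>' }
    }

    # Any element in the file with a cpassword attribute. In GPP XML that is the
    # <Properties> child of the item (User, NTService, Task, Drive, DataSource, ...),
    # so the parent's name tells us the preference type.
    foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
        # Account attribute name differs per preference type; attribute lookup is case-insensitive.
        $account = @($node.userName, $node.accountName, $node.runAs) | Where-Object { $_ } | Select-Object -First 1
        [pscustomobject]@{
            GpoGuid        = $gpoGuid
            GpoName        = $gpoName
            PreferenceType = $node.ParentNode.LocalName
            Account        = $account
            Action         = $node.action   # C/R/U/D = Create/Replace/Update/Delete
            File           = $file.FullName
        }
    }
}

if (-not $findings) {
    Write-Output "No cpassword attributes found under $policiesPath."
} else {
    $findings | Sort-Object GpoGuid, File | Format-Table -AutoSize
    Write-Output ("{0} preference item(s) still carry a cpassword; remove each preference (steps 1-5 above) and rotate the listed accounts." -f @($findings).Count)
}
```

Run it from a domain-joined workstation with the RSAT GroupPolicy module for readable GPO names; the greyed-out password field in GPMC mentioned above does not mean the attribute is gone, which is why the check is made against the XML in SYSVOL rather than the console. A clean run (no items listed) is the "zero results" condition from step 6 of the remediation.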
Shaun Vermaak, Technical Specialist, commented:
Technically you have mitigated the vulnerability once you have changed the password. If you have not changed the password yet, you should.
You have just posted your password to the world :)
S************$
Nitin Pandey, Infrastructure Engineer, Author, commented:
Thanks Shaun. Well, that was a screenshot from Google. Removed it anyhow.