
MS14-025: Fixing the GPP Cpassword vulnerability.

Nitin Pandey asked
Last Modified: 2018-12-11
Hi team,

I have inherited an environment and have been advised to work on MS14-025: Fixing the GPP Cpassword vulnerability.

Common way to remediate:

1. In GPMC, open the preference that contains CPassword data.
2. Change the action to Delete or Disable, as applicable to the preference.
3. Click OK to save your changes.
4. Wait for one or two Group Policy refresh cycles to allow changes to propagate to clients.
5. After changes are applied on all clients, delete the preference.
6. Repeat steps 1 through 5 as needed to clean your whole environment. When the detection script returns zero results, you are finished.

My question: if I use https://4sysops.com/archives/change-the-local-administrator-password-on-multiple-computers-with-powershell/#chaging-the-password-on-multiple-computers to reset the built-in Administrator account password, doesn't that fix the vulnerability?

Thanks.

yo_bee, Director of Information Technology
CERTIFIED EXPERT

Commented:
Unless I am mistaken, the https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati update addresses this. If you are running WSUS or a patch management system, you can confirm and make sure this is installed in your environment.


I do not think you need to take the actions you describe.
Nitin Pandey, Infrastructure Engineer (Author)

Commented:
Thanks yo_bee.

From what I understand, detecting cpassword GPOs is covered under "Deprecation of CPassword". To detect them, run the script given as an example under Get-SettingsWithCPassword.ps1.

The above step will provide us with the GPOs that have CPassword enabled. Once we know the culprit GPOs, the next step is to implement "Removing CPassword preferences", which is at the bottom of the webpage and asks you to do the 6 steps that I mentioned in my post.

After I ran Get-SettingsWithCPassword.ps1, I knew the culprit GPOs. I can see that the password field is greyed out, BUT the XML still has CPassword, which can be decrypted.

If I use PowerShell to remotely reset the local Admin password on all the servers, that should make CPassword decryption useless?
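The detection step (Microsoft's Get-SettingsWithCPassword.ps1) and the observation above that a disabled preference still carries cpassword in its XML can both be checked with a SYSVOL scan like the one below. This is an added example, not code from the post, from Microsoft's script, or from the 4sysops article; it assumes the AD domain name in $Domain (defaulting to the current user's domain), read access to SYSVOL, and, optionally, the GroupPolicy RSAT module for resolving GPO GUIDs to display names.

```powershell
# Added example: enumerate Group Policy Preference items in SYSVOL whose XML
# still carries a cpassword attribute (the MS14-025 issue), so remediation can
# be tracked until the scan returns nothing. Detection and reporting only.
# Assumptions: $Domain is the AD DNS domain (placeholder default: current user's
# domain), the caller can read SYSVOL, the GroupPolicy module is optional.
function Get-GppCPasswordItem {
    [CmdletBinding()]
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        # Point this at an offline copy of the Policies folder to scan a backup instead
        [string]$PoliciesPath = "\\$Domain\SYSVOL\$Domain\Policies"
    )

    # GPP XML files that can embed a cpassword attribute
    $gppFiles = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'
    # The account attribute is named differently per preference type (attribute names are case-sensitive in XML)
    $accountAttrs = 'userName','username','accountName','runAs'

    # Optional: map {GUID} policy folders to GPO display names when RSAT is installed
    $gpoNames = @{}
    if (Get-Module -ListAvailable -Name GroupPolicy) {
        Import-Module GroupPolicy -ErrorAction SilentlyContinue
        Get-GPO -All -ErrorAction SilentlyContinue | ForEach-Object {
            $gpoNames["{$($_.Id)}".ToUpper()] = $_.DisplayName
        }
    }

    Get-ChildItem -Path $PoliciesPath -Recurse -File -Filter '*.xml' -ErrorAction SilentlyContinue |
        Where-Object { $gppFiles -contains $_.Name } |
        ForEach-Object {
            $file = $_
            try { [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop }
            catch { Write-Warning "Could not parse $($file.FullName): $_"; return }

            # The GPO GUID is the {GUID} folder directly under Policies
            $guid = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $matches[0].ToUpper() } else { '' }

            # Every Properties element with a non-empty cpassword is a finding,
            # regardless of whether the parent item has been disabled in GPMC
            foreach ($props in $doc.SelectNodes('//Properties[@cpassword!=""]')) {
                $item = $props.ParentNode
                $account = ''
                foreach ($attr in $accountAttrs) {
                    if ($props.GetAttribute($attr)) { $account = $props.GetAttribute($attr); break }
                }
                [pscustomobject]@{
                    GpoGuid        = $guid
                    GpoName        = $gpoNames[$guid]
                    PreferenceType = $item.LocalName                  # User, NTService, Task, DataSource, Drive, Printer ...
                    ItemName       = $item.GetAttribute('name')
                    Account        = $account
                    Action         = $props.GetAttribute('action')    # C/R/U/D as set in the preference
                    ItemDisabled   = ($item.GetAttribute('disabled') -eq '1')
                    File           = $file.FullName
                }
            }
        }
}

# Usage: list what is still stored in SYSVOL; the environment is clean when this prints nothing.
Get-GppCPasswordItem | Format-Table GpoName, PreferenceType, ItemName, Account, Action, ItemDisabled -AutoSize
```

The ItemDisabled and Action columns show why step 5 of the procedure matters: setting the item to Disable or Delete (the greyed-out state seen in GPMC) changes those attributes but leaves the cpassword attribute in the XML on SYSVOL, so the item keeps appearing in the scan until the preference itself is deleted. The scan reports only what is stored in SYSVOL, so resetting the affected accounts' passwords does not change its output; deleting the preference does.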
Shaun Vermaak, Senior Consultant
CERTIFIED EXPERT
Awarded 2017
Distinguished Expert 2019
Commented:
Nitin Pandey, Infrastructure Engineer (Author)

Commented:
Thanks Shaun. Well, that was a screenshot from Google. Removed it anyhow.
