Group Policy Blog

Hijacking Administrative Templates

As I think about Group Policy as a target for attackers, there are many obvious avenues to take advantage of a poorly protected GP infrastructure. I’ve written about many of these here: Sending GPOs Down the Wrong Track–Redirecting the GPT; Group Policy Security–Tinkering with External Paths; Protecting Active Directory–Making AD and Group Policy Less […]

What Does Group Policy Do When It Can’t Contact a DC?

The title of this blog tells it all. I got asked the question: what happens to GP processing when a client machine isn’t on the network and can’t connect to its domain’s Domain Controllers (DCs)? Does policy get removed? Does it just stay where it is? Can I temporarily override policy by editing the local GPO? […]

Sending GPOs Down the Wrong Track–Redirecting the GPT

As this blog title implies, this is a bit of a science experiment. Many years ago I played around with this idea that there is nothing in the GP infrastructure that REQUIRES you to use SYSVOL to store the settings files that compose most in-the-box policy areas. At the time, I recall not being able […]

Group Policy Security– Tinkering with External Paths

If you’ve been following this blog, you know that about 2 and a half years ago, I started talking about Group Policy’s precarious role in the typical enterprise’s security posture. Many, if not most, AD shops use GP to perform security hardening on their Windows desktops and servers. This includes everything from tweaking OS settings to […]

Performing a Denial of Service on AD–How Hard Is it Really?

I was motivated to write this post based on a vendor blog I read recently that talked about ways to maliciously perform what amounted to a denial of service attack on AD. Ostensibly the post was designed to sell software, which I don’t begrudge, but it got me thinking: how easy is this to do, […]

Protecting Active Directory–Making AD and Group Policy Less “Visible” to Attackers

A couple of weeks ago, I gave a webinar for Semperis, on the topic of protecting AD from attackers. I presented 5 tips on the things you can do within your AD and Windows environments, to protect against “information exposure” that might allow an attacker to find paths of higher privilege within your AD environments. […]

Sick of WannaCry? Don’t Read This…

I saw a humorous tweet today that said something to the effect that the number of blog posts about the recent “WannaCry” ransomware attack has now exceeded the number of infected machines. I am loath to add truth to that saying, but I, of course, have something to say about it, so here we go… […]

Group Policy as Malware Delivery System

While the title to this post may sound a bit scary or ominous, the subject of this post is definitely real. A fellow IT guy whom I’ve known for many years alerted me to a situation he came across in an IT shop he was helping. Namely, the customer’s computers got infected with a ransomware virus, which […]

Security Fun: Bloodhound, MS16-072 and GPO Discoverability

I had a chance to attend my first BlackHat/Defcon conference last week in Las Vegas. I also attended the very excellent BSides conference, happening concurrently. Besides being shaken to my core from the skills demonstrated during the week :-), I got a chance to see some excellent talks related to Windows security and some super […]

MS16-072 – GP Permissions and an overview

Hello Group Policy fans, enthusiasts, happy people! Darren and I had a quick discussion about his script to remediate the problems created by applying MS16-072 and GP processing. Read Darren’s previous post for context, but here is a recording of our discussion. Have a good day and happy troubleshooting! Kevin