Group Policy Blog

Hijacking Administrative Templates

As I think about Group Policy as a target for attackers, there are many obvious avenues to take advantage of a poorly protected GP infrastructure. I’ve written about many of these here: Sending GPOs Down the Wrong Track–Redirecting the GPT; Group Policy Security–Tinkering with External Paths; Protecting Active Directory–Making AD and Group Policy Less […]

What Does Group Policy Do When It Can’t Contact a DC?

The title of this blog tells it all. I got asked the question–what happens to GP processing when a client machine isn’t on the network and can’t connect to its domain’s Domain Controllers (DCs)? Does policy get removed? Does it just stay where it is? Can I temporarily override policy by editing the local GPO? […]

Sending GPOs Down the Wrong Track–Redirecting the GPT

As this blog title implies, this is a bit of a science experiment. Many years ago I played around with the idea that there is nothing in the GP infrastructure that REQUIRES you to use SYSVOL to store the settings files that compose most in-the-box policy areas. At the time, I recall not being able […]

Group Policy Security– Tinkering with External Paths

If you’ve been following this blog, you know that about 2 and a half years ago, I started talking about Group Policy’s precarious role in the typical enterprise’s security posture. Many, if not most, AD shops use GP to perform security hardening on their Windows desktops and servers. This includes everything from tweaking OS settings to […]

Speaking in Chicago Next Month!

Hey folks! Just a quick note that I’m giving a talk next month in Chicago. This is a follow-on to the Semperis Hybrid Identity Protection (HIP) Conference that I spoke at last November. This Chicago “Tech Day” event is a one-day event on March 13th in downtown Chicago, featuring a number of great speakers! I’ll […]

Group Policy Storage Whitepaper Updated!

Hey Folks. It’s been too long since I posted here, so I thought I’d break my fast by posting something a bit meaty. Many moons ago, I created a whitepaper, which is on the Gpoguy portion of this site, that described how and where the various areas in Group Policy stored their settings. I finally, […]

Elevating AD Domain Access With Write Access on the Domain NC Head

With this post and my last post, I guess I’m on a path of finding interesting ways to “break” AD. The last post related to AD denial of service and this one relates to an interesting way to get to privileged access on AD by gaining what would seem to be completely unrelated access on […]

Performing a Denial of Service on AD–How Hard Is it Really?

I was motivated to write this post based on a vendor blog that I read recently, that talked about ways to maliciously perform what amounted to a denial of service attack on AD. Ostensibly the post was designed to sell software, which I don’t begrudge, but it got me thinking–how easy is this to do, […]

Protecting Active Directory–Making AD and Group Policy Less “Visible” to Attackers

A couple of weeks ago, I gave a webinar for Semperis, on the topic of protecting AD from attackers. I presented 5 tips on the things you can do within your AD and Windows environments, to protect against “information exposure” that might allow an attacker to find paths of higher privilege within your AD environments. […]

How To Think About Windows Group Policy–An Infrastructure Architect’s Take

Long before I got into the software business, and even during that time, I was first and foremost, an IT guy. I have spent nearly 20 years of my 30+ years in technology in IT–mostly in large organizations. Much of that time, I worked as an infrastructure architect, focusing on how to maintain and improve […]