A couple of weeks ago, I gave a webinar for Semperis on the topic of protecting AD from attackers. I presented 5 tips on the things you can do within your AD and Windows environments to protect against “information exposure” that might allow an attacker to find paths to higher privilege within your AD environment. If you’ve been a longtime reader of my blog, you know that this has been a topic of high interest to me since I first wrote about the excellent tool BloodHound, which uses information within AD and your Windows environment, along with a graph engine, to find lateral movement paths to highly privileged (e.g. Domain Admins) access. Indeed, I’ve talked about this mostly in the context of Group Policy, and that is a part of the story, but there is certainly a broader story here that encompasses AD and your Windows systems in general, along with GP, and that’s what I cover in this webinar. But I do also focus on the GP angle of this and introduce a new PowerShell script to help you lock down your GPOs.
A New GP Script
In the webinar, I gave 5 tips (and a bonus one) that sought to directly address the common paths that tools like BloodHound seek to exploit today. One of those relates to finding GPOs that contain settings that grant privileged access within your environment. There is a set of well-known policy areas that are commonly used in many environments to confer, for example, local admin access across workstations and desktops (e.g. Restricted Groups policy or GP Preferences Local Users and Groups) or user rights that confer admin-level privileges on systems (e.g. User Rights Assignment). GPOs that implement these policy areas, I’ve argued in the past, should not be “world-readable”. In other words, if you saw a delegation that included “Authenticated Users” with Read or Read/Apply permissions on one of these GPOs, then you were inviting a potential attacker to easily find and read them, and to determine which users and groups you had granted privileged access to, and on which systems. As a result, I created a new PowerShell script called “Get-VulnerableGPO” that uses the GP Settings parser in my GPMC PowerShell module 2.0 to identify GPOs that contain these settings and are world-readable, so that you can find them and lock them down.
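The check described above, written as an added audit example that is not the Get-VulnerableGPO script and does not use the SDM GPMC module; it relies only on the built-in GroupPolicy module, and the XML element names it looks for (RestrictedGroups, UserRightsAssignment, LocalUsersAndGroups), the GpoRead/GpoApply permission names, and the choice to also treat Everyone (S-1-1-0) as “world” are assumptions that should be confirmed against one of your own GPO XML reports:

```powershell
# Added example, not the page's Get-VulnerableGPO script. Requires the RSAT
# GroupPolicy module and a domain-joined session that can read all GPOs.
Import-Module GroupPolicy

# Element names (assumed from the Get-GPOReport XML schema) that mark the
# privilege-granting policy areas discussed in the post.
$PrivilegedSettingElements = @(
    'RestrictedGroups',       # Security Settings > Restricted Groups
    'UserRightsAssignment',   # Security Settings > User Rights Assignment
    'LocalUsersAndGroups'     # GP Preferences > Local Users and Groups
)
# "World-readable" here means Authenticated Users (S-1-5-11) or Everyone (S-1-1-0).
$WorldSids = @('S-1-5-11', 'S-1-1-0')

function Find-WorldReadablePrivilegedGpo {
    [CmdletBinding()]
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # The XML report is returned as a string; elements carry a namespace
        # prefix (e.g. <q1:RestrictedGroups>), so the prefix is made optional.
        $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $Domain
        $found  = $PrivilegedSettingElements | Where-Object { $report -match "<(\w+:)?$_\b" }
        if (-not $found) { continue }   # nothing sensitive in this GPO, move on

        # Any world principal holding Read or Read/Apply makes the GPO discoverable.
        $worldRead = Get-GPPermission -Guid $gpo.Id -All -Domain $Domain |
            Where-Object {
                $_.Trustee.Sid.Value -in $WorldSids -and
                ([string]$_.Permission) -in @('GpoRead', 'GpoApply')
            }
        if ($worldRead) {
            [pscustomobject]@{
                GpoName    = $gpo.DisplayName
                GpoId      = $gpo.Id
                Settings   = $found -join ', '
                ReadableBy = ($worldRead | ForEach-Object {
                                 "$($_.Trustee.Name) ($($_.Permission))" }) -join '; '
            }
        }
    }
}

# List the offenders; remediate each with Set-GPPermission rather than blindly
# stripping Authenticated Users, since the computers the GPO targets still need Read.
Find-WorldReadablePrivilegedGpo | Format-Table -AutoSize
```

When you tighten the ACL on a flagged GPO, keep Read (and Apply, where needed) for the specific computer or user groups it must still apply to, otherwise the policy silently stops applying.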
In the webinar, I introduce the Get-VulnerableGPO script mentioned above. You can view a recording of the webinar here, which includes not only tips for locking down GP, but also guidance on hardening AD and your Windows environment in general to minimize information exposure.