Microsoft Hardens GPO by Fixing Two Serious Vulnerabilities.

Published: 2015-02-11
Last Updated: 2015-02-11 16:15:22 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Microsoft released more details about two vulnerabilities patched on Tuesday. Both patches harden Microsoft's group policy implementation. [1]

Group policy is a critical tool to manage larger networks. Not just enterprises, but also a lot of small and medium size businesses depend on group policies to implement and enforce baseline configurations. With the ability to manage systems remotely comes the risk of someone else impersonating and altering these group policies.

Windows can be configured to retrieve a remote login script whenever the user logs in. Whenever the user logs in, the system attempts to run this script, even if the system is connected to a "foreign" network (e.g. Coffee Shop, SANS Conference Hotel Network ...). The attacker could now observe these requests, and setup a server to respond to them and deliver a malicious file. The victim will (happily?) execute the file.

You would think that this should fail, as the attacker's server can not be authenticated. However, it turns out that if the client can't find a server that supports authentication, it will fall back to one that does not support any authentication mechanisms. After the patch is applied, the client will require that the server supports methods for the client to verify the server's authenticity.

The second bug patched affected systems that were not able to receive a policy, or systems that received a corrupt policy. In this case, the system would revert to a default configuration, which may not include some of the protections the actual configuration provided. 

MS15-011 is a "must apply" patch for any system traveling and connecting to untrusted networks. For internal systems, this is less of a problem, but should not be ignored either as it may be used for lateral movement inside a network. But even then, the attack is more difficult as it competes with the legitimate server.

For more details, please refer to the Microsoft blog.



Johannes B. Ullrich, Ph.D.

Keywords: gpo microsoft patches
2 comment(s)


Did everyone catch that MS15-011 does not only require that you install it, but that you also configure settings in group policy? A quote from the Microsoft Bulletin: "To be protected from the vulnerability described in this bulletin, additional configuration by a system administrator is required in addition to deploying this security update. For more information about this update, see Microsoft Knowledge Base Article 3000483."

Here's the link to the article describing the group policy changes required:
I'm a bit surprised that much of the talk about the MS15-011 patch isn't highlighting the fact that it is not just a patch. If you use GPOs, you also need to make and push a policy change to enable the UNC Hardened Access. The config change is described in the 3000483 KB article.

Diary Archives