Group Policies are part of every Active Directory. Group Policy (GP) is designed to change the configuration of every system, from the least to the most privileged layer. Because it is so fundamental to network management, it is also a very powerful attack vector.
Attackers can use GP to gain elevated access through compromised user accounts, to move laterally, to expand their scope of infection, and to stay stealthy. Although it is a severe threat to the organization, the GP management method is often 'set and forget'. Managing such a powerful tool that way is a paradox. This blog will shed some light on GP as an attack vector and on mitigation methods that should be implemented in every organization.
What makes Group Policies an appealing target for attackers:
The basic properties of GP are the reason why it is such an attractive target.
- It exists in every Active Directory, which means it exists in almost every organization.
- It provides both access and control to every system (servers, Domain Controllers, endpoints, etc.).
- It covers every task possible.
- It can easily be used to discover group policies and Organizational Units (OUs).
- Attackers abusing GP can easily remain stealthy while maintaining control over systems.
Examples of How Attackers Can Access GPs:
- The attacker gains access to an account with 'write' or admin permissions to a GPO. Every domain user can read AD and see the group policies, so an attacker can do reconnaissance (using free tools such as BloodHound) and map your network and domains. Once accounts or groups with 'write' access to a GPO are identified, the attacker can target them.
- Leveraging inheritable permissions. Attackers can use the 'allow inheritable permissions' option to allocate domain admin rights without being discovered.
- Getting access to systems management accounts. These platforms (such as SCCM) have an admin account that has the right to manage the entire platform. Once the attacker gets access to such an account, they can control everything through it.
Once an attacker gains access to a privileged GP account, they can basically do whatever they want. For example, they can add new local admin accounts; create scheduled tasks that, for example, download malware; modify or allocate user rights; copy files; etc.
5 Things You Can Do to Mitigate GPO Attacks:
Know your GPOs!
Attackers use network mapping techniques as the first step of their attack, but the same technique can also be used for mitigation. Knowing and reassessing access to your GPOs is essential to prevent security risks, including the threat posed by anonymous enumeration of SAM due to misconfigured policies. Free tools such as BloodHound can help you understand who has access to a GPO and who inherits access. This will help you spot potential lateral movement paths and reevaluate whether your current state follows a 'least privilege' model.
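As an added example (not code from the original post or from CalCom), the following PowerShell inventories who holds edit rights on every GPO in the domain and flags trustees outside an assumed baseline. It needs the GroupPolicy RSAT module and a domain account that can read GPO security; the baseline list is an assumption to adjust for your environment.

```powershell
# Added example: report which trustees can modify each GPO and flag the unexpected ones.
Import-Module GroupPolicy

# Trustees that normally hold edit rights on GPOs (assumed baseline; adjust to your domain).
$ExpectedEditors = @(
    'Domain Admins',
    'Enterprise Admins',
    'SYSTEM',
    'ENTERPRISE DOMAIN CONTROLLERS'
)

# Permission levels that allow changing a GPO's contents or its ACL.
$EditLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

function Get-GpoEditorReport {
    foreach ($gpo in Get-GPO -All) {
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            if ($perm.Permission -notin $EditLevels) { continue }
            [pscustomobject]@{
                GPO         = $gpo.DisplayName
                Owner       = $gpo.Owner            # the owner can always rewrite the ACL
                Trustee     = $perm.Trustee.Name
                TrusteeType = $perm.Trustee.SidType
                Permission  = $perm.Permission
                Unexpected  = ($perm.Trustee.Name -notin $ExpectedEditors)
            }
        }
    }
}

$report = Get-GpoEditorReport

# Unexpected editors first: these are the delegations to review, justify or remove.
$report |
    Sort-Object -Property @{ Expression = 'Unexpected'; Descending = $true }, 'GPO' |
    Format-Table -AutoSize

# Keep a dated copy so the next run can be compared against it.
$report | Export-Csv -NoTypeInformation -Path ("GpoEditors-{0:yyyyMMdd}.csv" -f (Get-Date))
```

Group trustees such as 'Domain Admins' should be expanded (for example with Get-ADGroupMember -Recursive) to see the actual accounts that inherit the edit right, which is the same path BloodHound draws.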
Monitor undesired changes in your GPOs:
In order to detect suspicious activity in your GPOs, you must monitor the assignments. This is difficult to do with native tools alone. You can audit your security logs for changes in your GPOs, but you won't get any information about the change itself, and discovering which policy was changed is complex. It is recommended to use third-party tools to monitor these changes.
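To show what native auditing does and does not give you, here is an added example (not from the original post) that pulls GPO object changes from a domain controller's Security log. It assumes the 'Audit Directory Service Changes' subcategory is enabled and the Policies container carries a SACL that audits writes; the computer name and time window are parameters you choose.

```powershell
# Added example: list GPO container changes recorded by directory service auditing.
Import-Module GroupPolicy

function Get-GpoChangeEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,        # run against a domain controller
        [datetime]$StartTime  = (Get-Date).AddDays(-1)
    )
    # 5136 = directory object modified, 5137 = created, 5141 = deleted
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = $StartTime }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Only GPO objects (CN={GUID},CN=Policies,CN=System,...) are of interest here.
        if ($data['ObjectClass'] -ne 'groupPolicyContainer') { continue }

        # Resolve the GUID in the DN to the GPO's display name where it still exists.
        $name = $null
        if ($data['ObjectDN'] -match '^CN=\{([0-9A-Fa-f-]+)\}') {
            $name = (Get-GPO -Guid $Matches[1] -ErrorAction SilentlyContinue).DisplayName
        }

        [pscustomobject]@{
            Time      = $event.TimeCreated
            EventId   = $event.Id
            Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Gpo       = if ($name) { $name } else { $data['ObjectDN'] }
            Attribute = $data['AttributeLDAPDisplayName']   # e.g. versionNumber, gPCFileSysPath
            Value     = $data['AttributeValue']
        }
    }
}

Get-GpoChangeEvents | Sort-Object Time | Format-Table -AutoSize
```

The output tells you who touched which GPO and when (typically a bump of versionNumber), but the setting that actually changed lives in the SYSVOL files, which is exactly the gap the paragraph above describes.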
Have the ability to revert changes:
Keeping track of desired changes is hard enough, so the ability to revert changes matters for basic GPO and configuration management. When it comes to undesired, malicious changes, this ability is critical. Since organizations usually set and forget their GPOs, once an attacker changes a GPO it is often hard to tell what the policy was before the change in order to revert it. You can manually back up your current state so that you can revert it yourself after a change. This requires manual work that people often don't do, but it is possible.
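As an added example (not from the original post), this script makes the manual backup described above repeatable: it takes a dated backup of all GPOs with a manifest of their modification stamps, and later lists the GPOs modified or created since that backup so they can be restored from it. The backup root path is an assumption.

```powershell
# Added example: dated GPO backup plus a "what changed since" check used to drive Restore-GPO.
Import-Module GroupPolicy

function New-GpoSnapshot {
    param([string]$Root = 'D:\GPOBackups')   # assumed location; keep it off the DCs and write-restricted
    $dir = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmm')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Backup-GPO -All -Path $dir | Out-Null
    # The manifest records the modification time each GPO had when it was backed up.
    Get-GPO -All |
        Select-Object DisplayName, Id, ModificationTime |
        Export-Csv -NoTypeInformation -Path (Join-Path $dir 'manifest.csv')
    return $dir
}

function Get-GpoChangedSince {
    param([Parameter(Mandatory)][string]$SnapshotDir)
    $baseline = @{}
    Import-Csv (Join-Path $SnapshotDir 'manifest.csv') |
        ForEach-Object { $baseline[$_.Id] = [datetime]$_.ModificationTime }

    foreach ($gpo in Get-GPO -All) {
        $id = $gpo.Id.ToString()
        if (-not $baseline.ContainsKey($id)) {
            [pscustomobject]@{ GPO = $gpo.DisplayName; Id = $gpo.Id; Status = 'CreatedAfterSnapshot' }
        } elseif ($gpo.ModificationTime -gt $baseline[$id]) {
            [pscustomobject]@{ GPO = $gpo.DisplayName; Id = $gpo.Id; Status = 'ModifiedAfterSnapshot' }
        }
    }
}

# Usage: take the snapshot during a known-good state ...
$snap = New-GpoSnapshot
# ... and after a suspected change, review what moved before deciding to roll back.
Get-GpoChangedSince -SnapshotDir $snap | Format-Table -AutoSize
# Restore only the GPOs you have reviewed, e.g.:
# Get-GpoChangedSince -SnapshotDir $snap | Where-Object Status -eq 'ModifiedAfterSnapshot' |
#     ForEach-Object { Restore-GPO -Guid $_.Id -Path $snap }
```

Restore-GPO brings back the GPO's settings and security filtering but not its links or WMI filter, so record those separately (Get-GPOReport -ReportType Xml includes the links) before you rely on the backup.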
Consider not utilizing native delegations:
Native delegation is usually forgotten once it is set, which leads organizations to not even know what they are delegating. You need to either develop a reporting method to keep track of the delegations, or use a proxy that documents them and produces reports, so that users cannot misuse them unnoticed. Consider avoiding native delegations, particularly for critical settings such as 'password age', and opt for a more controlled delegation model.
Have a good change management procedure - the most important!
If you don't know what changes were made and what their impact is, you have no chance of identifying malicious activity. You have to audit and verify that only approved changes were made. But this is easier said than done. As this is the most important mitigation action, it is also the hardest to implement, and it almost always requires a third-party tool.
How CHS by CalCom can help you protect the operating system of your servers from GPO attacks:
CHS eliminates the need to use GPOs to implement policies on your servers. It enforces your policy on the servers from a central control point, following a 'least privilege' model in which only a single account holds privileges that could be harmful in the wrong hands.
CHS will also monitor and prevent undesired changes. Once a user tries to make a change that breaks the policy, this change is prevented and you get a notification. This allows you to check if this was an innocent mistake by a legitimate user, or an attacker trying to perform an attack.
CHS has a rollback option for your previous policies. With a click of a button, you can apply older policies to your entire infrastructure.
CHS also eases your change management. Since you control your entire infrastructure from a single point (preventing configuration drift) and everything is documented and backed up, it is easy to control the changes made to the policy. In addition, CHS automatically checks the impact of every change you want to implement on your production environment before you enforce it. CHS reports the possible impact of every policy change, eliminating the need to check it yourself in a test environment and saving time and effort while reducing the risk of outages.