Change local administrator passwords with Group Policy Preferences

Okay, this is an update on the earlier suggestion to use Group Policy Preferences (GPP) to push passwords. Looking at the underlying implementation, you can see that it isn't as secure as it may look at first.

The passwords are encrypted with a 256-bit AES key. As AES is a symmetric encryption algorithm, the key used to encrypt the passwords is the same as the key used to decrypt them. The second thing is that the XML files the encrypted passwords are stored in live on the SYSVOL share, where all "Authenticated Users" have read access. So if I have the key that is used for encryption/decryption, I can read every password you have pushed with GP Preferences.

So: it is not recommended to use GP Preferences to set passwords for service or administrative accounts.

Yeah, you can do that. It’s a pretty easy thing to do.

Here we go: Navigate to Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups, right-click, New, Local User. The "New Local User Properties" window pops up. This is the place to make the changes.

As action, we leave "Update". From the "User name" box, we choose the predefined "Administrator (built-in)". We could now go and rename it, but we'll leave it here with "Administrator" as its name. To improve the machine's security, you might want to rename it after all. That prevents people from trying to "hack" the Administrator by pressing CTRL+ALT+DEL and guessing passwords. Renaming the Administrator won't help you lock out scripts and applications that try to do evil things with the Administrator account, at least not the smart ones, since they look the account up by its well-known RID rather than its name.

Anyway, the real point is that you need to type in a new password and then confirm it. Be sure to clear the "User must change password at next logon" box; otherwise you could lock out the Administrator account and any services configured to run under it. Clicking OK creates the preference.

Now, how is the password stored and how is it secured? You surely know that GPP uses XML to store its settings. Using GPMC you can view the GUID of your policy. To have a look at the XML file the preference created, you need to navigate to the location where it is stored:

\\servername\SYSVOL\domain.tld\Policies\{policyGUIDgoeshere}\Machine\Preferences\Groups. The XML file is called Groups.xml and, once opened, has the following content:

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)" image="2" changed="2008-08-15 09:58:38" uid="{20C531C7-1652-496D-AFBA-29BAFFA3D739}">
    <Properties action="U" newName="" fullName="" description="" cpassword="wWHINHyXsbFOBhpQ/fMKJwEEg3Ko0Es+RskCj/W6F8I" changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
  </User>
</Groups>

As you can see, there is an attribute called "cpassword". Looking at the value in my file, I can say the password at least isn't stored in clear text, which is a good thing. How is it stored then? According to a recent Group Policy Team Blog posting, not only the "Local Users and Groups" password but all passwords created and processed by Group Policy Preferences are encrypted with 256-bit AES. Good to know!
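Because the files live on a share every authenticated user can read, the practical first step for a defender is to find out which policies still carry a cpassword at all. The following Python script is an added example (not code from the original post) that walks a SYSVOL-style directory tree, parses every XML file below a Policies folder, and reports each element whose cpassword attribute is non-empty, together with the GPO GUID, the affected account and the size of the stored ciphertext. The Groups.xml content is modelled on the file shown above; the second "clean" file, the directory layout and the GPO GUIDs are constructed for the example. No key is involved: the script only reports where encrypted passwords are stored so they can be removed.

```python
"""Audit a SYSVOL-style tree for Group Policy Preference items that still
carry a cpassword attribute. Added example, not code from the original post;
the directory tree, GPO GUIDs and the second XML file are constructed."""
import base64
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Groups.xml shown in the post
# (the cpassword value is the one quoted there).
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)"
        image="2" changed="2008-08-15 09:58:38" uid="{20C531C7-1652-496D-AFBA-29BAFFA3D739}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="wWHINHyXsbFOBhpQ/fMKJwEEg3Ko0Es+RskCj/W6F8I"
                changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0"
                subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
  </User>
</Groups>
"""

# Constructed: the same item after the password was removed from the
# preference (empty cpassword); an audit should report this file as clean.
SAMPLE_CLEAN_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)">
    <Properties action="U" cpassword="" acctDisabled="1" userName="Administrator (built-in)"/>
  </User>
</Groups>
"""

# Policy folders under SYSVOL\<domain>\Policies are named by GPO GUID.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def ciphertext_length(cpassword):
    """Byte length of the stored ciphertext. cpassword is base64 with the
    '=' padding stripped, so restore it before decoding. AES works on
    16-byte blocks, so a well-formed value decodes to a multiple of 16."""
    padded = cpassword + "=" * (-len(cpassword) % 4)
    return len(base64.b64decode(padded))


def audit_xml(text, path="<string>"):
    """Return one finding per element whose cpassword attribute is non-empty."""
    findings = []
    gpo = GUID_RE.search(path)
    for elem in ET.fromstring(text).iter():
        cpassword = elem.get("cpassword")
        if not cpassword:  # attribute absent or empty: nothing stored
            continue
        findings.append({
            "file": path,
            "gpo": gpo.group(0) if gpo else None,
            "element": elem.tag,
            # Groups.xml uses userName; other preference types name the account differently
            "account": elem.get("userName") or elem.get("accountName") or elem.get("name"),
            "action": elem.get("action"),
            "ciphertext_bytes": ciphertext_length(cpassword),
        })
    return findings


def audit_sysvol(root):
    """Walk every .xml file below a Policies folder (other preference types
    can carry cpassword too, not only Groups.xml) and collect the findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "Policies" not in dirpath.split(os.sep):
            continue
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    findings.extend(audit_xml(fh.read(), path))
            except ET.ParseError:
                # A file an auditor cannot parse still deserves a look.
                findings.append({"file": path, "error": "not well-formed XML"})
    return findings


def build_sample_tree():
    """Create a constructed SYSVOL layout: one GPO that stores a password
    and one that does not. Returns the SYSVOL root directory."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    policies = os.path.join(root, "example.test", "Policies")
    layout = {  # constructed GPO GUIDs, not real policy ids
        "{00000000-0000-0000-0000-000000000001}": SAMPLE_GROUPS_XML,
        "{00000000-0000-0000-0000-000000000002}": SAMPLE_CLEAN_XML,
    }
    for guid, xml_text in layout.items():
        folder = os.path.join(policies, guid, "Machine", "Preferences", "Groups")
        os.makedirs(folder)
        with open(os.path.join(folder, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(xml_text)
    return root


if __name__ == "__main__":
    for finding in audit_sysvol(build_sample_tree()):
        print(finding)
```

Pointed at a real SYSVOL share (for example via a mounted path), `audit_sysvol` gives a list of policies to clean up: the remediation is to delete the password from the preference item (which leaves cpassword empty, as in the second sample) and change the affected account's password, since anything that was ever written there should be considered exposed to every domain user.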

9 Comments so far

  1. Anon on September 17th, 2009

    What sort of key is used for this encrypted data? Is it the raw password that is encrypted, or a hash?

    Is the key the password? In which case what is the plain text?

  2. florian on September 17th, 2009

    Hey Anon,

    I haven't looked into the specifics — the product group didn't tell us either. I would have to look into the source code to check that, but I believe it's the raw password that is encrypted with the "public" key.

    Cheers,
    Florian

  3. Anon on September 23rd, 2009

    I wonder which DLL stores encryption/decryption, might have to disassemble the GPMC files. Just so I know how secure it is.

  4. florian on September 23rd, 2009

    You won’t find that part of the code in GPMC as it’s only used for GP administration.

    You’d have to dig through GP Preference CSEs for that.

    Cheers,
    Florian

  5. Anon on September 25th, 2009

    Found code in there which relates to cpassword; will disassemble when I get home and keep you posted.

  6. StuartH on November 4th, 2009

    Did you find out how this was encrypted/decrypted? How is the key derived? If you changed the password, then of course the hash in the XML will change... but will the key change if you update the password at a later date, or is the same key used time and time again?

  7. florian on November 4th, 2009

    As far as I can tell, it is a _static_ key that is used throughout all de/encryptions. It doesn’t change over time.

  8. hack6500 on March 28th, 2012

    What makes this relevant is that the ALTERNATIVE is to use a clear text .bat file and the 'net' command to push the password to the machine. So ANY encryption is better than plain text! Contrasting THIS makes your solution MUCH BETTER!

  9. PeDrO on December 7th, 2012

    Hi all, the AES key is published by Microsoft itself:
    http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx#endNote2

    To understand the process of encryption/decryption see this:
    http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences

    Regards,
    PeDrO