Group Policy Preferences Vulnerability - Does Microsoft suggest that we delete or disable local administrator?

    Question

  • Hi,

    To address the Group Policy Preference vulnerability, my understanding of this article is that I should 1) change the local administrator password to some random password, 2) disable or delete the existing local administrator password, and 3) create a restricted group with the administrator group in there.

    https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati

    If that's the case, then is Microsoft suggesting completely getting rid of the local administrator account?

    I know there is LAPS as a solution for managing local admin passwords, but I was thinking of deleting the existing local administrator and creating a new one. But how do I do that enterprise-wide if the "Create New local Administrator" option is no longer available in GPP?

    My other question is: if I change the local administrator password on all my workstations now, does this alone address the vulnerability mentioned above?

    Thursday, June 14, 2018 8:09 PM

Answers

  • Hi,

    Thanks for posting in our forum.

    I assume that you have some misunderstanding about MS14-025.

    As the article mentioned:

    The vulnerability could allow elevation of privilege if Active Directory Group Policy preferences are used to distribute passwords across the domain - a practice that could allow an attacker to retrieve and decrypt the password stored with Group Policy preferences.

    https://docs.microsoft.com/en-us/security-updates/Securitybulletins/2014/ms14-025

    So, we should remove the stored passwords from the SYSVOL folder, and after installing the security update, entering a password in Group Policy preferences is no longer supported.

    Best Regards,

    William



    • Marked as answer by DoBongSoon Monday, June 18, 2018 4:15 PM
    Friday, June 15, 2018 2:01 PM
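
The cleanup the answer describes (removing stored passwords from SYSVOL) starts with knowing which preference files still hold one. The PowerShell below is an added example, not code from this thread or from Microsoft's article; the function name `Find-GppStoredPassword`, the sample `Groups.xml` and its attribute layout are constructed for illustration, and the function reports only where a stored password exists, never its value.

```powershell
# Added example: inventory GPP XML files that still carry a stored password.
# Read-only; it never decodes or prints the stored value.
function Find-GppStoredPassword {
    param(
        [Parameter(Mandatory)]
        [string]$PolicyRoot   # e.g. \\<domain>\SYSVOL\<domain>\Policies
    )
    Get-ChildItem -Path $PolicyRoot -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $xml  = New-Object System.Xml.XmlDocument
            try { $xml.Load($file.FullName) }
            catch { Write-Warning "Skipping unreadable XML: $($file.FullName)"; return }

            # Any element with a non-empty cpassword attribute is a finding.
            foreach ($node in $xml.SelectNodes('//*[string-length(@cpassword) > 0]')) {
                [pscustomobject]@{
                    File    = $file.FullName
                    Element = $node.LocalName
                    Item    = if ($node.ParentNode -is [System.Xml.XmlElement]) {
                                  $node.ParentNode.GetAttribute('name')
                              } else { '' }
                }
            }
        }
}

# Constructed sample: a temporary folder shaped like a GPO preference path.
$root    = Join-Path ([System.IO.Path]::GetTempPath()) ("gpp-demo-" + [guid]::NewGuid())
$prefDir = Join-Path $root '{00000000-0000-0000-0000-000000000000}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $prefDir -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin (constructed)">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-PLACEHOLDER" />
  </User>
  <User name="NoPassword (constructed)">
    <Properties action="U" userName="Other" cpassword="" />
  </User>
</Groups>
'@ | Set-Content -Path (Join-Path $prefDir 'Groups.xml') -Encoding UTF8

# Only the first User entry is reported; the empty cpassword is not a finding.
Find-GppStoredPassword -PolicyRoot $root | Format-Table -AutoSize
Remove-Item -Path $root -Recurse -Force
```

Any password found this way should be treated as exposed and changed after the preference item is removed, since the file was readable while it sat in SYSVOL.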

All replies

  • Thanks for the input! I appreciate it a lot.
    Monday, June 18, 2018 4:15 PM