+ Post New Thread
Results 1 to 5 of 5
Windows Server 2008 R2 Thread, MS14-025 Removing Passwords from GPP in Technical; Trying to diagnose some issues with a GPP Scheduled Task and I got sent to this: MS14-025 Seems that M$ ...
  1. #1
    Arcath's Avatar
    Join Date
    Feb 2009
    Location
    Lancashire
    Posts
    972
    Thank Post
    102
    Thanked 116 Times in 101 Posts
    Rep Power
    74

    MS14-025 Removing Passwords from GPP

    Trying to diagnose some issues with a GPP Scheduled Task and I got sent to this: MS14-025

    Seems that M$ have decided that you cant store passwords in group policy any more and haven't given us any alternative. More than a little annoying I have loads of tasks that run installers etc... as administrator that are now un-editable and not viable.

    Seems a bit harsh, what was wrong with the little message box saying that if a user got into your SYSVOL folder they would be able to un-hash the password? I understood the risks and accepted them, now I have no choice and no way of running programs and users other than SYSTEM or the currently logged in user.

  2. Thanks to Arcath from:

    Michael (3rd July 2014)

  3. #2

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,261
    Thank Post
    240
    Thanked 1,568 Times in 1,250 Posts
    Rep Power
    340
    Thanks for this. It appears existing tasks are kept 'as is', but new tasks only allow you to specify the domain\username. Maybe the password isn't required at all?

  4. #3

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,261
    Thank Post
    240
    Thanked 1,568 Times in 1,250 Posts
    Rep Power
    340
    What's interesting is Microsoft are saying SYSVOL is encrypted using 32 Byte AES which is weak, so why not just change or increase the encryption level I wonder?

  5. #4

    Gatt's Avatar
    Join Date
    Jan 2006
    Posts
    6,658
    Thank Post
    858
    Thanked 646 Times in 429 Posts
    Rep Power
    498
    Curiously the KB Article ID (2962486) Doesn't show in the likes of SCCM 2012
    Was going to pull the update from our SUP deployments for the meantime until we'd assessed it - so I suspect MS are sneaking it in with another update!

  6. #5

    Gatt's Avatar
    Join Date
    Jan 2006
    Posts
    6,658
    Thank Post
    858
    Thanked 646 Times in 429 Posts
    Rep Power
    498
    I'm getting a little worried about the Microsoft bods...

    Several of the Group Policy Preferences allow credentials to be specified. When this option is used, the password is symmetrically encrypted using a static key and written to the XML file along with the rest of the settings. What is this key you ask? It turns out, we document it on MSDN :2.2.1.1.4 Password Encryption.
    Sources: MS14-025: An Update for Group Policy Preferences - Security Research & Defense - Site Home - TechNet Blogs

    (emphasis = mine)

SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 1
    Last Post: 17th January 2011, 02:36 PM
  2. How Do I Remove Items From The System Tray.
    By tickmike in forum Windows
    Replies: 13
    Last Post: 6th September 2006, 10:32 PM
  3. Bulk Remove Users from OU?
    By indiegirl in forum How do you do....it?
    Replies: 11
    Last Post: 17th August 2006, 03:23 PM
  4. Transfer Accounts & Passwords from NT4 PDC to Server 2003
    By OutToLunch in forum How do you do....it?
    Replies: 11
    Last Post: 24th July 2006, 02:03 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •