Domain Login Introduces Insecurity

The Network: A business school with 3,000 students in New England; 200+ servers and 500+ workstations. Microsoft Windows is the dominant OS.

The Expectation: Laptops provided to faculty and staff are secure; these laptops tend to be mobile and connect to college resources from off-campus locations. To do so they authenticate against Windows Server 2012 R2-based Active Directory Domain Controllers.

The Catch: MS15-011 was released on Feb 10, 2015. This update for Group Policy processing corrects a weakness that can cause authenticating machines to download and run any scripts configured in the applicable GPO. The Domain Controllers were updated, but Group Policy was not hardened, thereby leaving authenticating machines (especially traveling laptops) exposed to exploitation.

The Find: Authenticating laptops reported that they were “configured to retrieve Group Policy files from a file share in an insecure way.”

The Fix: To close this vulnerability, the update must be applied on the Domain Controllers and the UNC Hardened Access feature enabled, whereby specific servers or shares are “tagged” with additional information that informs MUP and the UNC providers of security requirements beyond the UNC provider’s defaults. Merely running Windows Update on the Domain Controllers is not sufficient; Group Policy must also be hardened as described here.
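As an added example (not part of the original write-up), here is a PowerShell audit a client or a help desk can run on a domain-joined laptop to confirm the Hardened UNC Paths policy has actually reached it. The registry location and the value syntax are the ones Microsoft documents for this policy; the page itself does not list them, so they are stated here as an assumption from that guidance.

```powershell
# Audit of the "Hardened UNC Paths" policy behind the MS15-011 fix.
# Registry location and value syntax are the ones Microsoft documents for
# this policy (assumed here; not given on the page). RequireMutualAuthentication=1
# and RequireIntegrity=1 are the settings Microsoft's guidance expects for both shares.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# The two shares from which Group Policy processing pulls templates and scripts.
$RequiredShares = @('\\*\SYSVOL', '\\*\NETLOGON')

# Parse a value such as "RequireMutualAuthentication=1, RequireIntegrity=1"
# into a hashtable, tolerating spacing and case differences.
function ConvertFrom-HardenedPathValue {
    param([string]$Value)
    $flags = @{}
    foreach ($pair in ($Value -split ',')) {
        if ($pair.Trim() -match '^(?<name>[A-Za-z]+)\s*=\s*(?<val>\d+)$') {
            $flags[$Matches.name] = [int]$Matches.val
        }
    }
    return $flags
}

# Report whether one share is tagged with both required flags.
function Test-HardenedUncPath {
    param([string]$Share)
    $policy = Get-ItemProperty -Path $HardenedPathsKey -ErrorAction SilentlyContinue
    $raw = if ($policy) { $policy.PSObject.Properties[$Share].Value } else { $null }
    if (-not $raw) {
        return [pscustomobject]@{ Share = $Share; Value = $null; Hardened = $false }
    }
    $flags = ConvertFrom-HardenedPathValue $raw
    $hardened = ($flags['RequireMutualAuthentication'] -eq 1) -and
                ($flags['RequireIntegrity'] -eq 1)
    return [pscustomobject]@{ Share = $Share; Value = $raw; Hardened = $hardened }
}

# One line per share; any 'False' means the client still accepts Group Policy
# files over a connection without mutual authentication or signing, which is
# the insecure condition the laptops above were warning about.
$results = $RequiredShares | ForEach-Object { Test-HardenedUncPath $_ }
$results | Format-Table -AutoSize

if ($results.Hardened -contains $false) {
    Write-Warning ('Hardened UNC Paths not fully configured. Set the policy in the GPO under ' +
        'Computer Configuration > Administrative Templates > Network > Network Provider > ' +
        'Hardened UNC Paths, then run gpupdate /force on the client and re-run this audit.')
}
```

Run it after `gpupdate /force` so the result reflects the policy as delivered by the Domain Controllers, not a stale local copy.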

The Lesson: Merely configuring Windows Update may not be sufficient. An assessment of configuration defaults would have helped secure this network. This is another example of “Defense in Depth”.