How Hackers Exploit Group Policy Objects (GPOs) to Attack Your Active Directory

Psst! Want to know a great way to spread ransomware across a corporate network? Compromise the organization’s Group Policy.

Want to know a great way to cripple an organization’s defenses against data theft? Compromise Group Policy.

In fact, want to know a great way to essentially gain full control over an entire Active Directory domain? Compromise Group Policy.

Don’t worry — I’m not giving away any secrets to hackers. They already know all this. In fact, they’ve been actively exploiting this power feature of Active Directory to steal data, plant malware and otherwise undermine IT security for years. Want proof? Well, FireEye’s 2016 M-Trends report describes an attacker attempting to distribute ransomware through Group Policy objects (GPOs) way back in 2015, and there’s every reason to think similar Active Directory attacks were happening well before then.

Feeling a little behind in your defense strategy? Don’t despair. Here’s what you need to know to get started dramatically reducing your cybersecurity risk.

Why hackers target Group Policy

Hackers target Group Policy for two main reasons: it’s extremely powerful and it’s extremely vulnerable.

How powerful is it?

As you probably know, Group Policy enables centralized management of users and computers in any Microsoft Active Directory environment, and each group of related settings is called a Group Policy object. Here are just a few examples of the literally thousands of useful things you can do with them:

  • Lock an account after a certain number of incorrect passwords are entered.
  • Block unidentified users on remote computers from connecting to a network share.
  • Give all business users a standard set of bookmarks so they can easily reach your helpdesk or access other important resources.
  • Restrict access to certain folders.
  • Install the same software on all of your domain controllers (DCs).
  • Disable the command prompt on users’ machines.
  • Ensure Windows updates are applied promptly.
  • Disable use of the NTLM v1 authentication protocol (which is weaker than Kerberos).

It doesn’t take a great deal of imagination to see how GPOs can be abused to circumvent security controls and gain access to sensitive data. All you need to do is take the policies listed above and think of the reverse:

  • Allow unlimited attempts to guess an account password.
  • Allow unidentified users on remote computers from connecting to a network share.
  • Replace the standard set of bookmarks with links to malicious sites.
  • Allow access to folders with critical data.
  • Install malicious software on all of your DCs.
  • Enable the command prompt on users’ machines.
  • Stop applying Windows updates.
  • Enable use of the weaker NTLM v1 authentication protocol.

Any one of these changes could seriously damage your organization — and the change would propagate across the network within minutes or even seconds. If that’s not a powerful technology, I don’t know what is.

What makes it vulnerable?

The other factor that makes Group Policy such an attractive target is that it is vulnerable on multiple fronts. First of all, it’s an open book. The design of Active Directory ensures that every user can see the policies you have, where they’re applied and who has access to them. What’s more, IT teams usually use descriptive names for objects in Active Directory, which simplifies administration but has the unfortunate side effect of giving hackers critical information they can use to direct and hone their attacks.

Moreover, despite its power, Group Policy typically isn’t at the center of an organization’s security strategy. It may not even be in a footnote, since it’s often seen as a “set it and forget it” technology. At the same time, it is often very complex, with thousands of policies created to address specific issues over the years — and lots and lots of people who have been delegated permissions to create, modify and delete those GPOs. It can be incredibly hard to untangle it all, and it’s risky to remove policies and delegated admins without proper research and attestation. As a result, too many organizations don’t even try. That leaves their IT ecosystem extremely vulnerable.

How attacks work

Now that we know why attackers target Group Policy, let’s explore how they manage to compromise it. Unfortunately, it’s easier than you might think. First of all, hackers need to gain a foothold in your IT ecosystem. Unfortunately, that often doesn’t require sophisticated skills or exotic techniques: A password spraying attack will likely quickly locate a user account with a perennially common password like “123456” or “password”, or a trending favorite like “CovidSucks2020!”. In fact, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reports that two of the top ways that the threat actors behind recent hacks gained initial access to victim organizations were the tried and true basic tactics of password guessing and password spraying.

Once attackers get an initial foothold, they don’t need much technical know-how to understand your GPOs and figure out which accounts to target in order to get access to the ones they need. They have several “Easy” buttons”: BloodHoundPowerSploit and Mimikatz are just three examples of open-source tools that will do the heavy lifting for them. For instance, BloodHound will quickly give attackers all the information they need — even if your environment is complex, with lots of policies and blocked inheritances and so on. The attacker essentially says, “I think I want access to this system; what GPOs are applied to that system and who are the administrators for those GPOs?” and BloodHound will spit out the details, including a list of exactly which accounts they need to target using spear phishing or other attack vectors.

Once one of those credential-seeking attacks succeeds, it’s game over. Group Policy provides access to and control over every system, so it provides hackers with the means to accomplish just about any task — while also avoiding detection. They can deploy ransomware or exfiltrate data, and then drop a little bit of code that will execute on all your DCs to scorch all the evidence of their activity on their way out.

Reduce your AD attack surface

Reduce your AD attack surface.

See where you’re exposed and how to remediate it.

How to fight back

Clearly, if you want to strengthen your Active Directory security, you need effective Group Policy management. Microsoft offers the Group Policy Management Console (GPMC), a free tool that assists with a variety of tasks, as well as a set of GPMC interfaces for programmatic access to many operations. However, both of these tools have limitations, and they don’t help you eliminate the heart of the problem: all those juicy accounts that have been delegated permissions to modify your GPOs — accounts that tools like BloodHound are only too capable of identifying and serving right up to hackers. Organizations often have dozens or hundreds of such accounts, all ripe for takeover.

A great way to dramatically slash your attack surface area is to pare the number of accounts with GPO access rights down to a bare minimum. Of course, the permissions of Domain Admins and Enterprise Admins cannot be removed, but if you had just one other account with rights over your policies, instead of dozens or hundreds, just think how frustrating that would be to any attacker.

A proxy-based solution like GPOADmin gives you that functionality. You register all of your GPOs in GPOADmin and remove all the native delegation that leaves you so vulnerable. BloodHound and other snooping tools instantly become useless, since only Domain Admins, Enterprise Admins and GPOADmin itself have permissions to modify your GPOs. Additionally, you can ensure that no one — including users who have access to GPOADmin — can make certain modifications, which inoculates your most critical settings from being changed at all.

Just these two measures — eliminating GPO delegation and blocking changes to crucial settings — will take you light years toward your goal of keeping hackers out of your GPOs. If you’re interested in additional proven strategies for strengthening Active Directory security, check out the eBook below.

Five ways to secure your Group Policy

Almost every organization uses Group Policy to configure and secure Active Directory, which makes it an extremely appealing target for hackers. Learn five proven strategies for strong GPO security— and tools that make it easy to implement them.

Download the Guide

About the Author

Matthew Vinton

Matthew Vinton is a pre-sales engineer at Quest Software serving Quest's largest accounts. Matthew specializes in Microsoft platform management, specifically migrating, managing, and securing workloads both on premises and in the cloud. Prior to joining Quest, Matthew was a consultant for over thirteen years in the Microsoft platform technology space where he specialized in Active Directory engineering and migration, Microsoft messaging, unified communications and endpoint management platforms.

Related Articles