For its February 2015 Patch Tuesday on Tuesday February 10, Microsoft released two security bulletins to address issues in Group Policy that would allow an attacker using a Man-in-the-Middle (MitM) approach to bypass security policies by forging packets sent by Domain Controllers.
In many organizations, Group Policies are used to centrally configure settings, printers, drivers and software.
These settings and preferences can be applied locally using gpedit.msc and secpol.msc. However, settings and preferences can also be set centrally using Active Directory on the site, domain and even granularly per Organizational Unit (OU). Tools used are gpmc.msc and, again, gpedit.msc. For non-domain-joined devices, the Security Configuration Manager (SCM) Solutions Accelerator and Offline Domain Join (ODJ) can be used to configure settings.
The Security Configuration Engine is responsible for applying security settings from both the local computer security policy and Group Policy objects on a device. It receives the policy data in policy files, interprets it and makes sure the settings get applied.
Multiple issues exist with Group Policy that can be used to cause undesired behavior:
First, an issue has been identified in the way the Security Configuration Engine picks up Group Policy.
By default, the Security Configuration Engine on domain-joined devices automatically downloads security settings in updated Group Policy Objects (GPOs) from SYSVOL, which the scecli.dll part of the Security Configuration Engine discovers and accesses using Universal Naming Convention (UNC) paths.
An attacker may spoof, tamper with, or redirect communications between the UNC provider and devices, and subsequently may be able to cause Group Policy to execute his or her programs or scripts. A common attack vector for this would be for an attacker to introduce a rogue Wi-Fi access point connected to the corporate wired network, optionally configured with the same SSID as the corporate Wi-Fi.
A second vulnerability exists whereby Group Policy could fail to retrieve valid security policy settings, because one or more Security Configuration Engine configuration files (gpttmpl.inf per Group Policy Object, configured with security settings) are corrupted or otherwise unreadable when they are interpreted by the scesrv.dll part of the Security Configuration Engine.
An attacker can achieve this by modifying the responses sent by Active Directory Domain Controllers with a Man-in-the-Middle (MitM) approach. The behavior of the Group Policy Security Configuration Engine, then, is to apply default, potentially less secure, group policy settings, instead of the domain-configured settings.
To address the first vulnerability, Microsoft introduces UNC Hardened Access. This is a new Windows feature that provides mitigations against Man-in-the-Middle attacks for any UNC paths that host executable programs, script files or files that control security policies, and improves the protection and handling of data when Windows-based devices access UNC paths.
UNC Hardened Access is available as KB3000483. It is accompanied by KB30004375, which is installed transparently with KB3000483. It is rated as a critical update for all supported versions of Windows and Windows Server. An update is currently not available for Windows Server 2003. This lack of support means there is no way to ensure mutual authentication and Server Message Block (SMB) Signing are actually enforced when Windows Server 2003-based Domain Controllers are in use. (However, the default setting on Windows Server 2003-based Domain Controllers is to require SMB Signing.) Additionally, domain-joined Windows Server 2003 installations cannot be configured with UNC Hardened Access.
An update is available from Microsoft that addresses the second vulnerability by correcting how Group Policy settings are applied when a Group Policy Security Configuration Engine policy file is corrupted or otherwise unreadable.
This update is available as KB3004361 and is rated as an important update for all supported versions of Windows and Windows Server. An update is also available for Windows Server 2003.
Call to Action
To introduce UNC Hardened Access and protect against UNC-based Man-in-the-Middle (MitM) attacks, install KB3000483. Then, in a Group Policy scoped for devices with the update, configure UNC Hardened Access in Computer Configuration, Administrative Templates, Network, Network Provider. Enable the Hardened UNC Path setting.
Behind the Show… button, define shares and their UNC Hardened Access behaviors:
RequireMutualAuthentication enforces Kerberos-based mutual authentication. RequireIntegrity and RequirePrivacy turn on SMB Signing.
Test both the update and the configuration in a test environment to assess the risk and possible impact on your production environment, then roll out the update to all devices within scope. After that, configure the additional Group Policy settings.
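As an added example (not code from the original post or from Microsoft), the PowerShell script below audits the registry entries that the Hardened UNC Paths policy writes on a device and, with -Apply, sets them directly. The key path and the "RequireMutualAuthentication=1, RequireIntegrity=1" value format are the ones KB3000483 documents; the choice of \\*\SYSVOL and \\*\NETLOGON follows that article. Run it elevated; in production, set these values through the GPO described above rather than by hand.

```powershell
# Added example, not from the original post. Audit (and optionally set) the
# UNC Hardened Access entries behind Computer Configuration > Administrative
# Templates > Network > Network Provider > Hardened UNC Paths.
param([switch]$Apply)

# Registry location the Hardened UNC Paths policy populates (per KB3000483).
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Shares and required behaviors. SYSVOL and NETLOGON are the shares KB3000483
# recommends hardening; add further shares that host scripts or executables.
$Wanted = @{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

# Parse "Name=1, Name=0" into a hashtable so comparison ignores order/spacing.
function ConvertFrom-HardenedPathValue([string]$Value) {
    $flags = @{}
    foreach ($pair in ($Value -split ',')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $flags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    return $flags
}

# True when every flag we require is present with the required value.
function Test-HardenedPath([string]$Share, [string]$Expected) {
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $false }
    $current = (Get-Item -LiteralPath $KeyPath).GetValue($Share)
    if (-not $current) { return $false }
    $have = ConvertFrom-HardenedPathValue $current
    $want = ConvertFrom-HardenedPathValue $Expected
    foreach ($k in $want.Keys) {
        if ($have[$k] -ne $want[$k]) { return $false }
    }
    return $true
}

if (-not (Test-Path -LiteralPath $KeyPath)) {
    Write-Warning 'HardenedPaths key is absent: the Hardened UNC Paths policy is not applied here.'
    if ($Apply) { New-Item -Path $KeyPath -Force | Out-Null }
}

foreach ($share in $Wanted.Keys) {
    if (Test-HardenedPath $share $Wanted[$share]) {
        Write-Output "OK       $share -> $($Wanted[$share])"
    } elseif ($Apply) {
        New-ItemProperty -LiteralPath $KeyPath -Name $share -Value $Wanted[$share] -PropertyType String -Force | Out-Null
        Write-Output "SET      $share -> $($Wanted[$share])"
    } else {
        Write-Output "MISSING  $share (expected: $($Wanted[$share]))"
    }
}
```

A MISSING line on a device that has KB3000483 installed means the GPO is not reaching it yet, so SYSVOL and NETLOGON access still lacks the mutual-authentication and signing requirement.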
Microsoft has not identified any mitigating factors or workarounds, so I urge you to install KB3004361 in a test environment as soon as possible, assess the risk and possible impact on your production environment and then roll out this update to all devices within the Active Directory environment.
Related Knowledgebase articles
3000483 MS15-011: Vulnerability in Group Policy could allow remote code execution
3004361 MS15-014: Vulnerability in Group Policy could allow security feature bypass
887429 Overview of Server Message Block signing
MS15-011 Vulnerability in Group Policy Could Allow Remote Code Execution
MS15-014 Vulnerability in Group Policy Could Allow Security Feature Bypass
MS15-011 & MS15-014: Hardening Group Policy
Security Configuration Engine Architecture