Title: Group Policy Security Testing in Domain Environments


1 Group Policy Deployment and Updates

1.1 Deploying Group Policy

Windows Server 2016 ships with a Group Policy management tool inside Server Manager.

The more capable tool is the Group Policy Management Console (GPMC), which can manage multiple domains.

Creating and editing the content of a group policy:

Group policies are split into computer policies and user policies (the Machine and User directories), and into script and non-script settings (the Scripts directory).

[screenshot: 20200502094943.png]

1.2 Group Policy Storage

Group policy is stored on the domain controller under \\domain\sysvol\policies as plaintext XML, INI, INF and other files.

These files are readable by every user in the domain.

[screenshot: 20200502095107.png]

1.3 Group Policy Updates

The client polls for group policy every 90 minutes to check whether it has changed.

On the client, gpupdate /force forces an immediate group policy refresh.

The refresh can be limited to computer or user settings, e.g. gpupdate /force /target:computer

1.4 Group Policy Distribution and Retrieval

Kerberos protocol: authentication

LDAP protocol: search

SMB protocol: download

How the query works: the client searches LDAP for all group policy objects and works out which ones apply to it; the server decides which policies to return (the version number is an important factor in that decision).

2 Group Policy Credentials: Attack and Defense

2.1 Plaintext Passwords in Group Policy

Logon scripts deployed as VBScript:

[screenshot: 20190304144747.png]

This was common before 2003 and has since been abandoned.

2.2 Encrypted Passwords in Group Policy

Microsoft released GPP (Group Policy Preferences) in Windows Server 2008 (KB943729); the feature is disabled on Windows Server 2016.

In some scenarios, credentials are stored in the preference files:

Mapped drives (Drives.xml)

Create/update services (Services.xml)

Create a local user (Groups.xml)

Scheduled tasks (ScheduledTasks.xml)

Data sources (DataSources.xml)

Change the local Administrator password (Groups.xml)

Printer configuration (Printers.xml)

Take creating a local user through Group Policy as an example:

Windows Server 2003: [screenshot: 20100304145027.png]

Windows Server 2008: [screenshot: 20190305152330.png]

Group Policy content:

[screenshot: 20190304145050.png]

The plaintext password is encrypted with AES, but the key is fixed:

[screenshot: 20190304145147.png]

2.3 Recovering the Encrypted Passwords

Use Get-GPPPassword from PowerSploit to retrieve the passwords stored in Group Policy:

Get-GPPPassword

[screenshot: 20190304145225.png]
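The audit that sections 2.2 and 2.3 motivate, from the defender's side, as an added example that is not part of the original post: a Python script that walks a SYSVOL-style tree, parses the preference files named above (Groups.xml, Drives.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Printers.xml) and reports every preference item that still carries a cpassword attribute, so the administrator can find and remove the credential before anyone runs Get-GPPPassword against the share. It does not decrypt anything. The sample files it builds in a temporary directory are constructed: the GUID folder names and cpassword values are placeholders, and the Policies/<GUID>/Machine or User/Preferences/... layout is assumed to mirror SYSVOL.

```python
"""Audit a SYSVOL-style tree for Group Policy Preference items that still carry
a cpassword attribute.  Added example, not from the original post."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that can carry a cpassword attribute (Groups.xml covers
# local-user creation and local Administrator password changes).
GPP_FILES = {"Groups.xml", "Drives.xml", "Services.xml",
             "ScheduledTasks.xml", "DataSources.xml", "Printers.xml"}

# Constructed sample files (not captured from a real domain).  The GUID
# directory names and cpassword values are placeholders, not real data.
SAMPLE_FILES = {
    "Policies/{GUID-1}/Machine/Preferences/Groups/Groups.xml": """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2019-03-04 06:50:50">
    <Properties action="C" userName="LocalAdmin" cpassword="PLACEHOLDER_CIPHERTEXT_1"/>
  </User>
  <User name="Administrator (built-in)">
    <Properties action="U" userName="Administrator (built-in)" cpassword=""/>
  </User>
</Groups>
""",
    "Policies/{GUID-1}/User/Preferences/Drives/Drives.xml": """<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="S:">
    <Properties action="U" path="\\\\fileserver\\share" userName="svc_share" cpassword="PLACEHOLDER_CIPHERTEXT_2"/>
  </Drive>
</Drives>
""",
    # A service item with no stored credential: must not produce a finding.
    "Policies/{GUID-2}/Machine/Preferences/Services/Services.xml": """<?xml version="1.0" encoding="utf-8"?>
<NTServices>
  <NTService name="Spooler">
    <Properties startupType="AUTOMATIC" serviceName="Spooler"/>
  </NTService>
</NTServices>
""",
}


def write_sample_sysvol(root):
    """Write the constructed files under root, mirroring the SYSVOL layout."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def find_cpasswords(sysvol_root):
    """Return one finding per preference item whose <Properties> has cpassword.

    An empty cpassword is still reported (has_value=False): the item exists and
    should be reviewed, but no ciphertext is exposed by it.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed file: not a credential finding
            for item in tree.getroot().iter():
                props = item.find("Properties")
                if props is None or props.get("cpassword") is None:
                    continue
                findings.append({
                    "file": os.path.relpath(path, sysvol_root).replace(os.sep, "/"),
                    "item": item.tag,
                    "name": item.get("name"),
                    "user": props.get("userName") or props.get("accountName"),
                    "has_value": props.get("cpassword") != "",
                })
    return findings


def summarize(findings):
    """Count findings per file so remediation can be triaged GPO by GPO."""
    counts = {}
    for f in findings:
        counts[f["file"]] = counts.get(f["file"], 0) + 1
    return counts


def audit_sample():
    """Build the constructed SYSVOL in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_sysvol(tmp)
        return find_cpasswords(tmp)


if __name__ == "__main__":
    results = audit_sample()
    for finding in results:
        print(finding)
    print(summarize(results))
```

To run it against a real domain, point find_cpasswords at a copy of \\domain\sysvol\domain\Policies (or a mounted SYSVOL path) instead of the temporary directory; each finding names the GPO folder, the preference item and the account, which is what is needed to remove the item and rotate that account's password.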

3 Attacking Clients via Group Policy

Pushing a Group Policy to the client:

[screenshot: 20190305152456.png]
