When the average federal employee logs into their workstation at the beginning of the day, it’s more than likely they are unaware of the thousands of unseen configurations and network controls that power their IT infrastructure. Some portions of the workforce may not even realize that there is a domain controller mitigating these critically important network controls and are responsible for setting authentication, user rights, and resource access in their Active Directory (AD) environments.
As federal AD ecosystems continue to evolve and become more complex, it is becoming increasingly difficult for IT security teams to get a full view of their operating environments, as well as the AD vulnerabilities that malicious actors could use to penetrate federal networks. One emerging challenge that agency IT teams are currently facing is the security threat that unmonitored and misconfigured Group Policy Objects (GPOs) pose to AD environments.
This was a topic of discussion during a recent Quest-sponsored event, where AD security experts, Quest’s Matthew Vinton and Trimarc Security’s Darryl Baker, discussed the elements of a GPO, the potential impact that compromised GPOs can have on federal AD environments, and the available solutions agencies can employ to automate and simplify their attack path management processes.
What are GPOs?
GPOs are tools within Microsoft AD that are used to configure a government agency’s AD environment. They can be configured and pushed out onto all workstations within an agency’s AD, meaning that any actions that are executed via a GPO can have widespread effects throughout a federal network.
GPOs are quite versatile, as their use cases can range from the simplest of configurations, such as setting a computer’s wallpaper background, to extremely complex scenarios, like adjusting security and access credentials to sensitive and classified areas of an AD environment. Other common GPO deployments include modifying security pieces for internet browsers, creating whitelists of trusted hosts, and executing scripts that push out software installations across a network.
Why do attackers target GPOs?
Because GPOs can have far-reaching impacts on a federal agency’s network, they have become highly prized targets for cyber hackers. Baker cited three main reasons why hackers have turned to GPOs to infiltrate federal networks. The first being that GPOs are ubiquitous. “Every Active Directory environment has Group Policy out of the box,” said Baker. “It’s everywhere. If you have a Windows domain, you have Group Policy. Whether or not you’re using it, it exists.”
Second is complexity. As GPOs become more sophisticated and increase in volume, an agency’s environment will also follow suit and become more complex. Baker explained that depending on the size of an organization, the number of deployed GPOs can range from the thousands to tens of thousands. As the domain environment becomes more complicated, it can become extremely difficult for IT teams to administer GPOs, leaving some vulnerabilities overlooked and left to fall through the security cracks. These exposures represent prime opportunities for hackers step in and cause devastating damage to the network.
Lastly, according to Baker, Group Policy is incredibly powerful. “You can basically employ any configuration or modification that you can think of to a machine, and it can be done via Group Policy,” he explained. “That includes adding users to groups, elevating privileges, executing remote code, installing software, modifying security events… It’s an incredibly powerful framework. So of course this is going to be a place that attackers are going to look.”
Hackers are known to carry out direct attacks where they attempt to modify a GPO, or create their own, in order to roam throughout a network. There are also indirect attacks where an agency’s GPOs are used in an attack chain. Baker explained that it is critical that agency IT teams carefully take stock of all their GPOs to monitor and detect any misconfigurations that could turn into vulnerabilities. “How much time as an administrator have you spent to actually understand what’s going on in all of these different pieces,” Baker rhetorically asked. “Blue teamers have to be right 100 percent of the time. Attackers just have to be right once.”
Securing GPOs and AD
Baker and Vinton highlighted the fact that Group Policy infrastructure is one of the most common attack paths that today’s hackers are using to deploy ransomware in AD environments. He explained that today’s ransomware software is essentially off-the-shelf and can leverage Group Policy misconfigurations to create new GPOs to wreak havoc in the network.
“One of the things we’re going to be recommending is a lot more auditing in Group Policy, because this is literally being built into the ransomware product that hackers are creating,” explained Vinton.
“[Hackers] will link to the domain, which is like the final dropping of the bomb and walking away,” Vinton said. “If you didn’t before, pay even closer attention to your Group Policy infrastructure, because it is commonly used by ransomware gangs.”
So how can federal agencies sort through and mitigate the risks that are associated with GPOs? Sifting through all of these attack paths in Active Directory can be extremely daunting, but there are solutions that federal agencies are employing to automate much of the laborious monitoring.
Solutions like Spector Ops’ Bloodhound Enterprise (BHE) can graphically map out every relationship between GPOs in Active Directory, and then produce an attack path map of the environment. Agencies have also been working on simplifying their Group Policy management. Through Quest’s GPOAdmin, federal government agencies can consolidate their GPOs to provide uniformity and stability within their AD environments, and support their overarching Group Police governance initiatives.
