How to detect and respond to Plaintext Passwords in GPOs using ADAudit Plus

In this article:  

  • Objective

  • Prerequisites

  • Steps to follow

  • Validation and confirmation

  • Tips

  • Related topics and articles

Objective  

This article explains how to use ADAudit Plus to detect the insecure storage of passwords in Group Policy Objects (GPOs), understand the immediate remediation steps, and implement long-term prevention strategies.

Prerequisites  

  • You must have administrator access to the ADAudit Plus web console.

  • The ADAudit Plus service account must have permissions to read GPO files from the SYSVOL share on domain controllers.

Steps to follow  

The process for handling Plaintext Passwords in GPOs involves detection, immediate remediation, and prevention.

Part 1: Detecting the threat  

  1. Navigate to the Active Directory Tab > Attack Surface Analyzer > Threats > Plaintext Password in GPO.

  2. This report shows any GPOs that contain passwords stored insecurely within Group Policy Preference files.

Part 2: Understanding the detection criteria  

ADAudit Plus detects this vulnerability based on the following:

  • Description: A password stored in a GPO XML file is identified. Although the value is AES-encrypted, the AES key is publicly documented, so anyone who can read the file can decrypt the password. This is a common misconfiguration found in older GPOs, often used for tasks like creating local user accounts.

  • Detection Logic:

    • A scheduled task runs every 12 hours to scan GPO XML files.

    • The scan looks for non-empty cpassword attributes within these files.
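The detection criterion above (a non-empty cpassword attribute in a Group Policy Preference XML file under SYSVOL) is simple enough to reproduce in a standalone scanner, which is useful for a one-off sweep between scheduled runs or for checking a SYSVOL backup. The following is an added example written for this article, not ADAudit Plus code: it walks a SYSVOL-style Policies tree, flags every element whose cpassword attribute is non-empty, skips items with an empty cpassword, reports malformed XML instead of aborting, and records the owning GPO GUID from the path. The set of file names scanned and the account attribute names are assumptions; the sample tree, GUIDs and cpassword values it builds are constructed placeholders, not real GPO data.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Preference files that historically carried a cpassword attribute
# (assumption: this is the set of file names worth scanning).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Attribute naming the account whose password the item sets (differs per file type).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def gpo_guid_from_path(path):
    """Return the {GUID} policy folder a file sits under, or '' if none is in the path."""
    m = GUID_RE.search(path)
    return m.group(0) if m else ""


def find_gpp_passwords(sysvol_root):
    """Walk a SYSVOL-style tree and return (findings, parse_errors).

    A finding is any element whose cpassword attribute is non-empty; an item
    whose cpassword is empty is not flagged, matching the report's criterion.
    """
    findings, parse_errors = [], []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError as exc:
                parse_errors.append(f"{path}: {exc}")  # malformed file: report, keep going
                continue
            for elem in root.iter():
                for attr, value in elem.attrib.items():
                    if attr.lower() == "cpassword" and value.strip():
                        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS
                                        if a in elem.attrib), "")
                        findings.append({"gpo_guid": gpo_guid_from_path(path),
                                         "file": name, "element": elem.tag,
                                         "account": account})
    return findings, parse_errors


def build_sample_sysvol():
    """Create a temporary Policies tree with constructed sample GPP files.
    GUIDs and cpassword values are placeholders, not real GPO content."""
    base = tempfile.mkdtemp(prefix="sysvol-sample-")
    samples = {
        # GPO 1: local user item with a stored password -> must be flagged
        "{11111111-1111-1111-1111-111111111111}/Machine/Preferences/Groups/Groups.xml":
            '<?xml version="1.0" encoding="utf-8"?>\n<Groups>\n  <User name="localadmin">\n'
            '    <Properties action="U" userName="localadmin" cpassword="SAMPLE-NOT-REAL"/>\n'
            '  </User>\n</Groups>\n',
        # GPO 2: scheduled task with an empty cpassword -> not flagged
        "{22222222-2222-2222-2222-222222222222}/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml":
            '<?xml version="1.0" encoding="utf-8"?>\n<ScheduledTasks>\n  <Task name="Cleanup">\n'
            '    <Properties action="C" runAs="NT AUTHORITY\\SYSTEM" cpassword=""/>\n'
            '  </Task>\n</ScheduledTasks>\n',
        # GPO 3: user-side drive map with a password -> flagged; plus a truncated Services.xml
        "{33333333-3333-3333-3333-333333333333}/User/Preferences/Drives/Drives.xml":
            '<?xml version="1.0" encoding="utf-8"?>\n<Drives>\n  <Drive name="H:">\n'
            '    <Properties action="U" path="\\\\fileserver\\share" userName="svc-share"'
            ' cpassword="SAMPLE-NOT-REAL"/>\n  </Drive>\n</Drives>\n',
        "{33333333-3333-3333-3333-333333333333}/Machine/Preferences/Services/Services.xml":
            '<?xml version="1.0" encoding="utf-8"?>\n<NTServices>\n  <NTService name="Spooler">\n',
    }
    for rel, content in samples.items():
        path = os.path.join(base, "Policies", *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    found, errors = find_gpp_passwords(build_sample_sysvol())
    for f in found:
        print(f"FLAG {f['gpo_guid']} {f['file']} <{f['element']}> account={f['account']!r}")
    for e in errors:
        print("PARSE ERROR", e)
```

Point `find_gpp_passwords` at a copy of the domain's Policies folder to run it against real data. The scanner deliberately does not decrypt anything: the presence of a non-empty cpassword is the finding, and the GPO GUID plus file name is what you need to locate the item in GPMC for removal.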

Part 3: Immediate remediation  

If a GPO with a stored password is detected, you must act immediately to remove the vulnerability.

  1. Identify the Insecure GPO: The ADAudit Plus report will identify the specific GPO containing the cpassword attribute.

  2. Locate and Remove the Setting:

    • Open the Group Policy Management Console (GPMC).

    • Find and edit the identified GPO.

    • Navigate to the Group Policy Preference setting where the password is being set (e.g., Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups).

    • Delete the specific preference item that is setting the password.

  3. Implement a Secure Alternative: The original goal of the GPO (e.g., managing local admin passwords) must be achieved securely. The recommended solution is to use the Local Administrator Password Solution (LAPS) from Microsoft.

  4. Investigate for Compromise: Assume that the password found in the GPO has been compromised. If this password has been reused for any other accounts (service accounts, domain accounts), reset those passwords immediately.

Validation and confirmation  

  • After removing the insecure setting from the GPO, force a Group Policy update on affected machines.

  • On the next scheduled run (within 12 hours), the Plaintext Password in GPO report in ADAudit Plus should no longer show the remediated GPO.

  • Verify that the new, secure solution (like LAPS) is functioning correctly.

Tips  

The following best practices can help prevent the insecure storage of credentials in GPOs.

Do Not Use Group Policy Preferences to Set Passwords  

  • This practice was deprecated by Microsoft (MS14-025) because of this vulnerability. Never store any type of password in Group Policy Preferences.

Implement LAPS  

  • Deploy Microsoft LAPS to securely manage local administrator passwords on your workstations and servers. LAPS automatically sets a unique, complex, and regularly rotated password for the local admin account on each machine and stores it securely in Active Directory.

Audit GPOs Regularly  

  • Periodically review all GPOs, especially older ones, to ensure they do not contain insecure settings.

Eliminate Password Reuse  

  • Enforce a policy of not reusing passwords across different systems or for different accounts. This limits the damage if one password is compromised.

Related topics and articles  

  • How to configure Attack Surface Analyzer in ADAudit Plus