Group Policy with Alan Burchill

Another session with Alan Burchill. This one is keeping your company secure with group policy.

CPasaword – use PowerShell to scan and find the gp for any passwords being set by GPP.

Microsoft recommends you do not chang local admin password with GPP. As the password is encrypted, but Microsoft must, by law, make the decryption key public available.

He showed us ways to encrypt local passwords using PowerShell and WinRM. Then decrypting the encrypted password.

Pass the Hash – using the hash value of the password to access data based on permissions. Once on the network you can then gain more hashed password (lateral movement). Even worse if all the local admin accounts have the same local admin password.

Lock down the Domain and Enterprise Admin groups using Deny logon locally and Deny logon as a batch file. Devalue these accounts. Create Desktop Admin and Server Admin groups and apply by GPP.

Two new local accounts are Local Account and Local Account with administrative access. These are part of Server 2012 R2 and can be added to Windows 7 via a KB article.

Minor technical glitches during the session, dont worry about it Alan.

image

Advertisements