Vulnerabilities in Group Policy could allow security policy bypassing (MS15-011, MS15-014, CVE-2015-0008, CVE-2015-0009)
The February 2015 security bulletin released by Microsoft contains important security patches. Serious vulnerabilities have been identified, including remote code execution on domain-joined systems by way of Group Policy. You would do well to install the updates on the servers you are responsible for as soon as possible.
Multiple issues exist with Group Policy that can be used to cause undesired behavior:
First, an issue has been identified in the way the Security Configuration Engine picks up Group Policy.
By default, the Security Configuration Engine on domain-joined devices automatically downloads security settings in updated Group Policy Objects (GPOs) from SYSVOL, which the scecli.dll part of the Security Configuration Engine discovers and accesses using the Universal Naming Convention (UNC) paths.
An attacker who can spoof, tamper with, or redirect the communication between the UNC provider on a device and the domain controller it believes it is talking to may be able to make Group Policy execute the attacker's own programs or scripts on that device. A common attack vector would be a rogue Wi-Fi access point connected to the corporate wired network, optionally configured with the same SSID as the corporate Wi-Fi, so that domain-joined devices connect through it.
A second vulnerability exists whereby Group Policy could fail to retrieve valid security policy settings, because one or more Security Configuration Engine configuration files (gpttmpl.inf per Group Policy Object, configured with security settings) are corrupted or otherwise unreadable when they are interpreted by the scesrv.dll part of the Security Configuration Engine.
An attacker can achieve this by modifying the responses sent by Active Directory Domain Controllers with a Man-in-the-Middle (MitM) approach. The behavior of the Group Policy Security Configuration Engine, then, is to apply default, potentially less secure, group policy settings, instead of the domain-configured settings.
To address the first vulnerability (MS15-011, CVE-2015-0008), Microsoft introduces UNC Hardened Access. This is a new Windows feature that provides mitigations against Man-in-the-Middle attacks for UNC paths that host executable programs, script files or files that control security policies, and improves the protection and handling of data when Windows-based devices access such UNC paths.
UNC Hardened Access is available as KB3000483. It is accompanied by KB3004375, which is installed transparently with KB3000483. It is rated as a critical update for all supported versions of Windows and Windows Server. An update is not available for Windows Server 2003. This lack of support means there is no way to ensure mutual authentication and Server Message Block (SMB) Signing are actually enforced when Windows Server 2003-based Domain Controllers are in use. (However, the default setting on Windows Server 2003-based Domain Controllers is to require SMB Signing.) Additionally, domain-joined Windows Server 2003 installations cannot be configured with UNC Hardened Access.
For the second vulnerability (MS15-014, CVE-2015-0009), Microsoft has released an update that corrects how Group Policy settings are applied when a Group Policy Security Configuration Engine policy file is corrupted or otherwise unreadable, so that the domain-configured settings are no longer silently replaced by defaults.
This update is available as KB3004361 and is rated as an important update for all supported versions of Windows and Windows Server. An update is also available for Windows Server 2003.
Call to Action
To introduce UNC Hardened Access and protect against UNC-based Man-in-the-Middle (MitM) attacks, install KB3000483. Then, in a Group Policy scoped to devices that have the update, configure UNC Hardened Access under Computer Configuration > Administrative Templates > Network > Network Provider. Enable the Hardened UNC Paths setting and add an entry for each path to protect; at a minimum, add \\*\NETLOGON and \\*\SYSVOL with the value RequireMutualAuthentication=1, RequireIntegrity=1.
RequireMutualAuthentication=1 enforces Kerberos-based mutual authentication of the server. RequireIntegrity=1 requires SMB Signing on the connection. RequirePrivacy=1 additionally requires SMB encryption, which is only available with SMB 3.0 and later (Windows 8 and Windows Server 2012 and later), so do not set it for paths that older clients must reach.
Test both the update and the configuration in a test environment to assess the risk and possible impact on your production environment, then roll out the update to all devices within scope. Only after the update is in place everywhere, configure the additional Group Policy settings: devices without KB3000483 ignore the Hardened UNC Paths setting, so deploying the policy first gives no protection and a false sense of coverage.
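The following PowerShell script is an added example and is not part of the original advisory or any Microsoft tool. It checks a device for the two updates named above (KB3000483 and KB3004361), reports which UNC Hardened Access flags are actually in effect for \\*\NETLOGON and \\*\SYSVOL by reading the HardenedPaths registry key that the Hardened UNC Paths policy writes to, and can write the same values locally for a test machine. The function names and the choice to treat only those two paths as required are assumptions made for the example; the registry key, value names and flag semantics are those of the feature itself.

```powershell
# Added example: audit (and optionally set) UNC Hardened Access on a
# domain-joined Windows device. Not from the original advisory.
# Assumptions: run as a local administrator on Windows 7 / Server 2008 R2 or
# later; Get-HotFix can see the installed updates. Function names are
# hypothetical and chosen for this example.

$RequiredUpdates  = @('KB3000483', 'KB3004361')   # MS15-011 and MS15-014
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Values the "Hardened UNC Paths" policy delivers for the two Group Policy shares.
# RequireMutualAuthentication=1 : Kerberos mutual authentication of the server
# RequireIntegrity=1            : SMB Signing on the connection
# (RequirePrivacy=1 would additionally require SMB encryption, SMB 3.0+ only,
#  so it is deliberately left out here.)
$DesiredPaths = @{
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

function Test-GroupPolicyUpdates {
    # One object per required update, with an Installed flag.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $RequiredUpdates) {
        [pscustomobject]@{ Update = $kb; Installed = ($installed -contains $kb) }
    }
}

function Get-HardenedUncPathStatus {
    # Parses each HardenedPaths value ("Name=Value, Name=Value") and reports
    # which flags are enforced. A missing key means the policy never applied,
    # which is also what you see on a device without KB3000483.
    if (-not (Test-Path $HardenedPathsKey)) {
        Write-Warning "HardenedPaths key missing: UNC Hardened Access is not configured on this device."
        return
    }
    $item = Get-ItemProperty -Path $HardenedPathsKey
    foreach ($path in $DesiredPaths.Keys) {
        $prop  = $item.PSObject.Properties[$path]
        $value = if ($prop) { [string]$prop.Value } else { '' }
        $flags = @{}
        foreach ($pair in ($value -split ',')) {
            if ($pair.Trim() -match '^(?<name>[^=]+)=(?<val>.+)$') {
                $flags[$Matches.name.Trim()] = $Matches.val.Trim()
            }
        }
        [pscustomobject]@{
            Path                        = $path
            Configured                  = [bool]$value
            RequireMutualAuthentication = ($flags['RequireMutualAuthentication'] -eq '1')
            RequireIntegrity            = ($flags['RequireIntegrity'] -eq '1')
            RequirePrivacy              = ($flags['RequirePrivacy'] -eq '1')
        }
    }
}

function Set-HardenedUncPaths {
    # Writes the same registry values Group Policy would deliver. Intended for a
    # test box; domain-joined production devices should receive the setting from
    # the GPO so it stays centrally managed and is re-applied on refresh.
    if (-not (Test-Path $HardenedPathsKey)) {
        New-Item -Path $HardenedPathsKey -Force | Out-Null
    }
    foreach ($path in $DesiredPaths.Keys) {
        New-ItemProperty -Path $HardenedPathsKey -Name $path -Value $DesiredPaths[$path] `
            -PropertyType String -Force | Out-Null
    }
}

# Usage: audit first, then (on a test device only) apply and re-audit.
Test-GroupPolicyUpdates     | Format-Table -AutoSize
Get-HardenedUncPathStatus   | Format-Table -AutoSize
# Set-HardenedUncPaths; Get-HardenedUncPathStatus | Format-Table -AutoSize

# On Windows 8 / Server 2012 and later you can also confirm that the live
# SYSVOL and NETLOGON connections are signed after a "gpupdate /force":
# Get-SmbConnection | Where-Object ShareName -in 'SYSVOL','NETLOGON' |
#     Select-Object ServerName, ShareName, Dialect, Signed, Encrypted
```

The audit deliberately distinguishes "key missing" from "path present but flag not set": the first usually means the policy never reached the device (or the device lacks KB3000483 and ignored it), the second means someone configured the path with weaker flags, and the two need different follow-up.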
Microsoft has not identified any mitigating factors or workarounds for the second vulnerability, so I urge you to install KB3004361 in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to all devices within the Active Directory environment.