Microsoft published new advice on how to repair the damage from broken
Group Policy Objects from June’s patches that had some IT professionals up in arms.
Last month, Microsoft once again reminded the IT community about the importance of testing Windows operating system patches before deploying them to their entire fleet of user systems.
June’s patches for various Windows operating systems, including Windows Vista, Windows 10 and Server 2008, contained security updates that changed how user Group Policy Objects (GPO) work for many organizations. Update MS16-072 was issued to plug a vulnerability that could be used to mount a privilege escalation attack in the event of a man-in-the-middle attack against traffic flowing between target Windows systems and a domain controller.
“An attacker could then create a group policy to grant administrator rights to a standard user,” cautioned Microsoft in a June 14 security bulletin. “The security update addresses the vulnerability by enforcing Kerberos authentication for certain calls over LDAP [Lightweight Directory Access Protocol].”
For unsuspecting systems administrators, the patches threw a wrench into their finely tuned Windows environments. On Twitter, support forums and other online communities, IT professionals blasted Microsoft for releasing a patch that broke their GPOs, causing networked printers and application shortcuts to vanish for some users while off-limits network drives appeared for others, among several other complaints.
As its name implies, a Group Policy Object describes a collection of Windows settings that is intended to be applied to the PCs of a select group of users in Active Directory environments. Enterprises use GPOs for centralized and streamlined management of Windows PCs used by their various departments and sites.
Addressing the uproar caused by last month’s GPO-breaking patches, Sean Greenbaum, premier field engineer at Microsoft Secure Infrastructure, penned a lengthy blog post on how administrators can repair their GPOs.
Before the update was released, “domain joined computers used the user’s security context to make the connection and retrieve the policies,” explained Greenbaum. “After the update is applied, domain joined computers will now retrieve all policies using the computer security context.” This change prevents man-in-the-middle attacks by enforcing the use of the Kerberos secure authentication protocol, a feature available to computer accounts, he added.
Greenbaum’s post provides systems administrators with four options on repairing their GPOs, ranging from scripts to Advanced Group Policy Management tips. “If you are using a [third-party] tool to create and manage your GPOs, you’ll want to reach out to that vendor to see how their product is affected and if any change is needed to your policy creation and deploy process,” advised Greenbaum.
It’s not the first time Microsoft released an update that had an undesirable effect on group policies.
Earlier this year, Microsoft quietly disabled a Group Policy setting that allowed administrators to block access to the Windows Store app marketplace on PCs running Windows 10 Pro. The feature was used by organizations to discourage the use of unsanctioned software and help stem the spread of shadow IT in their environments.