Guillaume Ross

Are you really protected against Group Policy Bypass and Remote Code Execution? MS15-011 & MS15-014

Blog post created by Guillaume Ross on Mar 12, 2015

In February, Microsoft published two hotfixes to address issues with Group Policies.



Together, these patches address the following issues:



As we are now dealing with March updates, this is a good time to look at how protected you are against these issues.


What are these vulnerabilities?


These issues allow someone to perform a MITM (Man-in-the-middle / Suspicious-person-at-the-coffee-shop-in-the-middle) attack and send custom GPOs back to your Windows system.


The attacker spoofs the IP address of one of your corporate file servers, which could be a domain controller hosting SYSVOL or NETLOGON.


As GPOs are processed by the system and include important configurations such as permissions, user right assignments, user accounts, groups, and even logon scripts, it is easy for an attacker to leverage this access and turn it into code execution.


The attacker could simply replace a logon script downloaded by the process with his own script.


These vulnerabilities apply to all versions of Windows, but systems that are potential MITM targets face the highest risk. Because the SMB protocol does not enforce encryption by default, attackers can downgrade the connection. The two patches work together: they harden UNC access and also allow system administrators to configure UNC hardening precisely.


For more technical details on the vulnerabilities, see MS15-011 & MS15-014: Hardening Group Policy - Security Research & Defense - Site Home - TechNet Blogs.


I deployed the updates, so I'm fine?


Probably not! While most updates for Windows only require installation and, if needed, a reboot, MS15-011 introduces new policy options that actually require configuration.

Microsoft has a detailed page on the subject: MS15-011: Vulnerability in Group Policy could allow remote code execution: February 10, 2015.


UNC Hardened Access should be configured at least for SYSVOL and NETLOGON. Since the configuration settings are designed to be ignored by systems that do not have the patch, you can start testing and even configure these settings on systems that will not be able to use them. Microsoft has a great FAQ about the configuration of the new settings: Guidance on Deployment of MS15-011 and MS15-014 - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet….


This is also a great time to review hardening on your domain controllers, file servers and workstations. Specifically, ensure that SMB configuration settings are configured both on clients and servers to Digitally Sign Communications (Always). If legacy or other incompatible systems prevent you from doing this on all systems, keep exceptions as precise as possible.
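
One way to check the two settings discussed above on a single machine, as an added example that is not from the original post or from Microsoft. The registry locations and the `RequireMutualAuthentication=1, RequireIntegrity=1` value format are not stated in the post and should be confirmed against the linked Microsoft guidance; the function names are hypothetical.

```powershell
# Added example: local audit of UNC hardened access and SMB signing.
# Assumption: settings are delivered by policy to the registry locations below.
$hardenedKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$requiredShares = 'SYSVOL', 'NETLOGON'
$requiredFlags  = 'RequireMutualAuthentication=1', 'RequireIntegrity=1'

function Test-HardenedShare {
    param([string]$Share, [hashtable]$Entries)
    # A UNC pattern ending in \<share> covers it only if both flags are enabled.
    # A server-specific pattern protects that server only; \\*\<share> covers all.
    foreach ($path in $Entries.Keys) {
        if ($path -notmatch ('\\' + [regex]::Escape($Share) + '$')) { continue }
        $flags   = $Entries[$path] -split ',' | ForEach-Object { $_.Trim() }
        $missing = $requiredFlags | Where-Object { $flags -notcontains $_ }
        if (-not $missing) { return $path }   # first pattern that fully covers the share
    }
    return $null
}

function Test-SmbSigningRequired {
    param([string]$Service)   # LanmanWorkstation (client) or LanmanServer (server)
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service\Parameters"
    $value   = (Get-ItemProperty -Path $regPath -Name RequireSecuritySignature `
                -ErrorAction SilentlyContinue).RequireSecuritySignature
    return ($value -eq 1)     # 1 = "Digitally sign communications (always)"
}

# Read every configured hardened path (value name = UNC pattern, data = flags).
$entries = @{}
if (Test-Path $hardenedKey) {
    $key = Get-Item $hardenedKey
    foreach ($name in $key.GetValueNames()) { $entries[$name] = [string]$key.GetValue($name) }
}

$report = @(foreach ($share in $requiredShares) {
    $match = Test-HardenedShare -Share $share -Entries $entries
    [pscustomobject]@{ Check = "UNC hardening for $share"; Pass = [bool]$match; Detail = $match }
})
$report += [pscustomobject]@{ Check = 'SMB client signing (always)'
                              Pass  = Test-SmbSigningRequired 'LanmanWorkstation'; Detail = '' }
$report += [pscustomobject]@{ Check = 'SMB server signing (always)'
                              Pass  = Test-SmbSigningRequired 'LanmanServer'; Detail = '' }
$report | Format-Table -AutoSize
```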


I've pushed the patches and configured UNC hardened access, what should I do now?


We're already in March, aren't we? Patch Tuesday, March 2015


Hopefully, security updates that require a lot of configuration changes will remain rare from Microsoft. In the meantime, great hardening practices ensure that most settings will already be correct if a few changes are needed, and being able to easily configure all of your systems rapidly will be a great asset the next time this is required.


Happy March patch Tuesday!