Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Microsoft Issues Guidance on Group Policy-Breaking Patches

    By
    Pedro Hernandez
    -
    July 7, 2016
    Share
    Facebook
    Twitter
    Linkedin
      Microsoft Group Policy Objects

      Last month, Microsoft once again reminded the IT community about the importance of testing Windows operating system patches before deploying them to their entire fleet of user systems.

      June’s patches for various Windows operating systems, including Windows Vista, Windows 10 and Server 2008, contained security updates that changed how user Group Policy Objects (GPO) work for many organizations. Update MS16-072 was issued to plug a vulnerability that could be used to mount a privilege escalation attack in the event of a man-in-the-middle attack against traffic flowing between target Windows systems and a domain controller.

      “An attacker could then create a group policy to grant administrator rights to a standard user,” cautioned Microsoft in a June 14 security bulletin. “The security update addresses the vulnerability by enforcing Kerberos authentication for certain calls over LDAP [Lightweight Directory Access Protocol].”

      For unsuspecting systems administrators, the patches threw a wrench into their finely tuned Windows environments. On Twitter, support forums and other online communities, IT professionals blasted Microsoft for releasing a patch that broke their GPOs, causing networked printers and application shortcuts to vanish for some users while off-limits network drives appeared for others, among several other complaints.

      As its name implies, a Group Policy Object describes a collection of Windows settings that is intended to be applied to the PCs of a select group of users in Active Directory environments. Enterprises use GPOs for centralized and streamlined management of Windows PCs used by their various departments and sites.

      Addressing the uproar caused by last month’s GPO-breaking patches, Sean Greenbaum, premier field engineer at Microsoft Secure Infrastructure, penned a lengthy blog post on how administrators can repair their GPOs.

      Before the update was released, “domain joined computers used the user’s security context to make the connection and retrieve the policies,” explained Greenbaum. “After the update is applied, domain joined computers will now retrieve all policies using the computer security context.” This change prevents man-in-the-middle attacks by enforcing the use of the Kerberos secure authentication protocol, a feature available to computer accounts, he added.

      Greenbaum’s post provides systems administrators with four options on repairing their GPOs, ranging from scripts to Advanced Group Policy Management tips. “If you are using a [third-party] tool to create and manage your GPOs, you’ll want to reach out to that vendor to see how their product is affected and if any change is needed to your policy creation and deploy process,” advised Greenbaum.

      It’s not the first time Microsoft released an update that had an undesirable effect on group policies.

      Earlier this year, Microsoft quietly disabled a Group Policy setting that allowed administrators to block access to the Windows Store app marketplace on PCs running Windows 10 Pro. The feature was used by organizations to discourage the use of unsanctioned software and help stem the spread of shadow IT in their environments.

      Avatar
      Pedro Hernandez
      Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the Internet.com network of IT-related websites and as the Green IT curator for GigaOM Pro.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×