Group Policy Preference Password Elevation of Privilege Vulnerability

Option 1: Patch the Host

Microsoft released a patch, KB2928120, addressing this vulnerability. To install it, download the patch from the MS14-025 Security Bulletin for the corresponding host operating system.

Option 2: Remove Old or Unused Policies

Even if the correct patch has been applied, old policies that contained passwords will still need to be removed. To remove the policies identified in the weakness:

  1. In the Group Policy Management Console, open the policy that contains CPassword data.
  2. Change the action to Delete or Disable, as applicable to the preference.
  3. Click OK to save your changes.
  4. Wait for one or two Group Policy refresh cycles to allow changes to propagate to clients.
  5. After changes are applied on all clients, delete the preference.
  6. Repeat steps 1 through 5 as needed to clean your whole environment. When the detection script returns zero results, you are finished.
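One way to check for remaining CPassword data between passes of the steps above, as an added PowerShell example (not Microsoft's detection script and not code from the original page). It assumes read access to the domain SYSVOL share; the function name `Find-GppCPassword`, the default path built from `USERDNSDOMAIN`, and the sample file are constructed for illustration.

```powershell
# Added example: report Group Policy Preference XML files that still hold a
# non-empty cpassword attribute. The stored value itself is never printed.
function Find-GppCPassword {
    param(
        # Assumption: run on a domain-joined host; override for other locations.
        [string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )
    Get-ChildItem -Path $PoliciesPath -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw) }
            catch { Write-Warning "Unparseable XML: $($file.FullName)"; return }
            # The attribute sits on the <Properties> element of a preference item.
            foreach ($n in $xml.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]')) {
                $nameAttr = $n.SelectSingleNode('../@name')
                [pscustomobject]@{
                    GpoGuid = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { $null }
                    Item    = $n.ParentNode.LocalName        # e.g. User, Drive, Task
                    Name    = if ($nameAttr) { $nameAttr.Value } else { $null }
                    Action  = $n.GetAttribute('action')       # C, R, U or D
                    File    = $file.FullName
                }
            }
        }
}

# Constructed sample so the function can be tried offline (placeholder value, not real data).
$root = Join-Path $env:TEMP 'GppDemo\Policies'
$dir  = Join-Path $root '{00000000-0000-0000-0000-000000000000}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<Groups>
  <User name="svc-local" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="svc-local" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $dir 'Groups.xml')

$hits = @(Find-GppCPassword -PoliciesPath $root)
$hits | Format-Table GpoGuid, Item, Name, Action -AutoSize
"Preferences still containing CPassword data: $($hits.Count)"
```

Run `Find-GppCPassword` with no arguments to scan the live SYSVOL; the `Action` column shows which preferences have already been switched to Delete (`D`) in step 2.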