

Ten security attacks you can easily avoid with Group Policy


By Kevin Beaver, Contributor
05.16.2005




You should always run Group Policy on your Active Directory-based systems. If you don't, plenty of attacks are just waiting to happen inside your network, as you can see from the following column, which first appeared on SearchWindowsSecurity.com.

Let's play pretend.

Pretend you've got a malicious insider on your network with a bone to pick. We'll call him Eddie. Perhaps Eddie is a consultant or even a salesperson. He might even come in during off hours to work his "security" shift. Regardless of what he does, he knows it is pretty simple to connect to someone's network and do just about anything he wants. Why? Default Windows settings, that's why.

Eddie doesn't know about the wonders of Group Policy Objects (GPOs) in Windows 2000 and later. However, thanks to his malicious mindset and quest for information, he knows that most Windows systems aren't hardened against common threats and realizes there are plenty of goodies in the form of 1s and 0s on your network for the taking.

Now this Eddie doesn't need a wireless LAN connection to get into your network. He can plug right into one of the dozens of live network drops throughout the building -- in empty cubicles and meeting rooms. As a fallback plan, Eddie knows he will likely succeed in attaching to an unsecured Wi-Fi access point just as easily if he needs to. He also knows that having physical access to your systems is invaluable.

Based on my experience, Eddie will do several things on your Windows systems -- most likely on 2000, probably even XP and quite possibly on Server 2003. (The sad thing is that all of these breaches could be prevented by simply tightening your Group Policy settings.)

Ten attacks you can prevent with Group Policy

If Group Policy settings are not hardened, a malicious insider like Eddie could easily:

1. See the ID of the user who last logged on to servers and workstations, which is a great way for him to gather user names for his social engineering con games and password cracking attacks that eventually lead to compromised accounts.

2. Start guessing weak passwords and, well, need I say more about what can happen?

3. Copy the Active Directory database and potentially obtain all usernames and passwords.

4. Use a powerful password cracking utility such as Proactive Windows Security Explorer or LC 5 and crack passwords by simply attaching to remote servers or capturing data right off the wire.

5. Use the hacking tool PipeUpAdmin to escalate the privileges of the currently-logged-on account and make himself an administrator equivalent on the system.

6. Install software and "tweak" your Internet Explorer settings to allow future malicious content attacks.

7. Do anything he pleases with very little logged information tracking his moves (another default weakness).

8. Fill up your event logs with junk data -- keeping legitimate log entries from being made.

9. Shut down your workstations and, worse yet, your servers.

10. Remove hard drives after shutdown and use his favorite disk editor to glean information from your Windows swap files.

If Eddie is particularly industrious, there are likely hundreds of other attacks that he can carry out with relative ease behind your firewall. Time's the only limit.

How can you stop folks like Eddie? Group Policy is a good start. Group Policy settings are easy to implement at the local computer, domain and domain controller levels. They can help keep out attackers consistently across all your Windows 2000 and above systems -- and certainly make your job (and life) much easier.

Nearly every network I test has at least a few Windows systems that either do not have Group Policy running or do not have it running properly. Although managing Group Policy can be cumbersome at times, there's no good reason not to implement it on standalone and Active Directory-based systems. Get to know the Group Policy Editor (gpedit.msc) and associated tools such as the Group Policy Management Console (GPMC). You'll be amazed at what you can do to lock down your Windows systems.

Check out Roberta Bragg's checklists on hardening Windows systems for all the details you need. Just be careful when making changes -- especially at the domain or domain controller level. You can easily lock yourself out or otherwise break the systems if you don't fully understand what you're changing.
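To check where a machine stands on some of the ten items above, the following added example (not part of the original column) parses a security template export and flags settings left weak or unset. The mapping of list items to settings, the thresholds and the sample export are assumptions made for this example.

```python
import re
# Constructed sample shaped like `secedit /export /cfg out.inf` output from a
# machine left at weak settings (real exports are UTF-16 text files).
SAMPLE_INF = r"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
"""

def parse_inf(text):
    """Return {section: {key: value}} for a security template export."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

# (article list item, section, setting, pass condition). The item mapping and
# thresholds are this example's assumptions, not a baseline from the article.
CHECKS = [
    (1, "Registry Values", "DontDisplayLastUserName", lambda n: n == 1),
    (2, "System Access", "MinimumPasswordLength", lambda n: n >= 8),
    (2, "System Access", "PasswordComplexity", lambda n: n == 1),
    (2, "System Access", "LockoutBadCount", lambda n: n > 0),
    (4, "Registry Values", "NoLMHash", lambda n: n == 1),
    (7, "Event Audit", "AuditLogonEvents", lambda n: n == 3),  # success + failure
    (10, "Registry Values", "ClearPageFileAtShutdown", lambda n: n == 1),
]

def audit(text):
    """Return (item, setting) for every check that is unset or fails."""
    cfg, findings = parse_inf(text), []
    for item, section, name, ok in CHECKS:
        hit = [v for k, v in cfg.get(section, {}).items() if k.rsplit("\\", 1)[-1] == name]
        # [Registry Values] data is 'type,data' (4 = REG_DWORD); keep the data.
        if not hit or not ok(int(hit[0].rpartition(",")[2])):
            findings.append((item, name))
    return findings
```

On a real host, export the effective settings with `secedit /export /cfg out.inf`, read the file with `encoding="utf-16"`, and pass the text to `audit`. A registry value that is absent from the export is reported as a finding because the setting was never configured.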

All pretending aside, the truth of the matter is, unless and until we take advantage of Windows Group Policy, Eddie and others like him will continue their dastardly ways against our Windows systems -- a war that's silly for us to lose.


About the author: Kevin Beaver is founder and principal consultant of Atlanta-based Principle Logic LLC, as well as a resident expert on SearchWindowsSecurity.com. He specializes in information security assessments and incident response and is the author of the new book Hacking for Dummies (John Wiley & Sons). Kevin can be reached at kbeaver@principlelogic.com or ask him a question on Windows security threats today.

All Rights Reserved, Copyright 1999 - 2009, TechTarget