GPP / cPassword Attacks
What Happened?
Group Policy Preferences (GPP) was a feature introduced in Windows Server 2008 to simplify the management of local accounts and services across domain-joined machines.
Admins could use GPP to:
Set passwords for local admin accounts.
Configure services and other tasks via Group Policies.
Here’s where things went wrong:
GPP allowed embedded credentials (e.g., local admin passwords) to be set within XML files.
These credentials were encrypted and stored as cPassword values in files like Groups.xml.
The Groups.xml file resides in SYSVOL – a shared folder on every domain controller that all authenticated users can access.
The encryption should have kept these passwords safe, right? Well…
The OOPS Moment
Microsoft made a critical mistake:
The AES encryption key used to encrypt the cPassword was hardcoded.
Worse yet, they accidentally published this encryption key in official documentation.
Result? Anyone who gets access to the XML file can easily decrypt the cPassword.
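As an added example (not code from the original page), the defender-side check that follows from this: a small Python scan that walks a mounted SYSVOL share or an offline copy and reports every GPP preference item that still embeds a cpassword attribute, so the policy can be cleaned up. The sample XML, uid and cpassword values are constructed placeholders; the attribute name is matched case-insensitively because the page writes cPassword while the files write cpassword.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample shaped like a GPP Groups.xml; uid and cpassword values are
# placeholders, not data from any real domain.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" uid="{PLACEHOLDER-UID-1}">
    <Properties action="U" cpassword="PLACEHOLDER-CPASSWORD" userName="LocalAdmin" neverExpires="1"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Helpdesk" uid="{PLACEHOLDER-UID-2}">
    <Properties action="U" userName="Helpdesk" description="no stored password"/>
  </User>
</Groups>
"""

# Preference files that may carry a cpassword attribute (Groups.xml for local
# accounts; the others cover services, scheduled tasks, data sources, drives).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "printers.xml", "drives.xml"}


def find_cpassword_entries(xml_text):
    """Return (item tag, item name) for each preference item whose subtree
    carries a non-empty cpassword attribute (matched case-insensitively)."""
    findings = []
    for item in ET.fromstring(xml_text):      # one child element per preference item
        for elem in item.iter():
            for attr, value in elem.attrib.items():
                if attr.lower() == "cpassword" and value:
                    findings.append((item.tag, item.get("name", "(unnamed)")))
    return findings


def scan_sysvol(root_dir):
    """Walk a mounted SYSVOL share (or an offline copy) and map each GPP file
    that still embeds a cpassword to its findings. Unparseable files are skipped."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if fname.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    found = find_cpassword_entries(fh.read())
            except (OSError, ET.ParseError):
                continue
            if found:
                hits[path] = found
    return hits
```

Any path reported by scan_sysvol is a Group Policy Preference whose embedded password should be removed and the affected account's password rotated.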