Microsoft Windows domain-configured client Group Policy fails to authenticate servers

Discussion in 'other security issues & news' started by ronjor, Feb 14, 2015.

  1. ronjor

    ronjor Global Moderator

    Jul 21, 2003
  2. RockLobster

    RockLobster Registered Member

    Nov 8, 2007
    I know this is an old thread but I have been meaning to write on this subject for some time, people often say they believe there is a backdoor in Windows but don't know where it is.
    Group Policy Client should be a point of concern.
    GPC is used when your computer is connected to a Domain. The Domain controller can apply security templates to computers connected to it. These security templates are applied by GPC on each computer. The security template can change many security settings on the individual computers. The Domain controller is basically the Super Administrator on the Network, overriding security settings applied by the individual users.
    This is not supposed to happen over the internet for obvious reasons.
    Since Windows Vista, Group Policy Client has been a Windows Service enabled by default.
    If you try to disable it in Windows Services you will find it is not possible to stop it or disable it.
    If you edit the registry to prevent GPC from starting, Windows will then fail to load user accounts, only the administrator account will be accessible.
    Further investigation of the GPC service reveals it is hosted by an instance of svchost which has opened a listening port on the internet.
    This same instance of svchost is also hosting other services that are essential to internet functionality. This means if you block that instance of svchost via a firewall you also prevent your computer from using the internet, period.
    Since Vista, Windows has boasted service isolation, which was supposed to mean that even when a single instance of svchost is hosting multiple services you should be able to firewall the individual services separately.
    To do this you open a command line window and use it to apply a SID to the service. You then use this SID to block the service in Windows Firewall.
    If you try to apply a SID to GPC it will fail to apply, thereby preventing you from isolating that service and applying firewall rules to it.
    The upshot: GPC is impossible to turn off and impossible to block from accessing the internet without breaking other essential functionality.
    I read a while back that Microsoft had released a patch to require some kind of authentication between individual computers and a domain. It took them a very long time to release that patch.
    Could that be because this is the backdoor everyone suspected was there and they were loath to close it, and how much did that patch actually secure the issue, if at all?
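The checks the post describes (whether Group Policy Client has its own service SID, which other services share its svchost, and which firewall rules can target it), as an added PowerShell example that is not part of the thread. It assumes the service name `gpsvc`, a domain-joined Windows 8.1/10 client with the NetSecurity module, and that the authentication fix the post refers to is the one Microsoft shipped as the "Hardened UNC Paths" policy for SYSVOL/NETLOGON; run it elevated.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on a
# domain-joined client. 'gpsvc' is the service name of Group Policy Client.
$svcName = 'gpsvc'

function Get-ServiceSidInfo {
    param([string]$Name)
    # sc.exe qsidtype reports NONE, UNRESTRICTED or RESTRICTED. NONE means the service
    # has no per-service SID, so a firewall rule cannot single it out inside svchost.
    $sidType = (& sc.exe qsidtype $Name | Select-String 'SERVICE_SID_TYPE') -replace '.*:\s*', ''
    $sid     = (& sc.exe showsid  $Name | Select-String 'SERVICE SID')      -replace '.*:\s*', ''
    [pscustomobject]@{ Service = $Name; SidType = $sidType; ServiceSid = $sid }
}

function Get-SvchostCoTenants {
    param([string]$Name)
    # Other services running in the same svchost.exe process: a firewall rule that
    # blocks that process by executable blocks all of them, which is the collateral
    # damage the post describes. Returns nothing if the service is not running.
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc -or $svc.ProcessId -eq 0) { return @() }
    Get-CimInstance Win32_Service -Filter "ProcessId=$($svc.ProcessId)" |
        Where-Object Name -ne $Name | Select-Object Name, State, StartMode
}

function Get-ServiceFirewallRules {
    param([string]$Name)
    # Rules whose service filter names this service. Such per-service rules only
    # take effect when the service has its own SID (see Get-ServiceSidInfo).
    Get-NetFirewallServiceFilter -All | Where-Object Service -eq $Name |
        Get-NetFirewallRule | Select-Object DisplayName, Direction, Action, Enabled
}

function Get-HardenedUncPaths {
    # Microsoft's fix for clients applying policy from an unauthenticated SYSVOL or
    # NETLOGON share is the "Hardened UNC Paths" policy. A setting such as
    # "RequireMutualAuthentication=1, RequireIntegrity=1" on \\*\SYSVOL and
    # \\*\NETLOGON means the client now insists on authenticating the server.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
    if (-not (Test-Path $key)) { return 'HardenedPaths policy key not present (policy not configured)' }
    $item = Get-Item $key
    foreach ($p in $item.Property) {
        [pscustomobject]@{ Path = $p; Setting = $item.GetValue($p) }
    }
}

Get-ServiceSidInfo       $svcName | Format-List
Get-SvchostCoTenants     $svcName | Format-Table -AutoSize
Get-ServiceFirewallRules $svcName | Format-Table -AutoSize
Get-HardenedUncPaths               | Format-Table -AutoSize
```

On Windows 10 builds with more than 3.5 GB of RAM most services run in their own svchost, so the co-tenant list may be empty; on older builds it shows exactly which services a process-level block would take down.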