With Microsoft security bulletin MS14-025, GPMC and related tools are now patched to no longer allow the use of configuration items within Group Policy Prefs that would embed obfuscated passwords. The bulletin references KB256345 as a workaround using the "legacy" method of configuring Windows Services using Group Policy. But as far as I know, that method only allows you to set the security ACLs on the service (and its startup type)...not the account the service runs as. I'd love to be proven wrong though.
What other ways exist to configure a service to run as a particular domain service account using Group Policy? We can't just start touching all of these machines by hand to configure the service. Assume for the moment that we have no other Windows-based configuration management tools to use and we're stuck with Group Policy and whatever other built-in tools are available, like PowerShell.
For the time being in our environment, we've simply blocked the patch in WSUS. But I'm looking for a long term solution. The passwords we're configuring in this manner are all low privilege accounts that don't matter if their passwords are compromised.
Is there perhaps a solution utilizing managed service accounts? Should we come up with some sort of PowerShell-based solution that runs at startup? The GPOs we're using apply to groups of computers that don't all have the service installed. So ideally, this solution won't start spamming the event log with Group Policy errors.
0 Answers
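As an added illustration of the two ideas raised in the question (a managed service account plus a computer startup script deployed by GPO), and not an answer posted in this thread or code from Microsoft: the script below is meant to be assigned as a Computer Configuration startup script. It looks up one service by name, does nothing (and exits cleanly) on hosts where that service is not installed, and otherwise re-points the service at a group managed service account so that no password has to be stored anywhere in the GPO. The service name `MyAppSvc` and the gMSA `CORP\svc-myapp$` are assumed placeholders. It also assumes the gMSA has already been created in AD, that each target computer is allowed to retrieve its password (the gMSA's `PrincipalsAllowedToRetrieveManagedPassword`), and that the account has been granted the "Log on as a service" right (which can itself be set centrally under User Rights Assignment in the same GPO).

```powershell
# Added example, not code from the question or any answer in the thread.
# GPO computer startup script: run a named service as a gMSA, only where the
# service exists, without storing any password in Group Policy.
param(
    [string]$ServiceName = 'MyAppSvc',        # assumed service name (placeholder)
    [string]$AccountName = 'CORP\svc-myapp$'  # assumed gMSA; the trailing $ is required
)

# Win32_Service exposes the logon account (StartName) and the Change() method.
# -Filter returns nothing (no error) when the service is absent on this host.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"

# Hosts in the GPO scope that do not have the service installed: exit 0 so the
# startup script does not fail and nothing is written to the event log.
if (-not $svc) { exit 0 }

# Idempotent: do not touch the service if it already runs as the gMSA.
if ($svc.StartName -ieq $AccountName) { exit 0 }

# For a gMSA the Service Control Manager fetches the password from AD itself,
# so StartPassword is passed empty (assumption: equivalent of
# sc.exe config <svc> obj= "CORP\svc-myapp$" password= "").
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $AccountName
    StartPassword = ''
}

# Win32_Service.Change returns 0 on success; anything else is a real problem
# worth surfacing (e.g. the right to log on as a service is missing).
if ($result.ReturnValue -ne 0) {
    Write-Error "Failed to set logon account for '$ServiceName': Change() returned $($result.ReturnValue)"
    exit 1
}

# The new logon account only takes effect on the next start, so bounce the
# service if it is currently running.
if ($svc.State -eq 'Running') {
    Restart-Service -Name $ServiceName
}

exit 0
```

Because the script only acts on hosts where the service is present and is idempotent afterwards, it is safe to leave in a GPO that covers machines without the service. On hosts older than PowerShell 3.0, `Get-CimInstance`/`Invoke-CimMethod` can be replaced by `Get-WmiObject Win32_Service` and its `.Change()` method, which take the same arguments in positional form.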