Tag Archives: Group Policy

Preventing Petya ransomware with Group Policy

This post and this twitter thread describe a mechanism to prevent the latest ransomware cyber attack from running. It involves creating one (or three) files with specific names and with the Read-only attribute set. Although the instructions in the first post describe copying and renaming notepad.exe, any file, even an empty one, with the correct name and the Read-only attribute will suffice, if I read the twitter thread correctly.
There are numerous ways to accomplish this in a large organization, including an SCCM package that either deploys the files or runs a script to create them. However, I decided to use Group Policy File Preferences to copy a small text file to the three filenames described, setting the Read-only attribute at the same time.

Using Group Policy File Preferences to create the files that will block the Petya (NotPetya) Ransomware.

This should be applied on the affected computers at their next Group Policy refresh, which may come sooner than the reboot that a start-up script would need.
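For testing the same change on a single machine before the File preference goes out, or for checking that the preference actually landed, here is an added PowerShell example (not code from the original post or the linked articles). It creates the files, sets Read-only without disturbing other attributes, and then verifies the result with a non-zero exit code on failure. The file names used here (perfc, perfc.dat and perfc.dll under %WINDIR%) are the ones that circulated for this attack and are an assumption of the example; confirm them against the post and thread linked above.

```powershell
# Added example (not from the original post): create the NotPetya "vaccine" files
# locally and verify them. Assumed names: perfc, perfc.dat, perfc.dll in %WINDIR%.
# Must run elevated, since it writes to C:\Windows.

$names  = 'perfc', 'perfc.dat', 'perfc.dll'
$windir = $env:WINDIR

foreach ($name in $names) {
    $path = Join-Path $windir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # Content is irrelevant; the malware only checks that the file exists,
        # so an empty file is enough.
        New-Item -ItemType File -Path $path -Force | Out-Null
    }
    # Set Read-only with a bitwise OR so Archive/Hidden etc. are left as they were.
    $item = Get-Item -LiteralPath $path -Force
    $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly
}

# Verification pass: report anything missing or not Read-only and exit non-zero,
# so the same script doubles as a compliance check from SCCM or a scheduled task.
$bad = foreach ($name in $names) {
    $path = Join-Path $windir $name
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if (-not $item) { "$path is missing"; continue }
    if (-not ($item.Attributes -band [System.IO.FileAttributes]::ReadOnly)) {
        "$path is not Read-only"
    }
}
if ($bad) { $bad | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "All vaccine files present and Read-only."
```

The Read-only checkbox on the GPP File item does the same thing the `-bor` line does above. One caveat a practitioner should keep in mind: this only works because this particular sample checks for the file's existence before running, so it is a kill switch for this malware, not general protection, and it does nothing against the credential-theft and PsExec/WMI spread that follow once a host is infected.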

GUID Chase – Group Policy troubleshooting

It started with an alert from System Center Operations Manager about a failed scheduled task. Of course, the alert references a task name that looks like a SID. Running schtasks /query showed a few jobs with a status that warranted inspection. Looking at the Microsoft-Windows-TaskScheduler/Operational log, I found that the task “\Microsoft\Windows\CertificateServicesClient\UserTask” was the one that failed and triggered the alert.
I also noted that there were some Group Policy processing errors occurring at about the same time as the task failure, including a problem applying the Group Policy Scheduled Tasks settings. And the failing task starts at user login.
Next, I ran gpresult /h to create a report of the GPOs and settings that applied, and any errors that were generated. The report confirmed that there were failures in applying the Group Policy Files settings and the Group Policy Scheduled Tasks settings.
Some web searching turned up this thread, among others, which pointed me to the Group Policy History files in C:\Users\All Users\Microsoft\Group Policy\History. This directory contained four subdirectories named with the GUIDs for the corresponding GPOs. I was able to find three of the four GPOs by inspecting the details in the GPMC, but I couldn’t find the fourth.
I decided to search more programmatically, and started with an LDAP search with ADFind:

adfind -f "&(objectClass=groupPolicyContainer)(Name={DC257675-89C1-5AA6-5F65-B5D5CFC35E17})"
0 Objects returned

Then, just to be sure, I used the PowerShell GroupPolicy module:

PS Z:\> import-module GroupPolicy
PS Z:\> get-gpo -guid "{DC257675-89C1-5AA6-5F65-B5D5CFC35E17}"
Get-GPO : A GPO with ID {DC257675-89C1-5AA6-5F65-B5D5CFC35E17} was not found in the campus.ad.uvm.edu domain.

So I removed the subdirectory with that name from the GP History directory, and retried gpupdate /force. This time, it completed successfully.

Wednesday – April 29

Some Microsoft updates released yesterday, including Office 2007 SP2. TSGateway server Web and Terminal services didn’t restart gracefully. Investigating, I found some weird behavior from our Networker backup software. However, installing two outstanding updates and rebooting resolved the TS issue. Now I have two Networker issues to follow up on: restoring .Net config files, and NDMP file restores missing ACLs.

Client with Dell Latitude d630. LiteTouch deployment created BDEDrive at S:, which conflicts with our standard drive mappings. Tried booting to Vista DVD, deleting the volume and then repairing, but that recreated the same system volume. Found a KB article that described renaming a registry key to change the drive letter that the system drive was using. Moved it to Z: and things started working normally.

Began deployment of new DC; drive cloning is s-l-o-w, and so is drive formatting.

Went on a wellness walk on Nation Walk @ Lunch Day; had a nice conversation with a friend from Health Promotion Research.

Checked-in on MSPSS issue; support engineer didn’t receive my email and data sent yesterday. Re-sent.

Some discussion of Vista software compatibility.

Added another laptop to test Wireless group policy.

Developed initial server admin group policy.

Worklog — Town Meeting Day

Need to expand storage on WinDB; Kent is working on the FC storage.

Documentation regarding printer installation. Added a How-To wiki library to the AD Sharepoint Site, and added instructions for installing a printer via “Find a printer in the directory”.

Disks on WinDB are successfully expanded.

Expanded the printer documentation.

Quite a bit of work confirming the functionality of NTFRS for SYSVOL: correlated GP GUIDs and names; looked into a couple of orphaned policy folders; looked through the Deleted Objects container. Couldn’t find any policies pointing to those orphaned GUIDs.
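Both the GUID Chase post above and this entry come down to the same check: take every GUID-named policy folder on disk and ask AD whether a GPO with that ID still exists. The following PowerShell script is an added example (not the author's own tooling) that does that in one pass for the client-side Group Policy History cache and for the Policies folder in SYSVOL, and, for SYSVOL orphans, looks them up in the Deleted Objects container. It assumes the GroupPolicy module from RSAT/GPMC, the ActiveDirectory module for the tombstone lookup, and that the current user's DNS domain is the one to query; `$Domain` and `$HistoryRoot` are parameters of the example, not anything from the original posts.

```powershell
# Added example: find GPO GUIDs on disk that no longer resolve to a GPO in AD.
# Assumptions: GroupPolicy module available; ActiveDirectory module optional
# (used only for the Deleted Objects lookup); $Domain defaults to the user's domain.
param(
    [string]$Domain      = $env:USERDNSDOMAIN,
    [string]$HistoryRoot = (Join-Path $env:ProgramData 'Microsoft\Group Policy\History')
)
Import-Module GroupPolicy -ErrorAction Stop

# One query for every GPO in the domain, keyed by "{GUID}" in upper case,
# rather than one Get-GPO -Guid call per directory.
$known = @{}
foreach ($gpo in Get-GPO -All -Domain $Domain) {
    $known[('{{{0}}}' -f $gpo.Id.ToString().ToUpper())] = $gpo.DisplayName
}

function Get-GpoFolderStatus {
    param([string]$Root, [string]$Source)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    # Only immediate subdirectories named {GUID}; both History and SYSVOL\Policies
    # keep one such folder per GPO, so anything else (PolicyDefinitions etc.) is skipped.
    Get-ChildItem -LiteralPath $Root -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $guid = $_.Name.ToUpper()
            [pscustomobject]@{
                Source = $Source
                Guid   = $guid
                Name   = if ($known.ContainsKey($guid)) { $known[$guid] } else { $null }
                Orphan = -not $known.ContainsKey($guid)
                Path   = $_.FullName
            }
        }
}

$results = @()
# Client-side cache: where the GUID Chase post found the stale {DC257675-...} folder.
$results += Get-GpoFolderStatus -Root $HistoryRoot -Source 'History'
# Domain-side: one folder per GPO in SYSVOL\Policies, replicated by NTFRS or DFSR.
$results += Get-GpoFolderStatus -Root "\\$Domain\SYSVOL\$Domain\Policies" -Source 'SYSVOL'

$results | Sort-Object Orphan, Source, Guid | Format-Table Source, Guid, Name, Orphan -AutoSize

# For SYSVOL orphans, check whether the groupPolicyContainer was deleted rather than
# never created. A tombstoned object keeps its old RDN as a prefix of its new name.
$orphans = $results | Where-Object Orphan
if ($orphans -and (Get-Module -ListAvailable ActiveDirectory)) {
    Import-Module ActiveDirectory
    foreach ($o in $orphans | Where-Object Source -eq 'SYSVOL') {
        $filter = "(&(objectClass=groupPolicyContainer)(isDeleted=TRUE)(name=$($o.Guid)*))"
        $dead = Get-ADObject -LDAPFilter $filter -IncludeDeletedObjects -Server $Domain `
                             -Properties displayName, whenChanged -ErrorAction SilentlyContinue
        if ($dead) {
            Write-Warning ("{0}: deleted GPO '{1}' (deleted {2})" -f $o.Guid, $dead.displayName, $dead.whenChanged)
        } else {
            Write-Warning ("{0}: no live or deleted GPO found for {1}" -f $o.Guid, $o.Path)
        }
    }
}
$orphans | Where-Object Source -eq 'History' |
    ForEach-Object { Write-Warning "History cache entry with no GPO in AD: $($_.Path)" }
```

Orphans reported under History are safe to remove, as the post does; gpupdate rebuilds that cache. Orphans under SYSVOL deserve more care, because a folder with no matching groupPolicyContainer can also be the symptom of an AD replication or NTFRS/DFSR problem rather than a leftover, so compare the output from more than one domain controller before deleting anything.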

Fixed Samsung printer duplex issue.

Registered for Mastering the Maze. I note that Greg is doing a couple of presentations, and Carol, Ben, and Henrietta are also covering technology topics.

Began review of Certificate Services migration process: