
Unenforced GPOs, the gap in your armor


What is a Group Policy? It’s the method by which many IT execs update and apply security and configuration settings to groups of machines throughout their network. On the surface, it’s considered a proactive and efficient way to secure and “coordinate” all network devices with a single stroke. But its flaws are often overlooked, leaving CISOs with blind spots in their defenses. GPOs that are not applied are a real problem.

What about the introduction of Azure Active Directory? Wouldn’t that eliminate the need for GPOs? The short answer is: not yet. “Tens of thousands of companies use Microsoft Active Directory,” according to Intermedia, “including about 90 percent of Fortune 1000 companies.” This means that GPOs are here to stay, at least for the near future.

The problem with GPOs not being applied correctly

A non-local GPO, or Group Policy Object, is how IT admins roll out policy settings to all their machines. They create a GPO to modify the settings of multiple machines, often entire organizational units, at the same time. A small startup may be able to get away without using GPOs, but the thinking is that as the environment grows, GPOs quickly become a necessity. Consider how long it would take to manually roll out policies to an environment with 5,000 endpoints. The logic is sound, but there’s a flaw in the technology. Just because an IT manager rolled out changes through a GPO doesn’t mean those changes were actually applied to all devices correctly.

GPOs not being applied correctly happens often, and it leaves CISOs with significant blind spots and holes in their security process. These flaws are made worse because you’re unaware of their existence. If you’re a knight tasked with protecting the castle, it’s like telling the guards to close the castle doors while knowing a few of them are forgetful.

As an example, let’s look at an IT manager who sets a new minimum password length policy. In this scenario, she specifies a minimum password length of 10 characters. When a GPO is used to push the change, a manual inspection commonly finds that many of the actual devices on the network are still set to 8. That inspection is a very time-consuming process, which is why most organizations are hesitant to tackle this problem.

When going through an audit, IT admins will provide a screenshot of their GPOs. In this way they prove they are following the guidance of insurers. However, this “checking the box” activity doesn’t yield concrete results: these IT managers can’t be certain their changes are applied to all devices in the environment.
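As an added example, not code from the original post or from 3 Tree Tech, here is one way to replace the GPO screenshot with evidence: ask every domain computer what minimum password length it is actually enforcing and compare that to the value the GPO was supposed to set. It assumes PowerShell Remoting (WinRM) is enabled on the endpoints, that the caller is a local administrator on them, that the RSAT ActiveDirectory module is available to enumerate computers, and that the expected value of 10 matches the scenario above; none of those assumptions come from the post.

```powershell
<#
  Added example, not from the original post or from 3 Tree Tech: audit the
  effective minimum password length on every domain computer instead of
  trusting a screenshot of the GPO. Assumptions (not stated in the post):
  - PowerShell Remoting (WinRM) is enabled on the endpoints and the caller
    is a local administrator on them;
  - the RSAT ActiveDirectory module is installed on the auditing host;
  - the expected value of 10 matches the scenario described in the post.
#>
param(
    [int]$ExpectedMinLength = 10,
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,
    [string]$ReportPath = ".\password-length-drift.csv"
)

Import-Module ActiveDirectory

# Enumerate enabled Windows computers in the chosen scope (an OU or the whole domain).
$computers = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -like "*Windows*"' `
    -SearchBase $SearchBase -Properties OperatingSystem |
    Select-Object -ExpandProperty Name

# Runs on each endpoint: export the security policy currently in force with
# secedit and read MinimumPasswordLength from its [System Access] section.
$probe = {
    $inf = Join-Path $env:TEMP ("gpo-audit-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $inf /quiet | Out-Null
        $match = Select-String -Path $inf -Pattern '^\s*MinimumPasswordLength\s*=\s*(\d+)' |
            Select-Object -First 1
        $length = $null
        if ($match) { $length = [int]$match.Matches[0].Groups[1].Value }
        [pscustomobject]@{
            Computer              = $env:COMPUTERNAME
            MinimumPasswordLength = $length
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

# Fan out in parallel; machines that are off or unreachable simply return nothing.
$results = Invoke-Command -ComputerName $computers -ScriptBlock $probe `
    -ThrottleLimit 64 -ErrorAction SilentlyContinue

$drifted     = @($results | Where-Object { $_.MinimumPasswordLength -ne $ExpectedMinLength })
$unreachable = @($computers | Where-Object { $_ -notin $results.Computer })

# Drift and silence are both findings: a device nobody could reach is a
# device nobody can vouch for.
"{0} targeted, {1} answered, {2} drifted from {3}, {4} unreachable" -f `
    $computers.Count, $results.Count, $drifted.Count, $ExpectedMinLength, $unreachable.Count

$drifted |
    Select-Object Computer, MinimumPasswordLength,
        @{ Name = 'Expected'; Expression = { $ExpectedMinLength } } |
    Sort-Object Computer |
    Export-Csv -Path $ReportPath -NoTypeInformation

$unreachable | ForEach-Object { "UNREACHABLE: $_" }
```

The CSV lists the devices still sitting at 8 (or any other value), which is the list an auditor actually wants; the unreachable list is reported separately because a machine that never answered is exactly the kind of blind spot the post describes. Note that this checks the policy in force on each device for its local accounts; the password policy for domain accounts is set once on the domain controllers and can be read with `Get-ADDefaultDomainPasswordPolicy`.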

Microsoft Intune Blind Spots

One primary use of Microsoft Intune is to manage GPOs, but it’s often a surprise to perceptive tech execs when they realize there’s no way to validate changes through Intune. Microsoft Intune is simply not designed to do more than push changes. This is one reason GPOs not being applied is a persistent problem.

Microsoft Intune has many of the same settings as on-premises GPOs. Group Policy analytics is a tool in Microsoft Intune that:

  • Analyzes your on-premises GPOs.
  • Shows the settings that are supported by cloud-based MDM providers, including Microsoft Intune.
  • Shows any deprecated settings or settings not available.
  • Migrates your imported GPOs to a settings catalog policy that can be deployed to your devices.

To summarize, in this case Intune is closer to a policy or a recommendation. It can push out rules, but GPOs that fail to apply aren’t tracked; there’s no feedback. It’s also important to note that it doesn’t apply to servers, leaving potential vulnerabilities and risks unaddressed. For attackers, servers are low-hanging fruit and are often where critical information is stored. Many CISOs aren’t aware this hole exists in their network at this very second, and the CISOs who are aware of the problem don’t have a cost-effective or efficient solution.

The remote workforce has further complicated this scenario. This is why many experts, including us, believe GPOs need an enforcer.

Jacob Friedman

Jacob Friedman is a Strategic Account Director at 3 Tree Tech in Portland. He enjoys researching new disruptive tech across the full stack and introducing it to tech execs across the United States. Message him right here.
