Microsoft Security Bulletin (MS00-099) - Microsoft has released a patch that eliminates a security vulnerability affecting Windows 2000 domain controllers. If the Configure Your Server tool was used when the machine was originally promoted to domain controller, the Directory Service Restore Mode would be left blank, allowing malicious users to log onto the machine in Directory Service Restore Mode. Once logged on, the malicious user could alter system components or install bogus ones that would execute when a bona fide administrator subsequently logged onto the machine. Microsoft FAQ on this issue available here.
097a2291b5054d4ff9e849dfa437e881e60c5ee292001b490388bc935ad40744 Microsoft Security Bulletin (MS00-099)
Patch Available for Directory Service Restore Mode Password
Vulnerability
Originally posted: December 20, 2000
Summary
Microsoft has released a patch that eliminates a security
vulnerability affecting Microsoft® Windows® 2000 domain controllers.
The vulnerability could allow a malicious user with physical access to
a domain controller to install malicious software on it.
Frequently asked questions regarding this vulnerability and the patch
can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-099.asp
Issue
Windows 2000 provides several special operating modes that can be
chosen at boot time in order to allow the administrator to
troubleshoot and restore a machine with a damaged configuration. One
of these, Directory Service Restore Mode, is designed to allow the
Active Directory to be repaired and restored on a domain controller. A
password is required in order to operate the system in this mode.
However, if the Configure Your Server tool was used when the machine
was originally promoted to domain controller, that password would be
blank. This could enable a malicious user to log onto the machine in
Directory Service Restore Mode. Once logged on, the malicious user
could alter system components or install bogus ones that would execute
when a bona fide administrator subsequently logged onto the machine.
There are three significant mitigating factors associated with this
vulnerability:
* The malicious user would need physical access to the machine in
order to log into it in Directory Service Restore Mode. However,
security best practices strongly recommend against ever giving
unprivileged users physical access to critical servers like domain
controllers. Customers who have followed this guidance would not
be affected by the vulnerability.
* The vulnerability only occurs if the Configure Your Server tool
was used to promote the server to domain controller. If the
DCPROMO tool was used, the machine could not be affected by the
vulnerability.
* The Configure Your Server tool can only be run on the first domain
controller in a forest. As a result, no other servers could be
affected by the vulnerability.
A second troubleshooting mode also is affected. When the Directory
Service Restore Mode password is set, the password for the Recovery
Console is automatically synchronized with it. As a result, machines
affected by this vulnerability would have a blank password for both
the Directory Service Restore Mode and the Recovery Console. However,
the scope of the vulnerability is unchanged by the involvement of the
Recovery Console, for better or worse.
Affected Software Versions
* Microsoft Windows 2000 Server
* Microsoft Windows 2000 Advanced Server
Note: Windows 2000 workstations are unaffected by this vulnerability.
Patch Availability
* The patch has been temporarily removed, but will be re-posted
shortly
Note: On Windows 2000 Server and Advanced Server systems, this patch
can be installed atop either the Gold version or Service Pack 1. It
will be included in Windows Server and Advanced Server, Service Pack
2.
Note Additional security patches are available at the Microsoft
Download Center
More Information
Please see the following references for more information related to
this issue.
* Frequently Asked Questions: Microsoft Security Bulletin MS00-099,
http://www.microsoft.com/technet/security/bulletin/fq00-099.asp
* Microsoft Knowledge Base article Q271641 discusses this issue and
will be available soon.
* Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at
http://support.microsoft.com/support/contact/default.asp.
Acknowledgments
Microsoft thanks John Sherriff of the Wool Research Organization of
New Zealand for reporting this issue to us and working with us to
protect customers.
Revisions
* December 20, 2000: Bulletin Created.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS
OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
NOT APPLY.
Last updated December 12, 2000
© 2000 Microsoft Corporation. All rights reserved. Terms of use.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed