Patch Available for “Directory Service Restore Mode Password” Vulnerability


manunkind
December 20, 2000, 02:43 pm
Microsoft Security Bulletin (MS00-099)

Patch Available for “Directory Service Restore Mode Password” Vulnerability

Originally posted: December 20, 2000

Summary
Microsoft has released a patch that eliminates a security vulnerability affecting Microsoft® Windows® 2000 domain controllers. The vulnerability could allow a malicious user with physical access to a domain controller to install malicious software on it.

Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-099.asp

Issue

Windows 2000 provides several special operating modes that can be chosen at boot time in order to allow the administrator to troubleshoot and restore a machine with a damaged configuration. One of these, Directory Service Restore Mode, is designed to allow the Active Directory to be repaired and restored on a domain controller. A password is required in order to operate the system in this mode. However, if the “Configure Your Server” tool was used when the machine was originally promoted to domain controller, that password would be blank. This could enable a malicious user to log onto the machine in Directory Service Restore Mode. Once logged on, the malicious user could alter system components or install bogus ones that would execute when a bona fide administrator subsequently logged onto the machine.

There are three significant mitigating factors associated with this vulnerability:

The malicious user would need physical access to the machine in order to log into it in Directory Service Restore Mode. However, security best practices strongly recommend against ever giving unprivileged users physical access to critical servers like domain controllers. Customers who have followed this guidance would not be affected by the vulnerability.

The vulnerability only occurs if the “Configure Your Server” tool was used to promote the server to domain controller. If the DCPROMO tool was used, the machine could not be affected by the vulnerability.

The “Configure Your Server” tool can only be run on the first domain controller in a forest. As a result, no other servers could be affected by the vulnerability.

A second troubleshooting mode also is affected. When the Directory Service Restore Mode password is set, the password for the Recovery Console is automatically synchronized with it. As a result, machines affected by this vulnerability would have a blank password for both the Directory Service Restore Mode and the Recovery Console. However, the scope of the vulnerability is unchanged by the involvement of the Recovery Console, for better or worse.

Affected Software Versions:

Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server

Note: Windows 2000 workstations are unaffected by this vulnerability.

Patch Availability

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26483

Note: On Windows 2000 Server and Advanced Server systems, this patch can be installed atop either the Gold version or Service Pack 1. It will be included in Windows Server and Advanced Server, Service Pack 2.

Note: Additional security patches are available at the Microsoft Download Center.


------------------
Moderator at Help from Techs Support Forums (http://www.helpfromtechs.com)