Microsoft Security Bulletin (MS00-026): Frequently Asked Questions
What's this bulletin about?
Microsoft Security Bulletin MS00-026 announces the availability of a patch that eliminates a vulnerability affecting Microsoft® Windows® 2000 domain controllers. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This vulnerability would, under certain conditions, allow a malicious user to modify attributes of an object in the Active Directory that he should not be able to change.
The vulnerability is limited by the fact that the malicious user would need to already be authorized to modify another attribute of the same object. Only Windows 2000 domain controllers are affected by the vulnerability, and Windows 2000 auditing would enable the administrator to determine who made the change.
What causes the vulnerability?
This vulnerability results because, under certain conditions, it is possible for a user to modify an attribute that he should not be able to modify, by combining the operation with ones involving attributes that he does have permission to modify.
What is Active Directory?
A directory, in the broadest sense, is a comprehensive listing of objects. Windows 2000 provides a native directory service called Active Directory, which can be used to store information about virtually any network object - printers, file share locations, personal information, etc. Active Directory is a distributed, highly flexible directory service that can handle millions of objects with excellent performance.
What's an Active Directory object?
First, let's start with what an object class is. An object class is a conceptualized view of a type of data that someone wants to be able to store and search in the Active Directory. For instance, suppose a company needs to store information on employees. It might create an "employees" object class. An object class specifies the attribute types that all objects of that class share - so, in the case of employees, the attribute types might include the first name, last name, middle initial, home address and social security number.
An object is one instance of an object class. For example, if Bob Jones is a company employee, there would be one instance of the "employee" object class that represents him - that is, there would be a Bob Jones "employee" object in the Active Directory, with first name, last name, middle initial, home address and social security number attributes.
What is the vulnerability in Active Directory?
Under certain conditions, it could be possible for a user who has permission to modify at least one attribute in an object to also modify others that he does not have permission to modify. For example, if Bob Jones has permission to modify the Last Name field in the Bob Jones employee object, this vulnerability could potentially allow him to also change an attribute in that object that he does not have permission to modify, such as his social security number.
Would this vulnerability give the malicious user the ability to change data for an entire object class, or only for specific objects?
The vulnerability would apply to specific objects. That is, the vulnerability could allow Bob Jones to change attributes in the Bob Jones object, but would not give him the ability to change attributes on other employee objects (unless, of course, he had specifically been given permission to modify attributes in each of the objects).
What kind of data would primarily be at risk from this vulnerability?
The key is whether normal users are allowed to change the value of at least one attribute on an object. If this is not the case, the data cannot be affected by this vulnerability. This restriction has an important bearing on the type of data likely to be at risk, because, typically, the more sensitive the data in an object class is, the less likely it is that normal users have permission to modify any of the attributes in it.
Could this vulnerability be exploited accidentally?
Although it is possible for this vulnerability to be exploited accidentally, a specific series of steps is needed to exploit it, which makes this unlikely to happen.
Could this vulnerability be exploited remotely?
If an affected domain controller were exposed directly to the Internet, it would be possible to exploit this vulnerability remotely. In general, this is not a recommended practice.
However, keep in mind that even under these conditions, the user would need to be able to authenticate to the domain controller, and even then could only exploit the vulnerability if he had permission to modify at least one attribute on an object already. Thus, even if a Windows 2000 domain controller were exposed to the Internet, a user could only use this vulnerability to change Bob Jones' social security number if he could authenticate as Bob Jones (or someone else who had permission to modify an attribute of the Bob Jones object).
If someone did exploit this vulnerability, could I detect that it had been done?
Yes. Windows 2000 allows you to audit all Active Directory actions, and this vulnerability does not provide any way to bypass normal auditing. However, it is important to note that the auditing subsystem would record the action as having failed with an "access denied" error, so an administrator would need to investigate more than just successful operations.
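The caveat above is easy to get wrong in an audit review: a change made through this vulnerability shows up as a failed, access-denied modification, so a review that keeps only successful directory operations misses it. The following is an added example, not Microsoft's code; it runs over a constructed, simplified record format (not the Windows 2000 event log format), with constructed user names, object names and attribute names, and flags access-denied failures that coincide with a permitted write to the same object by the same user.

```python
"""Triage of constructed Active Directory audit records after MS00-026.

Added example, not from the bulletin. Record format, names and the
"socialSecurityNumber" attribute are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BOB = "CN=Bob Jones,OU=Employees,DC=corp,DC=example"
ALICE = "CN=Alice Smith,OU=Employees,DC=corp,DC=example"

# Constructed sample: (timestamp, user, object, attribute, outcome, detail)
SAMPLE_AUDIT = [
    ("2000-04-20 09:14:02", "CORP\\bjones", BOB, "sn", "Success", ""),
    ("2000-04-20 09:14:02", "CORP\\bjones", BOB, "socialSecurityNumber",
     "Failure", "access denied"),
    ("2000-04-20 11:30:45", "CORP\\hradmin", BOB, "homePostalAddress",
     "Success", ""),
    ("2000-04-21 08:02:10", "CORP\\bjones", ALICE, "sn",
     "Failure", "access denied"),
]


def parse(rec):
    ts, user, obj, attr, outcome, detail = rec
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "user": user,
            "object": obj, "attr": attr, "outcome": outcome, "detail": detail}


def successful_changes(records):
    """The naive review: successful modifications only. Misses the SSN write."""
    return [(r["user"], r["object"], r["attr"])
            for r in map(parse, records) if r["outcome"] == "Success"]


def suspect_changes(records, window=timedelta(seconds=5)):
    """Flag access-denied failures that coincide with a successful write to the
    same object by the same user: the bulletin's pattern of a permitted
    attribute write combined with a denied one. A lone denial is not flagged."""
    parsed = [parse(r) for r in records]
    successes = defaultdict(list)
    for r in parsed:
        if r["outcome"] == "Success":
            successes[(r["user"], r["object"])].append(r["time"])
    flagged = []
    for r in parsed:
        if r["outcome"] != "Failure" or "access denied" not in r["detail"].lower():
            continue
        if any(abs(t - r["time"]) <= window
               for t in successes[(r["user"], r["object"])]):
            flagged.append((r["user"], r["object"], r["attr"]))
    return flagged
```

Flagged attributes should be checked against their current values, since the audit outcome alone does not tell you whether the denied write took effect.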
What machines are primarily at risk from this vulnerability?
Windows 2000 domain controllers are the only machines affected by this vulnerability.
Will Windows 2000 Datacenter Version be affected by the vulnerability?
No. This vulnerability will be corrected prior to shipment.
What machines should I apply the patch to?
This patch should be applied to any Windows 2000 domain controllers. No other machines require this patch.
What does the patch do?
The patch ensures that a user can only modify an object attribute if he has permission to modify it.
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed the patch correctly?
The KB article provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has developed a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
