What's this bulletin about?
Microsoft Security Bulletin MS00-096 announces the availability of a Security Configuration template that eliminates a security vulnerability affecting Microsoft® Windows® 2000. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This vulnerability is, for all practical purposes, the same as the "SNMP Parameters" vulnerability discussed in Microsoft Security Bulletin MS00-095. Like that vulnerability, this one could enable a malicious user to manage or configure devices on the network. The specific privileges she could gain would vary widely from network to network, and would depend on the extent to which Simple Network Management Protocol (SNMP) is used on it. In the worst case, though, the vulnerability could enable her to misconfigure routers and firewalls, change content on web servers and database servers, stop or start services on a machine, and so forth.
SNMP is, by design, not a secure protocol. Even in the absence of inappropriate registry permissions, a malicious user could still monitor the network and obtain all the information needed to manage SNMP devices on the network. SNMP is not installed on Windows 2000 systems by default.
If this vulnerability is the same as one of those discussed in MS00-095, why have you issued a separate bulletin?
Although there is much common ground between this bulletin and MS00-095, we felt that it would be more clear if we wrote separate bulletins - MS00-095 discussing Windows NT® 4.0 vulnerabilities and this bulletin discussing Windows 2000. Here's why we concluded that treating them in the same bulletin would have been confusing:
- Of the three vulnerabilities discussed in MS00-095, only one - the "SNMP Parameters" vulnerability - also affects Windows 2000.
- In addition to correcting the three vulnerabilities discussed in MS00-095, the tool provided there also corrects a number of other incorrect registry permissions that were discussed in previous bulletins. However, none of those other keys require modification on Windows 2000 systems.
- The fix provided in MS00-095 for Windows NT 4.0 systems is a command-line tool, where the fix for Windows 2000 systems is a template for the Security Configuration and Analysis Tool. As a result, the instructions for using the respective fixes are completely different.
What causes the vulnerability?
The cause of the vulnerability is exactly the same as discussed in MS00-095. The permissions on the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters are incorrect, and could allow an unprivileged user to read or change them.
What would this allow a malicious user to do?
The effect of the vulnerability is likewise exactly the same as discussed in MS00-095. A malicious user could use this vulnerability to learn information about already-existing communities that her machine was a member of, and pose as a legitimate SNMP manager in order to monitor or reconfigure devices in the community.
Is there anything different between this vulnerability and its Windows NT 4.0 counterpart?
Yes. Under default conditions, this vulnerability could not be exploited remotely on Windows 2000 systems. We noted in MS00-095 that Windows NT 4.0 workstations' default settings allow remote access to the registry. However, all Windows 2000 systems - including workstations - disallow remote access to the registry by default.
Is there anything different about how the fix discussed below works, as compared to the Windows NT 4.0 fix?
Yes. If you apply the template, and then install SNMP later, the right permissions will be retained on the registry keys. In contrast, the Windows NT 4.0 discussed in MS00-095 would need to be re-applied if the administrator installed SNMP.
What does the patch do?
The patch contains a template for use in the Security Configuration and Analysis tool, that resets the registry permissions to the appropriate values.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .
What permissions are set by the template?
The template sets the following permissions on the following keys and their subkeys:
| Hive | Key | Permission |
|---|
HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet | Services\SNMP\Parameters\
PermittedManagers | Administrators, System,
Creator Owner: Full |
HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet | Services\SNMP\Parameters\
ValidCommunities | Administrators, System,
Creator Owner: Full |
What is Microsoft doing about this issue?
- Microsoft has delivered a Security Configuration and Analysis template that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
