Microsoft Security Bulletin MS00-099
Microsoft has released a patch that eliminates a security vulnerability affecting Microsoft Windows 2000 domain controllers. The vulnerability could allow a malicious user with physical access to a domain controller to install malicious software on it.
Originally posted: December 20, 2000
Affected Software:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
Note: Windows 2000 workstations are unaffected by this vulnerability.
Vulnerability Identifier: CAN-2001-0048
Windows 2000 provides several special operating modes that can be chosen at boot time in order to allow the administrator to troubleshoot and restore a machine with a damaged configuration. One of these, Directory Service Restore Mode, is designed to allow the Active Directory to be repaired and restored on a domain controller. A password is required in order to operate the system in this mode. However, if the "Configure Your Server" tool was used when the machine was originally promoted to domain controller, that password would be blank. This could enable a malicious user to log onto the machine in Directory Service Restore Mode. Once logged on, the malicious user could alter system components or install bogus ones that would execute when a bona fide administrator subsequently logged onto the machine.
There are three significant mitigating factors associated with this vulnerability:
- The malicious user would need physical access to the machine in order to log into it in Directory Service Restore Mode. However, security best practices strongly recommend against ever giving unprivileged users physical access to critical servers like domain controllers. Customers who have followed this guidance would not be affected by the vulnerability.
- The vulnerability only occurs if the "Configure Your Server" tool was used to promote the server to domain controller. If the DCPROMO tool was used, the machine could not be affected by the vulnerability.
- The "Configure Your Server" tool can only be run on the first domain controller in a forest. As a result, no other servers could be affected by the vulnerability.
A second troubleshooting mode is also affected. When the Directory Services Restore Mode password is set, the password for the Recovery Console is automatically synchronized with it. As a result, machines affected by this vulnerability would have a blank password for both Directory Services Restore Mode and the Recovery Console. However, the involvement of the Recovery Console does not change the scope of the vulnerability.
What's this bulletin about?
Microsoft Security Bulletin MS00-099 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows® 2000. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This vulnerability could potentially enable a malicious user to log onto a Windows 2000 domain controller via an administrative account. This would give her the opportunity to install malicious software onto the machine, potentially giving her the ability to take virtually any action on the domain, including creating or modifying user accounts, changing information in the Active Directory, or changing domain security policies.
The conditions under which the vulnerability could be exploited are fairly restrictive:
- The vulnerability only occurs if one particular tool was used to promote the machine to domain controller.
- The promotion tool can only be run on the first domain controller in a forest, so only the first domain controller could be affected by the vulnerability.
- To exploit the vulnerability, the malicious user would need physical access to the machine, as it is only possible to log into the affected administrative account by rebooting the machine.
What causes the vulnerability?
If the "Configure Your Server" tool is used to promote a machine to be the first domain controller in a forest, the Directory Service Restore Mode and Recovery Console password is left blank.
What is Directory Services Restore Mode?
Windows 2000 provides several options that allow the server operator to troubleshoot and repair problems on the machine. When the machine boots, Windows 2000 briefly displays a menu that lets the operator select one of several different operating modes. Each of the modes is slightly different, but, in general, all are designed to boot the machine into a state that, while not fully operable, nevertheless allows the operator to make configuration changes and restore it to normal operating condition.
One of the repair modes, Directory Services Restore Mode, is only available on domain controllers. It's used to enable the server operator to restore a damaged version of the Active Directory with a backup copy. When the operator selects Directory Services Restore Mode, Windows 2000 prompts for a password, and then starts the machine in an administrative context that allows the operator to make the needed repairs via Windows 2000 command-line commands.
What's wrong with Directory Services Restore Mode?
Depending on which tool the server operator used to promote the machine to a domain controller, it's possible for the Directory Services Restore Mode password to be blank.
What do you mean by "promote a machine to domain controller"?
When Windows 2000 Server is installed, the machine is initially configured as a member server, with no special privileges on the domain. If the domain administrator wants to make the machine a domain controller, she can do so in either of two ways: by running the DCPROMO tool from the command line, or by starting the "Configure Your Server" administrative tool.
If she chooses to use DCPROMO, all goes as expected. As part of the promotion process, DCPROMO will ask for a password for Directory Services Restore Mode. However, if she chooses to use "Configure Your Server", the tool doesn't prompt for the password. Instead, it leaves the Directory Services Restore Mode password blank.
You mentioned that this vulnerability only affects the first domain controller in a forest. Why is this?
The "Configure Your Server" tool can only be used to create the first domain controller in a forest. Any subsequent domain controllers must be promoted using the DCPROMO tool, which is not affected by the vulnerability.
Both DCPROMO and "Configure Your Server" seem to do exactly the same thing, and even run the same wizard. Why does it matter which tool is used?
The two tools do run the same wizard, and should, by design, take the same action. In fact, the "Configure Your Server" tool runs the DCPROMO tool. The problem is that the "Configure Your Server" tool doesn't request the Directory Service Restore Mode password, and passes a null password as a parameter to the DCPROMO tool. This results in the password being left blank. When DCPROMO is run directly, it prompts for a password.
What could a malicious user do if she exploited this vulnerability?
If a malicious user could reboot the machine into Directory Services Restore Mode, she could authenticate using the blank password, and gain access to the machine in an administrative capacity. However, there are a great many commands that can't be executed in Directory Services Restore Mode. As a result, the most likely scenario is that the malicious user would install malicious bogus system software via Directory Service Restore Mode, then reboot the machine to allow it to take effect. This would give her the ability to indirectly exercise complete administrative control over both the machine and the domain. She could add new users, reset other users' passwords, change or add Active Directory information, and take other actions.
However, it's extremely important to note that she would need physical access to the machine in order to reboot it and choose Directory Services Restore Mode - there is no capability to exploit this vulnerability remotely. Best practices strongly recommend against ever giving normal users physical access to domain controllers, because of the possibility that they could tamper with the machine or simply shut it down entirely. If this practice has been followed, the vulnerability couldn't be exploited even on an affected machine.
You also mentioned that the Recovery Console is affected. What is it?
The Recovery Console is another troubleshooting mode. However, unlike Directory Services Restore Mode, the Recovery Console isn't available from the boot menu. Instead, it's available as an option when the operator runs the Windows 2000 Setup CD. When Setup runs, it checks to see whether there's already a copy of Windows 2000 on the machine. If there is, Setup asks the operator whether to try to repair the existing copy, or simply install a fresh copy. If the operator selects "Repair", Windows 2000 prompts for a password and then enters the Recovery Console. At that point, the server operator can troubleshoot and repair the existing installation.
Like Directory Services Restore Mode, the Recovery Console gives the authenticated user the ability to install additional software onto the machine or reconfigure it. As a result, the Recovery Console would give the malicious user a second way to accomplish the same ends.
Why is the Recovery Console affected?
As discussed in Knowledge Base article Q239803, when the Directory Services Restore Mode password is set, the Recovery Console password is set to match it. Thus, on an affected machine, both the Directory Service Restore Mode and Recovery Console passwords would be blank.
Does this make the vulnerability worse?
No. The involvement of the Recovery Console doesn't change the scope of the vulnerability in any way. Regardless of whether the malicious user used Directory Services Restore Mode or the Recovery Console, all of the previously-discussed restrictions would apply: only the first domain controller in the forest would be affected -- and only if the "Configure Your Server" tool had been used to promote the machine to domain controller -- and the malicious user would require physical access to the machine in order to exploit the vulnerability.
What does the patch do?
The patch synchronizes the passwords for both the Directory Service Restore Mode and the Recovery Console to be the same as the administrator's password.
Does the patch change the code in the "Configure Your Server" tool to cause it to prompt for a password?
No. Usually when we deliver a patch, it changes the affected code to eliminate the vulnerability. However, in this case, that isn't a workable solution. Remember that the "Configure Your Server" tool is run as part of system setup. That means that the administrator would have run the tool long before she had an opportunity to apply the patch. That's why it makes more sense to provide a tool that can be run afterward, to synchronize the passwords.
The bulletin says that the fix for this vulnerability will be included in Windows 2000 SP2. Will this fix change the code in the "Configure Your Server" tool?
No. The issue here is exactly the same as in the previous question -- by the time an administrator applied the service pack, it's likely that she would have already run "Configure Your Server". Instead, the Service Pack 2 installation routine will automatically synchronize the passwords.
Is there anything else in the patch?
Yes. The patch also provides SETPWD, a tool that enables the system administrator to reset the Directory Services Restore Mode and Recovery Console passwords to any desired value. The patch performs a one-time synchronization of the passwords; the SETPWD tool allows the administrator to change the passwords afterwards.
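To make the mechanism concrete, here is an added toy model (constructed for this bulletin, not Microsoft's code) of the defect described above and of what the patch and SETPWD do: the wrapper passes a null password through, the unpatched promotion routine stores it as a blank password that restore mode then accepts, a hardened promotion routine rejects it, and the patch or SETPWD reset the Directory Services Restore Mode and Recovery Console passwords together. All function and class names are hypothetical.

```python
import hashlib
import secrets


class RestoreModeStore:
    """Hypothetical model of the credential store shared by Directory
    Services Restore Mode and the Recovery Console (see Q239803)."""

    def __init__(self):
        self.salt = secrets.token_bytes(16)
        self.dsrm_hash = None
        self.recovery_console_hash = None

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def set_password(self, password: str) -> None:
        # Setting the DSRM password also sets the Recovery Console password.
        digest = self._hash(password)
        self.dsrm_hash = digest
        self.recovery_console_hash = digest

    def dsrm_logon(self, password: str) -> bool:
        # No password has ever been set -> nobody can log on in restore mode.
        if self.dsrm_hash is None:
            return False
        return secrets.compare_digest(self.dsrm_hash, self._hash(password))


def dcpromo_unpatched(store: RestoreModeStore, dsrm_password) -> None:
    # Defect modelled here: a null value from the caller is silently stored
    # as a blank password instead of being rejected.
    store.set_password(dsrm_password or "")


def dcpromo_hardened(store: RestoreModeStore, dsrm_password) -> None:
    # Hardened variant: refuse a missing or empty password outright.
    if not dsrm_password:
        raise ValueError("Directory Services Restore Mode password must not be empty")
    store.set_password(dsrm_password)


def configure_your_server(store: RestoreModeStore, promote) -> None:
    # The wrapper never prompts and passes a null password to the promotion routine.
    promote(store, None)


def apply_ms00_099_patch(store: RestoreModeStore, administrator_password: str) -> None:
    # One-time synchronization of both passwords to the administrator's password.
    store.set_password(administrator_password)


def setpwd(store: RestoreModeStore, new_password: str) -> None:
    # Later resets of both passwords to any desired value.
    store.set_password(new_password)
```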
How do I use the SETPWD tool?
The usage of the tool is:
- If the tool is run on the local machine, no parameters are required.
- If /s is specified, a remote computer name must be provided on the command line. You must currently be logged in to an account that has administrative privileges on the remote machine, or you must have previously established a session with the target machine under such an account. This can be done, for example, by using "net use" to connect to the IPC$ share with the proper credentials. The servername argument is the name of a remote server on which you have administrative privileges.
Knowledge Base article Q271641 provides additional information on using the tool.
Does this vulnerability affect all Windows 2000 machines?
No. It only affects Windows 2000 domain controllers, and even then, only the first domain controller in a forest.
Who should use the patch?
Customers who used the "Configure Your Server" tool to promote a Windows 2000 member server to a domain controller should apply the patch.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
Knowledge Base article Q271641 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
Download locations for this patch
Installation platforms: On Windows 2000 Server and Advanced Server systems, this patch can be installed atop either the Gold version or Service Pack 1. It will be included in Windows 2000 Server and Advanced Server Service Pack 2.
Please see the following references for more information related to this issue.
- Microsoft Knowledge Base (KB) article Q271641
Microsoft thanks John Sherriff of the Wool Research Organization of New Zealand for reporting this issue to us and working with us to protect customers.
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- December 20, 2000: Bulletin Created.
- December 20, 2000: Patch retracted to correct an error found after release.
- January 31, 2001: Patch re-released.