Microsoft Security Bulletin MS98-001
Disabling Creation of Local Groups on a Domain by Non-Administrative Users
Last revision: March 24, 1999
The default Microsoft® Windows NT® user rights allow non-administrative users to create domain local groups. Domain local groups reside only on the domain controllers, which share a single Security Account Manager (SAM) database.
The ability of non-administrative users to create aliases (the SAM term for local groups) in the domain could be abused: a user who creates a large number of local groups causes the account database to grow without bound. Unlimited local group creation could crash the domain controller and generate excessive network traffic, because local group information is replicated to the backup domain controllers.
Affected Software Versions
Windows NT Server 3.1, 3.5, 3.51, and 4.0
The default access controls on the Windows NT domain object grant all users the right to create local groups on the domain controller. This access right on the domain object is named DOMAIN_CREATE_ALIAS.
The ability of non-administrative users to create local groups on a server is documented in the Windows NT Server Concepts and Planning manual. This capability lets users control access to the resources they own more precisely. For example, a user who wants to grant access to files he owns on a network server can create a local group in the domain and add users to it. The user then grants the local group access to his files and directories, which is preferable to setting access controls on individual users.
When a user creates a local group, only that user or an administrator can modify the group's membership or delete the group.
Please see Microsoft Knowledge Base article 169556 for more information, including the availability on http://www.microsoft.com of a tool to change this default behavior.
What Microsoft Is Doing
Microsoft is distributing this bulletin to increase awareness of this feature and of its implications when an authorized user abuses it.
A utility to change this designed behavior can be obtained free of charge from the Microsoft web site. This utility can be used to change the default behavior and restrict the creation of local groups to administrative users. Information on downloading the tool can be found in Microsoft Knowledge Base article 169556.
What Customers Should Do
Enabling auditing of "User and Group Management" in User Manager for Domains produces an audit event whenever a local group is created in the domain. Users who abuse this feature by creating a large number of groups can be identified from these events, and appropriate administrative action can be taken.
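As an added example, not part of this bulletin or of any Microsoft tool, the following script triages an exported "User and Group Management" audit trail and reports accounts that create an unusual number of local groups within a time window. The pipe-delimited export format is constructed for the example, and event ID 635 is assumed to be the "Local Group Created" event; check both against your own log export before use.

```python
"""Added example (not part of the bulletin): find accounts that create an
unusual number of domain local groups in a "User and Group Management" audit
export. Export format is constructed; event ID 635 is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

LOCAL_GROUP_CREATED_ID = "635"  # assumed "Local Group Created" ID; text is checked too

# Constructed sample: alice creates two project groups; mallory creates 40 in 40 seconds.
SAMPLE_AUDIT = "\n".join(
    ["1998-06-01 09:00:01|635|Local Group Created|CORP\\alice|Proj-Readers",
     "1998-06-01 09:02:15|635|Local Group Created|CORP\\alice|Proj-Writers",
     "1998-06-01 09:03:00|636|Local Group Member Added|CORP\\alice|Proj-Readers"]
    + [f"1998-06-01 10:00:{i:02d}|635|Local Group Created|CORP\\mallory|tmp{i:04d}"
       for i in range(40)])


def parse_audit(text):
    """Yield (timestamp, user, group) for every local-group-creation record."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 5:
            continue  # skip malformed or truncated export lines
        when, event_id, description, user, group = fields
        if event_id == LOCAL_GROUP_CREATED_ID and "Local Group Created" in description:
            yield datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), user, group


def bulk_creators(text, threshold=10, window=timedelta(hours=1)):
    """Return {user: peak creations inside any `window`} for users at or over threshold."""
    times = defaultdict(list)
    for when, user, _group in parse_audit(text):
        times[user].append(when)
    flagged = {}
    for user, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:
                start += 1  # slide the window forward past old events
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    for user, count in bulk_creators(SAMPLE_AUDIT).items():
        print(f"{user}: {count} local groups created within one hour")
```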
A utility to change this designed behavior can be obtained from the Microsoft web site. This tool can be used to modify the default behavior and restrict the creation of local groups to administrative users.
Microsoft Knowledge Base article 169556, http://support.microsoft.com/default.aspx?scid=kb;en-us;169556&sd=tech
- June 1, 1998: Bulletin Created
- March 24, 1999: Bulletin Updated
For additional information on security issues at Microsoft, please visit http://www.microsoft.com/technet/security/.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.