Information About Reported "Security Flaw" In Active Directory
|Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.|
A recent article published in Network World claims that a key security flaw exists in Active Directory. The article can be viewed online at http://www.nwfusion.com/archive/2001/117574_02-26-2001.html.
It is Microsoft's position that statements made in this article are presented out of context, creating unnecessary concern and confusion. In particular, Microsoft believes that the use of the term "security flaw" is misleading. An attacker could not exploit this issue to gain unauthorized access or an elevation of privileges. While Microsoft understands that customers may, in some instances, encounter undesirable behavior in multi-value replication, it can be avoided by exercising simple system administration practices.
When an administrator adds or removes members from a group, the entire group membership is replicated between domain controllers, not just the changes. If two administrators change group membership on two different domain controllers and replication takes place on the second domain controller before the first domain controller completes replication, only one change remains after Active Directory resolves the replication conflict. The other change is not reflected. As a result, a user might unexpectedly remain in a group from which one of the administrators had deleted them and subsequently retain access to a resource.
This scenario is rare within a single site. Since group updates are replicated quickly, the chance that two administrators will be simultaneously updating the same group is minimized. While it may occur more frequently in multi-site directory architectures, it can be easily avoided with basic system administration policies (see below). Finally, this scenario does not apply to individual user accounts. For example, if a user account is deleted, that user is removed from the system entirely - from all groups, etc.
Questions and Answers
Where can I find additional information on multi-value replications?
Microsoft recognized the implications of this scenario and documented a workaround over one year ago to ensure customers can maintain the integrity of group memberships. This workaround is documented in the Windows 2000 Deployment Guides under the Security Groups and Replication Conflicts section at http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/deploy/dgbe_sec_avta.asp
What is Microsoft doing to address this issue?
In the next release of Windows 2000 Server, the mechanism used to replicate group membership is modified to replicate values for individual membership changes instead of treating the entire membership as a single unit. This results in lower network bandwidth and processor usage during replication and eliminates the possibility of overwritten updates during simultaneous changes as described above.
Why didn't Microsoft address this issue in a Windows 2000 Service pack?
The update required to implement member-level updates involves modifications to several core components of Active Directory. In accordance with our focus on quality and avoiding changes to core system components in service packs, Microsoft decided that the best release vehicle for this change would be Whistler, the next release of Windows 2000