Directory Service Restore Mode Password Vulnerability
A security vulnerability exists which affects Microsoft® Windows® 2000 domain controllers. The vulnerability could allow a malicious user with physical access to a domain controller to install malicious software on it.
Issue
Windows 2000 provides several special operating modes that can be chosen at boot time in order to allow the administrator to troubleshoot and restore a machine with a damaged configuration. One of these, Directory Service Restore Mode, is designed to allow the Active Directory to be repaired and restored on a domain controller. A password is required in order to operate the system in this mode. However, if the “Configure Your Server” tool was used when the machine was originally promoted to domain controller, that password would be blank. This could enable a malicious user to log onto the machine in Directory Service Restore Mode. Once logged on, the malicious user could alter system components or install bogus ones that would execute when a bona fide administrator subsequently logged onto the machine.
There are three significant mitigating factors associated with this vulnerability:
- The malicious user would need physical access to the machine in order to log into it in Directory Service Restore Mode. However, security best practices strongly recommend against ever giving unprivileged users physical access to critical servers like domain controllers. Customers who have followed this guidance would not be affected by the vulnerability.
- The vulnerability only occurs if the "Configure Your Server" tool was used to promote the server to domain controller. If the DCPROMO tool was used, the machine could not be affected by the vulnerability.
- The "Configure Your Server" tool can only be run on the first domain controller in a forest. As a result, no other servers could be affected by the vulnerability.
A second troubleshooting mode is also affected. When the Directory Service Restore Mode password is set, the password for the Recovery Console is automatically synchronized with it. As a result, machines affected by this vulnerability would have a blank password for both the Directory Service Restore Mode and the Recovery Console. However, the scope of the vulnerability is unchanged by the involvement of the Recovery Console, for better or worse.
Affected Products
- Microsoft Windows 2000 Server & Advanced Server
Solution
A patch will be included in Windows Server and Advanced Server, Service Pack 2.
Further Details
Source: Microsoft Corporation
Updated: December 20, 2000