Microsoft Security Bulletin (MS00-099)

Patch Available for Directory Service Restore Mode Password Vulnerability

Originally posted: December 20, 2000

Summary

Microsoft has released a patch that eliminates a security vulnerability affecting Microsoft® Windows® 2000 domain controllers. The vulnerability could allow a malicious user with physical access to a domain controller to install malicious software on it.

Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-099.asp

Issue

Windows 2000 provides several special operating modes that can be chosen at boot time to allow an administrator to troubleshoot and restore a machine with a damaged configuration. One of these, Directory Service Restore Mode, is designed to allow the Active Directory to be repaired and restored on a domain controller. A password is required in order to operate the system in this mode. However, if the Configure Your Server tool was used when the machine was originally promoted to domain controller, that password would be blank. This could enable a malicious user to log onto the machine in Directory Service Restore Mode. Once logged on, the malicious user could alter system components or install bogus ones that would execute when a bona fide administrator subsequently logged onto the machine.

There are three significant mitigating factors associated with this vulnerability:

* The malicious user would need physical access to the machine in order to log into it in Directory Service Restore Mode. Security best practices strongly recommend against ever giving unprivileged users physical access to critical servers such as domain controllers. Customers who have followed this guidance would not be affected by the vulnerability.
* The vulnerability only occurs if the Configure Your Server tool was used to promote the server to domain controller. If the DCPROMO tool was used, the machine could not be affected by the vulnerability.
* The Configure Your Server tool can only be run on the first domain controller in a forest. As a result, no other servers could be affected by the vulnerability.

A second troubleshooting mode is also affected. When the Directory Service Restore Mode password is set, the password for the Recovery Console is automatically synchronized with it. As a result, machines affected by this vulnerability would have a blank password for both Directory Service Restore Mode and the Recovery Console. However, the scope of the vulnerability is unchanged by the involvement of the Recovery Console, for better or worse.

Affected Software Versions

* Microsoft Windows 2000 Server
* Microsoft Windows 2000 Advanced Server

Note: Windows 2000 workstations are unaffected by this vulnerability.

Patch Availability

* The patch has been temporarily removed, but will be re-posted shortly.

Note: On Windows 2000 Server and Advanced Server systems, this patch can be installed atop either the Gold version or Service Pack 1. It will be included in Windows 2000 Server and Advanced Server Service Pack 2.

Note: Additional security patches are available at the Microsoft Download Center.

More Information

Please see the following references for more information related to this issue.

* Frequently Asked Questions: Microsoft Security Bulletin MS00-099, http://www.microsoft.com/technet/security/bulletin/fq00-099.asp
* Microsoft Knowledge Base article Q271641 discusses this issue and will be available soon.
* Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue

This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp.

Acknowledgments

Microsoft thanks John Sherriff of the Wool Research Organization of New Zealand for reporting this issue to us and working with us to protect customers.