Microsoft Security Bulletin (MS98-001) ---------------------------------------------------------------------------- Disabling Creation of Local Groups on a Domain by Non-Administrative Users Last revision: June 1, 1998 Summary The default Microsoft® Windows NT® user rights allow non-administrative users to create domain local groups. Domain local groups reside only on the Domain Controllers, which share a single security account manager (SAM). Issue The ability for non-administrative users to create aliases on the domain could be abused if they create a large number of local groups in the domain and cause the size of the account database to grow unrestricted. Unlimited local group creation could crash the domain controller and lead to excessive network traffic due to the replication of local group information to backup domain controllers. Affected Software Versions Windows NT Server 3.1, 3.5, 3.51 and 4.0 More Information The default protection access controls on the Windows NT domain allow all users the right to create local groups on the domain controller. The access right on the domain object is known as DOMAIN_CREATE_ALIAS. The ability for non-administrative users to create local groups on a server is documented in the Windows NT Server Concepts and Planning manual. This capability allows users to better control access to resources owned by the user. For example, a user who wants to grant access to files owned by the user and stored on a network server can create a local group in the domain and add users to that group. Then the user allows other users access to his or her files and directories by granting access to the local group object, which is much more desirable than having to set access controls based on individual users. When a user creates a local group, only that user or an administrator can modify membership to that group, or delete that group. Please see Microsoft Knowledge Base article Q169556 for more information, including the availability on http://www.microsoft.com of a tool to change this default behavior. What Microsoft Is Doing Microsoft is distributing this bulletin to increase awareness of this feature and its implications when abused by an authorized user. A utility to change this designed behavior can be obtained free of charge from Microsoft Technical Support (see http://www.microsoft.com/support for contact information). This utility can be used to change the default behavior and restrict the creation of local groups to administrative users. Microsoft will make this tool available for download from the microsoft.com Web site shortly. Please see Microsoft Knowledge Base article Q169556 for information about downloading this software when it becomes available. What Customers Should Do Setting the auditing of "User and Group Management" from User Manager for Domains will produce an audit event when local groups are created in the domain. Users who abuse this by creating a large number of groups can be identified in this manner and appropriate administrative actions can be taken. A utility to change this designed behavior can be obtained from Microsoft Technical Support. This tool can be used to modify the default behavior and restrict the creation of local groups to administrative users. Customers who are affected by this right now can obtain this utility from Microsoft Technical Support. Other References Microsoft Knowledge Base article Q161990, http://support.microsoft.com/support/kb/articles/q161/9/90.asp Revisions June 1, 1998: Bulletin Created For additional information on security issues at Microsoft, please visit www.microsoft.com/security. ---------------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. © 1998 Microsoft and/or its suppliers. All rights reserved. For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.