[Full-disclosure] Microsoft Windows Active Directory Logon Hours User Enumeration Weakness

From: "Sumit Siddharth" <sid@xxxxxxxxxxxxxxx>
Date: Thu, 31 May 2007 16:11:22 +0100

Windows Server 2003 can be configured
<http://support.microsoft.com/kb/816666> to restrict the hours and days that
a user may log on to a Windows Server 2003 domain. This could lead to
username enumeration.

*Issue*:- Microsoft Windows Active Directory Username Enumeration

*Criticality*:- Less Critical

*Impact*:- Exposure of system information

*Description*:- It has been identified that the Microsoft windows Active
Directory contains a flaw that may lead to an unauthorized information
disclosure. The issue is triggered when the Windows Domain Controller
returns different error messages depending on if a valid username was
supplied via windows terminal services. This only happens for the
user accounts that have time restrictions set and when these accounts
are accessed during restricted time. This can be exploited to help
enumerate valid usernames resulting in a loss of confidentiality.

*Vendors response*:-
"We will NOT be issuing a security update for this issue.
It is likely that in a next version or service pack of the product we may
consider making changes, but not before then".

*Screenshots:*
1. Error returned When Account is Accessed at Restricted
time<http://www.notsosecure.com/folder2/2007/05/27/logon-time-restrictions-in-a-domain-in-windows-server-2003-allows-username-enumeration/error-returned-when-account-is-accessed-at-restricted-time/>
2. Error returned When Account is Accessed at Permitted
time<http://www.notsosecure.com/folder2/wp-content/uploads/2007/05/error-when-account-is-accessed-at-permitted-time.PNG>

Thanks

Sid
www.notsosecure.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] [ GLSA 200705-25 ] file: Integer overflow
Next by Date: Re: [Full-disclosure] Certain Prior Notices Concerning the Unauthorized Distribution of HBO Television Programming
Previous by thread: [Full-disclosure] [ GLSA 200705-25 ] file: Integer overflow
Next by thread: Re: [Full-disclosure] Certain Prior Notices Concerning the Unauthorized Distribution of HBO Television Programming
Index(es):
- Date
- Thread

Relevant Pages

Re: Backup and reinstall - no server access
... >>>We have a Windows Server 2003 with a lost Administrator password. ... >>>Knoppix), plug in a USB hard disk, copy the files on the Windows ... > As for having two administrator accounts, ...
(microsoft.public.win2000.setup)
RE: Adding AD Account to NT Global
... member server in the Windows NT domain. ... Create a group in the Windows Server 2003 domain and add the accounts to ... Windows Server 2003 domain directly to set permissions. ...
(microsoft.public.windows.server.migration)
Re: Blocking Accounts on Certain PCs
... As long as you're using passwords that are widely known, no, you can't stop anyone from using the computer. ... Through your domain policies, you can restrict, I believe, what machines a particular user can log on to. ... > We can't use private passwords on these accounts. ... >> Windows XP - Shell/User ...
(microsoft.public.windowsxp.security_admin)
Re: setting up an authentication pc in a network
... about 4 accounts and those 4 people can only use a specific pc ... or it maybe is novell. ... Windows Server then you really are in bad shape. ... Calling an illegal alien an "undocumented worker" is like calling a ...
(microsoft.public.windows.server.sbs)
how to restrict or deny hard drive(s) access for guests/users accounts
... i am setting up user passworded accounts and 1 guest ... accross different hard drives. ... 'restrict access to folders' ...
(microsoft.public.windowsxp.security_admin)