Re: Windows 2000 SP2 local policy settings not stored using SIDs?

From: Justin Silles (JUSTIN@M-M-S.COM)
Date: 08/13/01


Message-ID:  <00D6E0E3F7DED211A3D00050040530833041F9@www.shutter.net>
Date:         Mon, 13 Aug 2001 13:11:01 -0400
From: Justin Silles <JUSTIN@M-M-S.COM>
Subject:      Re: Windows 2000 SP2 local policy settings not stored using SIDs?
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Eric and Others,

I think you finally answered my question about security settings in Win2k.
Please allow me to explain what I did (locked myself out) and how I "hacked"
back in (not really, but hey...). It just so happens I know of two other
people that have done this as well, but I cannot figure out the connection.
I have one PC as a Win2k DC with active directory and terminal services and
one laptop running win2k.
While setting up the security settings (for the domain) I had set the
administrators group to be the only one to log in locally. I had also
changed the name of the local administrator on the server and various other
settings. After a few moments I was no longer able to log on to my server
locally. I was not able to figure out the problem so I figured I could log
on via the Terminal Services connection...still not able to access it.
After figuring that my client (the laptop) was acting up, I rebooted. This is
when things went bad. As the laptop was part of the domain, it took on the new
policy settings after the reboot and I was now locked out of that PC as well.
The error is "Local security policy does not allow user to log in".
In an attempt to get back into my server and laptop I took a different PC,
installed a fresh copy of Win2k Pro on it and set it up on my network to try
and fix this problem. During the install I added it to the domain, thus
taking on the same bad security settings. After the final install process
the PC rebooted as usual and then locked me out with the same error. I
reinstalled the OS, this time staying out of the domain. I then booted and
mapped to the admin share on the server, browsed to and deleted (see MSKB
Q201227):
{xxxx-XXXX} = combination of letters and numbers (hex). There will be two of
these and you have to remove the file from both (I numbered them 1 and 2,
but that has nothing to do with the numbers inside the {}).
C:\WINNT\SYSVOL\DOMAIN\Policies\{xxxx-XXX1}\Machine\Microsoft\Windows NT\SecExit\GptTmpl.inf
C:\WINNT\SYSVOL\DOMAIN\Policies\{xxxx-XXX2}\Machine\Microsoft\Windows NT\SecExit\GptTmpl.inf
Within a few seconds the HD activity lights went nuts (policy change was
taking effect) and I was able to log into my Server. I rebooted my laptop
and regained access to that as well.
I have been dying to post this to MS, but I could not nail the reason behind
it. The other two people were on the WINNT-L@PEACH.EASE.LSOFT.COM list and
no one there seemed to have heard of the problem nor the fix before.
This is a serious security problem and without a documented fix could leave
many companies having problems if they need to log in. Or worse, thinking
they need to do a full reinstall. There are two other ways to fix this:
1) Log in using the Win2k Recovery Console and delete the file, then
reboot the server. However, this requires you to take down the server. My
fix above does not, since all other access to the server is still
functional.
2) If you can figure out which setting is in the "GptTmpl.inf" file,
you can just delete that line (log on locally?) and then the server would be
fine with all other important security settings still functional.

If this is the case, that MS is not using the SIDs, I would question: "what
else isn't using a SID?" If I am setting up my network security via SIDs, why
wouldn't that be in the programming? Kinda scary.
Please, if anyone has anything on this let myself and the groups know so
this can get patched. The more discussion the better!
Regards,
Justin M. Silles
Network Administrator
System Analyst
MMS Inc.
