Re: Windows 2000 SP2 local policy settings not stored using SIDs?

From: Justin Silles (JUSTIN@M-M-S.COM)
Date: 08/13/01


Message-ID:  <00D6E0E3F7DED211A3D00050040530833041F9@www.shutter.net>
Date:         Mon, 13 Aug 2001 13:11:01 -0400
From: Justin Silles <JUSTIN@M-M-S.COM>
Subject:      Re: Windows 2000 SP2 local policy settings not stored using SIDs?
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Eric and Others,

I think you finally answered my question about security settings in Win2k.
Please allow me to explain what I did (locked out) and how I "hacked" back in
(not really, but hey...). It just so happens I know of two other people
that have done this as well, but I cannot figure out the connection.
I have one PC as a Win2k DC with active directory and terminal services and
one laptop running win2k.
While setting up the security settings (for the domain) I had set the
administrators group to be the only one to log in locally. I had also
changed the name of the local administrator on the server and various other
settings. After a few moments I was no longer able to log on to my server
locally. I was not able to figure out the problem so I figured I could log
on via the Terminal Services connection...still not able to access it.
After figuring that my client was acting up (laptop) I rebooted. This is
when things went bad. As the laptop was part of the domain and it took on
the new policy settings after the reboot, I was now locked out of that PC as
well. The error is "Local security policy does not allow user to log in".
In an attempt to get back into my server and laptop I took a different PC I
had installed a fresh copy of win2k Pro and set it up on my network to try
and fix this problem. During the install I added it to the domain, thus
taking on the same bad security settings. After the final install process
the PC reboots as usual and then locked me out with the same error. I
reinstalled the OS this time staying out of the domain. I then booted and
mapped to the admin share on the server, browsed to and deleted (see MSKB
Q201227):
{xxxx-XXXX} = Combination of letters and numbers (hex). There will be two of
these and you have to remove the file from both (I numbered them 1 and 2,
but that has nothing to do with the numbers inside the {}).
C:\WINNT\SYSVOL\DOMAIN\Policies\{xxxx-XXX1}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
C:\WINNT\SYSVOL\DOMAIN\Policies\{xxxx-XXX2}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
Within a few seconds the HD activity lights went nuts (policy change was
taking effect) and I was able to log into my Server. I rebooted my laptop
and regained access to that as well.
I have been dying to post this to MS, but I could not nail the reason behind
it. The other two people were on the WINNT-L@PEACH.EASE.LSOFT.COM list and
no one there seemed to have heard of the problem nor the fix before.
This is a serious security problem and without a documented fix could leave
many companies having problems if they need to log in. Or worse, thinking
they need to do a full reinstall. There are two other ways to fix this:
1) log in using the win2k recovery console and delete the file, then
reboot the server. However this requires you to take down the server. My
fix above does not, since all access to the server otherwise is still
functional.
2) If you can figure out which setting is in the "GptTmpl.inf" file,
you can just delete that line (log on locally?) and then the server would be
fine with all other important security settings still functional.

If this is the case, that MS is not using the SIDs, I would question: "what
else isn't using a SID?" If I am setting up my network security via SIDs, why
wouldn't that be in the programming? Kinda scary.
Please, if anyone has anything on this let myself and the groups know so
this can get patched. The more discussion the better!
Regards,
Justin M. Silles
Network Administrator
System Analyst
MMS Inc.
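The post's second recovery option is to find the "log on locally" entry in GptTmpl.inf and remove just that line. The following is an added example (not from the post or from Microsoft) that parses a template in the GptTmpl.inf layout, reports whether its SeInteractiveLogonRight list would lock out BUILTIN\Administrators, and strips only that line. The template text is a constructed sample, not the poster's file; the well-known SID S-1-5-32-544 and the '*'-prefix-means-SID convention of security templates are the assumptions it relies on.

```python
"""Audit a GptTmpl.inf security template for an interactive-logon list that omits Administrators."""
import re

# Constructed sample in the GptTmpl.inf (secedit template) layout; not the poster's actual file.
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-545
SeShutdownPrivilege = *S-1-5-32-544
"""

# Well-known SID of BUILTIN\Administrators, and the name form a template may use instead.
ADMIN_PRINCIPALS = {"S-1-5-32-544", "Administrators"}

def parse_template(text):
    """Return {section: {key: value}} from INF-style text; ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def logon_locally_principals(text):
    """Principals granted SeInteractiveLogonRight; SIDs carry a leading '*', names do not."""
    value = parse_template(text).get("Privilege Rights", {}).get("SeInteractiveLogonRight")
    if value is None:
        return None  # right not set by this template, so the template does not restrict it
    return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]

def would_lock_out_admins(text):
    """True when the template restricts interactive logon to a list without Administrators."""
    principals = logon_locally_principals(text)
    return principals is not None and not (set(principals) & ADMIN_PRINCIPALS)

def drop_logon_locally_setting(text):
    """The post's option 2: remove only the SeInteractiveLogonRight line, keep everything else."""
    kept = [l for l in text.splitlines() if not l.strip().startswith("SeInteractiveLogonRight")]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    print("lockout risk:", would_lock_out_admins(SAMPLE_GPTTMPL))
```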

