[NT] Domain Password Logon Authentication Bug in Windows 2000 Advanced Server Domain Controller
From: support@securiteam.com To: list@securiteam.com Date: Mon, 22 Jul 2002 20:31:49 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Domain Password Logon Authentication Bug in Windows 2000 Advanced Server Domain Controller
------------------------------------------------------------------------
SUMMARY
In a mixed environment of Windows 2000, NT and 9x clients, a domain password
is much weaker than its apparent character set suggests. For backward
compatibility the domain controller also accepts the LAN Manager (LM) form of
the password, which is computed from the password folded to uppercase, so
uppercase and lowercase letters are treated as the same character. For a
letters-only password of n characters this shrinks the search space from 52^n
to 26^n, a factor of 2^n.
DETAILS
Scenario:
You set a 12-character password in your Windows 2000 domain that alternates
between uppercase and lowercase letters. When you log on from your Windows
2000 Professional workstation the password must be typed exactly. One day you
use a Windows 98 client in another department and type the password with Caps
Lock on, and you are logged onto the network anyway, although you expected
the exact mix of upper and lower case to be required.
Overview:
When a user account's password is set on Windows 2000 Advanced Server (which
is also the domain controller running Active Directory) and a mixed-case
password such as "HeLLo" is chosen, only a Windows 2000 client has to type it
with exactly that case (on a default installation with all service packs and
patches applied).
The problem is that most people assume the password must always be entered
that way, since NT and 2000 passwords are case sensitive. If a Windows 9x
computer is used to log onto the domain, "HELLO" or "hello" will both be
validated by the domain controller: the 9x client authenticates with the LM
response, which is derived from the uppercased password, and the domain
controller accepts it for compatibility. The user is therefore led to believe
the password is stronger than it is. The LM hash also pads the password to 14
bytes and hashes each 7-byte half independently, so even a 14-character
password is attacked offline as two 7-character pieces.
When the password is 15 characters or longer, a Windows 9x client cannot log
on at all, but a Windows 2000 client can: the Windows 9x logon dialog accepts
at most 14 characters, and Windows stores no usable LM hash for passwords
longer than 14 characters. If the password is changed back to 14 characters
or fewer, the behaviour described above returns.
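The LM preprocessing described above, as an added example that is not part of the advisory or of any Microsoft code: it performs the uppercase, pad-to-14 and split-into-halves steps, expands each half into a DES key, and flags what an offline cracker gains from each. It assumes cp437 as the OEM code page, uppercases only as Python's str.upper does, and only computes the final DES/MD4 steps if pycryptodome (for DES) and an MD4-capable OpenSSL (for the NT hash) happen to be present; everything else runs with the standard library alone. The passwords fed to it are constructed test values.

```python
"""LM vs NT password preprocessing (constructed example, not advisory code).

Assumptions: OEM code page cp437; Python's str.upper stands in for Windows'
OEM uppercasing (identical for ASCII); pycryptodome is optional for the DES step.
"""
import hashlib

KGS_MAGIC = b"KGS!@#$%"  # constant plaintext that each LM half encrypts with DES
# DES(KGS!@#$%) under the all-zero key: the LM half produced by an empty 7-byte half.
EMPTY_HALF_HASH = bytes.fromhex("AAD3B435B51404EE")

try:
    from Crypto.Cipher import DES  # pycryptodome; optional
except ImportError:
    DES = None


def lm_key_halves(password):
    """Return the two 7-byte halves LM hashes, or None when no LM hash exists.

    LM uppercases the password, encodes it in the OEM code page, pads it with
    NULs to 14 bytes and splits it into two independent 7-byte halves. Windows
    stores no usable LM hash for passwords longer than 14 characters.
    """
    if len(password) > 14:
        return None
    raw = password.upper().encode("cp437", "replace")  # cp437 is an assumption
    raw = raw.ljust(14, b"\x00")
    return raw[:7], raw[7:14]


def des_key_from_7(half):
    """Expand 7 bytes (56 bits) into an 8-byte DES key with odd parity bits."""
    n = int.from_bytes(half, "big")
    key = bytearray()
    for i in range(8):
        chunk = (n >> (49 - 7 * i)) & 0x7F  # next 7 key bits, high to low
        b = chunk << 1                       # low bit of each key byte is parity
        if bin(b).count("1") % 2 == 0:
            b |= 1
        key.append(b)
    return bytes(key)


def lm_hash(password):
    """Full 16-byte LM hash when pycryptodome is available, else None."""
    halves = lm_key_halves(password)
    if halves is None or DES is None:
        return None
    return b"".join(
        DES.new(des_key_from_7(h), DES.MODE_ECB).encrypt(KGS_MAGIC) for h in halves
    )


def nt_hash(password):
    """NT hash: MD4 over the UTF-16LE password as typed (case kept, no 14-char cap).
    Returns None where the platform's OpenSSL build has no MD4."""
    try:
        return hashlib.new("md4", password.encode("utf-16-le")).digest()
    except ValueError:
        return None


def lm_equivalent(a, b):
    """True when the domain controller's LM check cannot tell a and b apart."""
    ha, hb = lm_key_halves(a), lm_key_halves(b)
    return ha is not None and ha == hb


def lm_findings(password):
    """Weaknesses the LM form of this password exposes to an offline cracker."""
    findings = []
    halves = lm_key_halves(password)
    if halves is None:
        return findings  # too long for LM: only the NT hash exists
    if password != password.upper():
        findings.append("case folded: lowercase letters add no entropy")
    if halves[1] == b"\x00" * 7:
        findings.append("second half empty (hash ends in AAD3B435B51404EE): 7 chars or fewer")
    else:
        findings.append("split into two 7-byte halves that are cracked independently")
    return findings


def second_half_empty(lm_hex):
    """Check a dumped 32-hex-digit LM hash for the telltale empty second half."""
    return bytes.fromhex(lm_hex)[8:] == EMPTY_HALF_HASH


if __name__ == "__main__":
    for pw in ("HeLLo", "HELLO", "hello", "AbCdEfGhIjKlMn", "AbCdEfGhIjKlMnO"):
        print(pw, lm_key_halves(pw), lm_findings(pw))
    print(lm_equivalent("HeLLo", "hello"), lm_equivalent("HeLLo", "HELLP"))
```

Running it shows "HeLLo", "HELLO" and "hello" all reduce to the same key material (b"HELLO\x00\x00" and seven NULs), which is why the 9x client's Caps Lock logon succeeds, while the 15-character password yields no LM halves at all. The second_half_empty check is the one to run over a dumped account database: any hash ending in AAD3B435B51404EE belongs to a password of seven characters or fewer.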
Workaround:
Require all clients in your Windows 2000 network to use NTLMv2 authentication.
A detailed example is in knowledge base article Q239869 ("How to enable NTLM 2
authentication"), located at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q239869
The setting involved is the LMCompatibilityLevel DWORD value under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Level 3 makes a
client send only NTLMv2 responses; level 4 makes a domain controller refuse
LM responses, and level 5 makes it refuse both LM and NTLM. Windows 9x clients
need the Directory Services Client (Dsclient.exe) before they can send
NTLMv2, so raise the domain controller's level only after every client can do
so, or those clients will no longer be able to log on.
Solution:
The next step should be to make sure that clients do not even attempt to
transmit LM responses. Knowledge base article Q147706 ("How to disable LM
authentication on Windows NT"), located at
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q147706
details this on Windows NT (Service Pack 4 or later, where the same
LMCompatibilityLevel value was introduced). Note that this setting only
controls what is sent on the wire: as long as the password is 14 characters
or fewer, the domain controller still stores the LM hash, which an attacker
who obtains the account database can attack offline.
ADDITIONAL INFORMATION
The information has been provided by Ron Ray (yarnor@attbi.com).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.