Win2K Server Security Hole ?

From: Darren Thompson (mrdthompson@yahoo.com)
Date: 02/10/03

• Next message: SirG: "lockdown users and passwords"
• Previous message: Greg Askew: "Re: Updates for Terminal Server"
• Next in thread: Karl Levinson [x y] mvp: "Re: Win2K Server Security Hole ?"
• Reply: Karl Levinson [x y] mvp: "Re: Win2K Server Security Hole ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Darren Thompson" <mrdthompson@yahoo.com>
Date: Sun, 9 Feb 2003 19:30:04 -0800

My account is in the administrators group on our Domain. I
run Windows XP Pro, we have Windows 2000 Domain
Controllers (native mode). My machine was logged on,
someone else in the domain was trying to use my username
(and bad password) and caused my account to become locked
out.

With my account locked out, I could still run "Active
Directory Users and Computers" (ADUC) from my workstation,
although I initially get an error dialog "Naming
Information cannot be located because: The Local Security
Authority cannot be contacted. Contact your system
administrator to verify that your domain is properly
configured and is currently online"

I click OK here and I then get the standard ADUC window,
with a red "X" on the root. If I then right click on the
ADUC root, and select "Connect to Domain Controller" and
enter in the name of our DC I get another dialog
stating: "Domain controller name is in domain domain. You
are currently administering domain . Do you want to
administer domain by using domain controller name?"

I click "yes" and I get the ADUC windows in all it's glory
and can perform other administrative duties such as
disabling and enabling accounts and resetting user
passwords even whilst my account is still locked out.

Bug, Security loophole or feature ?

http://www.microsoft.com/technet/treeview/default.asp?
url=/technet/security/bulletin/ms00-089.asp has something
which sounds similar to this (but SP1 was meant to fix it,
we have SP2)

---

• Next message: SirG: "lockdown users and passwords"
• Previous message: Greg Askew: "Re: Updates for Terminal Server"
• Next in thread: Karl Levinson [x y] mvp: "Re: Win2K Server Security Hole ?"
• Reply: Karl Levinson [x y] mvp: "Re: Win2K Server Security Hole ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Help XP Tricked me??? ... > users (administrators) could not view my documents folder. ... > But now Eudora wont open on any other user account but mine.. ... Take Ownership of a File or Folder in Windows XP ... (microsoft.public.windowsxp.security_admin) Re: How to set group policy ... that, this account is a local account, and I try to set ... Windows XP Security Console ... How to apply local policies to all users except administrators ... on Windows Server 2003 in a Workgroup Setting ... (microsoft.public.windowsxp.general) Problem with password loggin in to Windows ... I have Windows XP Home Edition on my laptop. ... running our LAN on Novell Netware. ... then tried by changing the type of the administrators new ... account to a limited account hoping that this would force ... (microsoft.public.windowsxp.security_admin) Re: Old admin took password to his grave ... The real built in administrator account for the domain can not be disabled ... It can be disabled in Windows 2003 but is available in safe ... user needs full physical access to the domain controller which is one reason ... (microsoft.public.win2000.security) Re: Restriction ... > What I try to do is to limit user performing some tasks ... > that is a part of administrators group. ... > appearing in my account as a user with administrator privileges. ... MS MVP - Windows Shell/User ... (microsoft.public.windowsxp.security_admin)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(12)