I think this refers to the issue recently identified where a member of the Domain Admins group, with access to a domain controller within a domain in the forest, could, for example, start a process within the security context of LocalSystem (e.g. using the AT scheduler), and thus gain privileged access to the schema and configuration naming contexts that they weren't granted explicitly.
-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, July 07, 2003 6:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD DOS vulnerability

Could you expand on what the specific vulnerability is there? I've not heard that terminology before.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 04, 2003 5:42 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> Joe,
>
> Unfortunately, one of the biggest issues with AD can't be addressed
> with an upgrade, and that's the Security vulnerability from
> cross-domain admins. Looking to NetPro's monitoring tool to aid in
> this as a 'burglar alarm'.
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> Sent: Friday, July 04, 2003 10:21 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> Also note that there is another D.O.S. capable bug that SP4 fixes if I
> recall correctly. It was something with referrals.
>
> Note that there are several things that can be done to W2K AD by a
> bright programmer with internal access who has had a chance to sit
> back and think about it that can hurt AD. Some only require having an
> account in AD, some requiring a machine account. Won't give details
> here or anywhere due to social conscience and not willing to expose
> shit that could hurt me personally but they are there... Move to W2K3
> when you can as that may help based on some of the newer docs I have
> seen.
>
> I agree with what everyone else has said on SP4... Test test test,
> then deploy. When you do have an issue, post back here or in the
> newsgroups so others can learn of the experience. Even if you call MS
> and they say, nope, no one is having that issue. I have found that
> they know of things but won't come fully forward with them until some
> minimum number of customers/people have complained.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
> Sent: Thursday, July 03, 2003 10:04 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> Thanks Everyone for the great information. We have already begun
> patching the systems as a result of the information from the list.
>
> Todd Myrick
>
> -----Original Message-----
> From: Robert Moir [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 03, 2003 8:53 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD DOS vulnerability
>
> I'd certainly concur with the idea of using the hotfix before rushing
> SP4 out of the door without the usual acceptance testing but it might
> be worth remembering that someone who is posting from an educational
> establishment is in an environment where malicious attacks from within
> the network are not just possible, or likely, but are simply another
> day at the office.
>
> > -----Original Message-----
> > From: Tony Murray [mailto:[EMAIL PROTECTED]
> > Sent: 03 July 2003 12:51
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] AD DOS vulnerability
> >
> > Given that this vulnerability can generally only be exploited
> > through malicious use from *within* the network (at least for most
> > organisations), you may want to hold off on SP4. This will depend on
> > your assessment of the threat in your environment. SP4 was only
> > released last week and it is usually prudent to wait to see if any
> > major bugs appear before installing it. I'm sure you remember the
> > problems introduced by Windows NT 4.0 SP6, which were then urgently
> > fixed in SP6a?
> >
> > You could always install the hotfix first and hold off a while on
> > SP4.
> >
> > More info on this vulnerability here:
> >
> > http://www.coresecurity.com/common/showdoc.php?idx=351&idxseccion=10
> >
> > Tony
> >
> > ---------- Original Message ----------------------------------
> > Reply-To: [EMAIL PROTECTED]
> > Date: Thu, 3 Jul 2003 11:10:44 +0100
> >
> > I received notification about a vulnerability in AD this morning -
> > details are at
> > http://support.microsoft.com/default.aspx?kbid=319709
> >
> > It looks like the recommended fix is to upgrade my DCs to SP4.
> >
> > I was planning to wait a lot longer before I inflict SP4 on any
> > machines that I care about, but it looks like this might force my
> > hand a bit. What's everyone else doing?
> >
> > Has anyone heard of *any* problems with SP4 yet?
> >
> > --
> > Steve Bennett, Systems Support
> > Lancaster University
> >
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive:
> > http://www.mail-archive.com/activedir%40mail.activedir.org/