Microsoft KB Archive/318593

= MS02-016: Opening Group Policy files for exclusive read blocks policy application =

Article ID: 318593

Article Last Modified on 10/27/2006


APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server



This article was previously published under Q318593



SYMPTOMS
There is a security vulnerability that could let an attacker prevent Group Policy from being applied in a Windows 2000-based domain.

Domain administrators can use Group Policy to specify settings (such as security settings, desktop settings, and programs that can be installed) for groups of computers and users on a network. Blocking the policy might let an attacker retain older policy settings instead of being subject to any new policies.

This vulnerability is subject to several limitations:
 * If any Group Policy settings were applied during previous sessions, they remain in force. Only new policies are blocked.
 * The vulnerability could be exploited only by a legitimate network user.
 * While an attack is in progress, an administrator could determine the identity of the attacker.
 * The vulnerability does not let the attacker log on to any other user accounts, or gain membership in any other user groups.
 * The vulnerability does not provide any opportunity for the attacker to change the network's group policies. The attacker can only temporarily block their application.



CAUSE
The vulnerability exists because it is possible to lock Group Policy files. This prevents other users from reading them. Without the ability to read Group Policy files, new policy settings could not be applied to the computer or to a user's session.
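A defender can watch for the condition described above by periodically trying to read the policy files and reporting any that cannot be opened. The following is an added example, not code from this article or from Microsoft. The file names in `POLICY_FILES`, the `opener` parameter, and the sample folder names are assumptions made for illustration.

```python
import os
import tempfile

# Assumption: typical file names inside a GPO folder; the article does not list them.
POLICY_FILES = {"gpt.ini", "registry.pol", "gpttmpl.inf"}
ERROR_SHARING_VIOLATION = 32  # Windows error code: file is held open by another handle


def probe_policy_files(policies_root, opener=open):
    """Try to read each policy file; return sorted (path, reason) for failures."""
    blocked = []
    for dirpath, _dirs, files in os.walk(policies_root):
        for name in files:
            if name.lower() not in POLICY_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with opener(path, "rb") as fh:
                    fh.read(1)
            except PermissionError as exc:
                if getattr(exc, "winerror", None) == ERROR_SHARING_VIOLATION:
                    reason = "sharing violation (locked by another handle)"
                else:
                    reason = "access denied"
                blocked.append((path, reason))
            except OSError as exc:
                blocked.append((path, f"unreadable: {exc.strerror}"))
    return sorted(blocked)


def build_sample_tree(root):
    """Constructed sample: two GPO folders with placeholder names, not real GUIDs."""
    for gpo in ("{GPO-A-PLACEHOLDER}", "{GPO-B-PLACEHOLDER}"):
        machine = os.path.join(root, gpo, "Machine")
        os.makedirs(machine)
        with open(os.path.join(root, gpo, "gpt.ini"), "w") as fh:
            fh.write("[General]\nVersion=1\n")
        with open(os.path.join(machine, "Registry.pol"), "wb") as fh:
            fh.write(b"PReg\x01\x00\x00\x00")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(probe_policy_files(build_sample_tree(tmp)))
```

A non-empty result for the policy folder on a domain controller is the cue to look up which session holds the file open, which is how an administrator can identify the user as noted under SYMPTOMS.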



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

The following files are available for download from the Microsoft Download Center:

 * English Language Version
 * Chinese (Simplified) Language Version
 * Chinese (Traditional) Language Version
 * Czech Language Version
 * Dutch Language Version
 * French Language Version
 * German Language Version
 * Hungarian Language Version
 * Italian Language Version
 * Japanese Language Version
 * Japanese NEC Language Version
 * Korean Language Version
 * Polish Language Version
 * Portuguese (Brazilian) Language Version
 * Portuguese Language Version
 * Russian Language Version
 * Spanish Language Version
 * Swedish Language Version
 * Turkish Language Version

NOTE: This patch can only be installed on systems running Windows 2000 Service Pack 2.

Release Date: April 4, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

NOTE: Patches for Microsoft Windows 2000 Datacenter Server are hardware-specific. Patches for Windows 2000 Datacenter Server are available from the original equipment manufacturer (OEM).

The English version of this fix should have the following file attributes or later:

   Date         Time   Version         Size     File name
   04-Feb-2002  12:27  5.00.2195.4888  373,008  Netlogon.dll
   13-Feb-2002  17:54  5.00.2195.4888  245,104  Srv.sys
   04-Feb-2002  12:26  5.00.2195.4888   75,024  Srvsvc.dll

Additional files that are included in this patch because of dependencies:

   Date         Time   Version         Size     File name
   26-Feb-2002  12:14  5.00.2195.4959  123,664  Adsldp.dll
   29-Jan-2002  16:52  5.00.2195.4851  130,832  Adsldpc.dll
   29-Jan-2002  16:52  5.00.2195.4016   62,736  Adsmsext.dll
   29-Jan-2002  16:52  5.00.2195.4882  356,624  Advapi32.dll
   29-Jan-2002  16:52  5.00.2195.4874  135,440  Dnsapi.dll
   29-Jan-2002  16:52  5.00.2195.4874   95,504  Dnsrslvr.dll
   26-Feb-2002  12:21  5.00.2195.4848  521,488  Instlsa5.dll
   26-Feb-2002  12:14  5.00.2195.4951  145,680  Kdcsvc.dll
   26-Nov-2001  16:33  5.00.2195.4680  199,440  Kerberos.dll
   07-Feb-2002  11:35  5.00.2195.4914   71,024  Ksecdd.sys
   16-Jan-2002  15:02  5.00.2195.4848  503,568  Lsasrv.dll
   16-Jan-2002  15:02  5.00.2195.4848   33,552  Lsass.exe
   07-Dec-2001  16:05  5.00.2195.4745  107,280  Msv1_0.dll
   26-Feb-2002  12:14  5.00.2195.4917  306,960  Netapi32.dll
   26-Feb-2002  12:14  5.00.2195.4960  916,752  Ntdsa.dll
   29-Jan-2002  16:52  5.00.2195.4847  388,368  Samsrv.dll
   29-Jan-2002  16:52  5.00.2195.4874  128,784  Scecli.dll
   26-Feb-2002  12:14  5.00.2195.4968  299,792  Scesrv.dll
   30-May-2001  01:03  5.00.2195.3649    3,584  Spmsg.dll
   29-Jan-2002  16:52  5.00.2195.4600   48,400  W32time.dll
   06-Nov-2001  11:43  5.00.2195.4600   56,592  W32tm.exe
   26-Feb-2002  12:14  5.00.2195.4921  125,712  Wldap32.dll
   16-Jan-2002  15:02  5.00.2195.4848  503,568  Lsasrv.dll



STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Windows 2000. This problem was first corrected in Windows 2000 Service Pack 3.



MORE INFORMATION
Administrators may want to apply this patch on all domain controllers. You must restart a Windows 2000-based domain controller after you install this patch. For additional information about command-line switches to install or remove this patch, click the following article number to view the article in the Microsoft Knowledge Base:

262841 Command-Line switches for Windows software update packages

For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS02-016.mspx
