Article ID: 294391
Article Last Modified on 9/26/2005
APPLIES TO
- Microsoft Windows 2000 Service Pack 1
- Microsoft Windows 2000 Service Pack 2
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
This article was previously published under Q294391
SYMPTOMS
A core service that runs on all Windows 2000 domain controllers (but not on any other computers), contains a memory leak that can be triggered when the service attempts to process a certain type of invalid service request. By repeatedly sending such a request, an attacker could deplete the available memory on the server. If memory were sufficiently depleted, the domain controller (DC) could become unresponsive, which would prevent it from processing logon requests or issuing new Kerberos tickets. Note that an affected computer could be restored to service by rebooting.
Mitigating Factors
- Users who were already logged on and using previously-issued Kerberos tickets would not be affected by DC unavailability.
- If there were multiple DCs on the domain, the unaffected computers could pick up the other computer's load.
- If normal security practices have been followed, Internet users would be prevented (by use of firewalls and other measures) from levying requests directly to DCs.
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later:
Date Time Version Size File name ---------------------------------------------------------------------- 6/27/2001 12:19p 5.0.2195.3787 501,520 Lsasrv.dll (56-bit) 6/27/2001 01:53p 5.0.2195.3787 355,088 Advapi32.dll 6/27/2001 01:50p 5.0.2195.3787 519,440 Instlsa5.dll 6/27/2001 01:53p 5.0.2195.3787 143,120 Kdcsvc.dll 6/26/2001 08:15p 5.0.2195.3781 197,392 Kerberos.dll 6/26/2001 08:16p 5.0.2195.3781 69,456 Ksecdd.sys 6/27/2001 12:20p 5.0.2195.3787 501,520 Lsasrv.dll 6/26/2001 08:16p 5.0.2195.3781 33,552 Lsass.exe 6/27/2001 01:53p 5.0.2195.3781 909,072 Ntdsa.dll 6/27/2001 01:53p 5.0.2195.3781 382,224 Samsrv.dll 6/27/2001 01:53p 5.0.2195.3781 128,784 Scecli.dll 6/27/2001 01:53p 5.0.2195.3649 299,792 Scesrv.dll
STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Windows 2000. This problem was first corrected in Windows 2000 Service Pack 3.
MORE INFORMATION
For more information about this vulnerability, please see the following Microsoft Web site:
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:
265173 The Datacenter Program and Windows 2000 Datacenter Server Product
For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:
296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot
Additional query words: denial of dos security_patch kbWin2000srp1
Keywords: kbbug kbfix kbwin2000presp3fix kbgraphxlinkcritical kbqfe kbwin2000sp3fix kbenv kbsecurity kbsechack kbhotfixserver KB294391