Article ID: 318593
Article Last Modified on 10/27/2006
APPLIES TO
- Microsoft Windows 2000 Service Pack 1
- Microsoft Windows 2000 Service Pack 2
- Microsoft Windows 2000 Advanced Server
This article was previously published under Q318593
SYMPTOMS
There is a security vulnerability that could let an attacker prevent Group Policy from being applied in a Windows 2000-based domain.
Domain administrators can use Group Policy to specify settings (such as security settings, desktop settings, and programs that can be installed) for groups of computers and users on a network. Blocking the policy might let an attacker retain older policy settings instead of being subject to any new policies.
This vulnerability is subject to several limitations:
- If any Group Policy settings were applied during previous sessions, they remain in force. Only new policies are blocked.
- The vulnerability could be exploited only by a legitimate network user.
- While an attack is in progress, an administrator could determine the identity of the attacker.
- The vulnerability does not let the attacker log on to any other user accounts, or gain membership in any other user groups.
- The vulnerability does not provide any opportunity for the attacker to change the network's group policies. The attacker can only temporarily block their application.
CAUSE
The vulnerability exists because it is possible to lock Group Policy files. This prevents other users from reading them. Without the ability to read Group Policy files, new policy settings could not be applied to the computer or to a user's session.
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
The following files are available for download from the Microsoft Download Center:
English Language Version
Chinese (Simplified) Language Version
Chinese (Traditional) Language Version
Czech Language Version
Dutch Language Version
French Language Version
German Language Version
Hungarian Language Version
Italian Language Version
Japanese Language Version
Japanese NEC Language Version
Korean Language Version
Polish Language Version
Portuguese (Brazilian) Language Version
Portuguese Language Version
Russian Language Version
Spanish Language Version
Swedish Language Version
Turkish Language Version
NOTE: This patch can only be installed on systems running Windows 2000 Service Pack 2.
Release Date: April 4, 2002
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
NOTE: Patches for Microsoft Windows 2000 Datacenter Server are hardware-specific. Patches for Windows 2000 Datacenter Server are available from the original equipment manufacturer (OEM).
The English version of this fix should have the following file attributes or later:
Date         Time   Version         Size     File name
--------------------------------------------------------
04-Feb-2002  12:27  5.00.2195.4888  373,008  Netlogon.dll
13-Feb-2002  17:54  5.00.2195.4888  245,104  Srv.sys
04-Feb-2002  12:26  5.00.2195.4888   75,024  Srvsvc.dll
Additional files that are included in this patch because of dependencies:
Date         Time   Version         Size     File name
---------------------------------------------------------
26-Feb-2002  12:14  5.00.2195.4959  123,664  Adsldp.dll
29-Jan-2002  16:52  5.00.2195.4851  130,832  Adsldpc.dll
29-Jan-2002  16:52  5.00.2195.4016   62,736  Adsmsext.dll
29-Jan-2002  16:52  5.00.2195.4882  356,624  Advapi32.dll
29-Jan-2002  16:52  5.00.2195.4874  135,440  Dnsapi.dll
29-Jan-2002  16:52  5.00.2195.4874   95,504  Dnsrslvr.dll
26-Feb-2002  12:21  5.00.2195.4848  521,488  Instlsa5.dll
26-Feb-2002  12:14  5.00.2195.4951  145,680  Kdcsvc.dll
26-Nov-2001  16:33  5.00.2195.4680  199,440  Kerberos.dll
07-Feb-2002  11:35  5.00.2195.4914   71,024  Ksecdd.sys
16-Jan-2002  15:02  5.00.2195.4848  503,568  Lsasrv.dll
16-Jan-2002  15:02  5.00.2195.4848   33,552  Lsass.exe
07-Dec-2001  16:05  5.00.2195.4745  107,280  Msv1_0.dll
26-Feb-2002  12:14  5.00.2195.4917  306,960  Netapi32.dll
26-Feb-2002  12:14  5.00.2195.4960  916,752  Ntdsa.dll
29-Jan-2002  16:52  5.00.2195.4847  388,368  Samsrv.dll
29-Jan-2002  16:52  5.00.2195.4874  128,784  Scecli.dll
26-Feb-2002  12:14  5.00.2195.4968  299,792  Scesrv.dll
30-May-2001  01:03  5.00.2195.3649    3,584  Spmsg.dll
29-Jan-2002  16:52  5.00.2195.4600   48,400  W32time.dll
06-Nov-2001  11:43  5.00.2195.4600   56,592  W32tm.exe
26-Feb-2002  12:14  5.00.2195.4921  125,712  Wldap32.dll
16-Jan-2002  15:02  5.00.2195.4848  503,568  Lsasrv.dll
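To confirm that a domain controller carries the fix, the three patched files can be compared against the minimum versions in the first table above. The following is an added example, not part of the original article or a Microsoft tool; the function name Test-Kb318593Files and the server name DC01 are hypothetical, and the script assumes it is run from an administrative workstation with PowerShell 5 or later and read access to the controller's admin$ share.

```powershell
# Minimum versions copied from the article's table for the English fix.
# Paths are relative to %SystemRoot%; Srv.sys is a driver and lives under drivers\.
$MinimumVersions = [ordered]@{
    'system32\Netlogon.dll'    = '5.00.2195.4888'
    'system32\drivers\Srv.sys' = '5.00.2195.4888'
    'system32\Srvsvc.dll'      = '5.00.2195.4888'
}

function Test-Kb318593Files {
    param(
        # Path to %SystemRoot% on the machine being checked,
        # for example the admin$ share of a domain controller.
        [Parameter(Mandatory)][string]$SystemRoot
    )
    foreach ($entry in $MinimumVersions.GetEnumerator()) {
        $path     = Join-Path $SystemRoot $entry.Key
        $required = [version]$entry.Value   # "5.00.2195.4888" parses as 5.0.2195.4888
        $found    = $null

        if (-not (Test-Path -LiteralPath $path)) {
            $status = 'MISSING'
        }
        else {
            $vi = (Get-Item -LiteralPath $path).VersionInfo
            # Compare the numeric fields, not the FileVersion string, which can
            # carry extra text and would sort incorrectly as a string.
            $found = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                    $vi.FileBuildPart, $vi.FilePrivatePart)
            # The article says "these attributes or later", so equal or newer passes.
            $status = if ($found -ge $required) { 'OK' } else { 'BELOW_MINIMUM' }
        }

        [pscustomobject]@{
            File     = $entry.Key
            Found    = $found
            Required = $required
            Status   = $status
        }
    }
}

# Example call (DC01 is a hypothetical server name):
# Test-Kb318593Files -SystemRoot '\\DC01\admin$' | Format-Table -AutoSize
```

Any row reporting BELOW_MINIMUM or MISSING means the controller still needs the patch or Service Pack 3.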
STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Windows 2000. This problem was first corrected in Windows 2000 Service Pack 3.
MORE INFORMATION
Administrators may want to apply this patch on all domain controllers. You must restart a Windows 2000-based domain controller after you install this patch. For additional information about command-line switches to install or remove this patch, click the following article number to view the article in the Microsoft Knowledge Base:
262841 Command-Line switches for Windows software update packages
For more information about this vulnerability, visit the following Microsoft Web site: