OT: Windows 2000 Active Directory Buggreenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread
"In short, Active Directory settings allow an administrator full access to any object even when the object owner explicitly denies the administrator rights. This gives the object owners a false sense of security and means confidential data cannot be kept from the administrator or anybody in the administrator's group."
Windows 2000 Active Directory Bug
By Eric J. Bowden, BugNet
Learn how rights and permissions can be changed in Active Directory -- making your data vulnerable.
In a competitively strategic move aimed at casting a pall on the launch Windows 2000, Novell published a report outlining a security hole in Microsoft's flagship operating system. While few people would argue that the timing of this report entitled "Windows 2000 Security Issue: Problems with Limiting Administrative Access" was accidental, the report does raise some serious issues with Windows 2000's Active Directory. This week, BugNet's testing verified Novell's findings. Microsoft vehemently denies that this is a security bug, stating "After assessment, Microsoft has determined that the issue raised on Friday [February 11, 2000] by Novell is not a security vulnerability. Instead, it appears to be a misunderstanding of the NT security model."
The crux of the bug is this: There are times when a company needs to secure infomration even from the network adminstrator. The problem is that Active Directory allows the administrator or anybody in the administrators group to take ownership of an object when they have been explicitly denied the right to modify the ownership of that object. This allows administrators to take ownership, modify permissions and thereby gain access to sensitive data. Whether you call it a bug or a "misunderstanding," the way Active Directory security is currently implemented, it will give network administrators the erroneous impression that sensitive data is secure.
While the extent of this bug does not expose your network resources to people outside your corporation, it will require those responsible for security to re-evaluate policies and decide who they will want to make members of the administrators group. While no patch as available at the present time, it is still important to understand how the problem manifests itself. There will be many well-intended network administrators that will explicitly deny certain permissionsonly to find out later that their data wasn't as secure as they once thought. What follows is an explanation of how to recreate the security issue reported in the Novell report.
BugNet has verified this Active Directory security bug on the "Release to Manufacturing" version of Windows 2000 Advanced Server build 5.00.2195. In a nutshell, an administrator can create an Organizational Unit (OU) and give users rights and permissions to that unit. The Microsoft security model allows a user to take ownership of this OU for control permissions to this object. Included in this user's realm of control is the abilty to deny the network admistrator access to sensitve files contained within the OU. When any network adminstrator logs in and starts the Active Directory Users and Computers utility, he will find that the properties for that Active Directory object cannot be displayed. This is as it should be, locked down and tight as a battleship! Well, not quite.
If the network adminitrator selects any other object that he still owns, and then goes back to the properties of the first OU and clicks on the Security tab, he will now get a prompt that says, "You do not have permission to view the current permission settings ... but you can make permission changes." Huh? Yes, you did read that right. Note that after clicking OK the object that was restricted now displays the object properties. Clicking OK and selecting advanced will allow the network adminstrator to take ownership away from the user and add full control for the administrator again.
In short, Active Directory settings allow an administrator full access to any object even when the object owner explicitly denies the administrator rights. This gives the object owners a false sense of security and means confidential data cannot be kept from the administrator or anybody in the administrator's group
-- Carl Jenkins (Somewherepress@aol.com), February 20, 2000
I don't see this as a big deal. An administrator is someone that a company must have absolute faith and trust in, and he should have complete access, IMHO.
Besides, I'm sure there are other ways around the security. The administrator could do a network backup/restore to move the object to a directory owned by the administraor, for example.
But if this is considered a "bug" so be it. Only 62,999 more to talk about!
Sysman, a Network Administrator. <:)=
-- Sysman (firstname.lastname@example.org), February 20, 2000.
Another little "problem" with NT -and- 2000...
Winternals' NTFS for Win98.
It's a $49 product that, when supplied with seven NT/2000 system files, grants Windows 95/98 full read/write access to NTFS partitions. The product does NOT enforce security, therefore anyone with a Win9x box that can get to an NTFS drive can look at and touch ANYTHING.
I have it. It works VERY nicely. I use it so my software development machine, which runs 8 different Windows variants, can access all partitions regardless of which OS I'm in.
If the machine has a Zip drive, what's to stop someone from making a bare WIndows installation on the disk, including the NTFS for 9x software on that disk, booting it via floppy, and reading everything on the machine? (Hope the machine has the boot order set to C first...)
O d d O n e, who knows more about how to circumvent security that he lets on...
-- OddOne (email@example.com), February 20, 2000.
Hi Carl, Sysman, Odd One,
I agree with Sysman, an Administrator MUST HAVE full access to all data on *his part* of a network. He (she) can't do their job without full access. That means a network administrator has to have the integrity -- and full knowledge -- to do the job for the network owners.
(Hi Odd One, haven't seen you around for a while.)
-- Dean -- from (almost) Duh Moyn (firstname.lastname@example.org), February 20, 2000.