COMMAND
NTLM
SYSTEMS AFFECTED
Win2000 SP1
PROBLEM
Following is based on a Microsoft Security Bulletin (MS00-089).
A flaw in the way that NTLM authentication operates in Windows
2000 could allow a domain account lockout policy to be bypassed
on a local Windows 2000 machine, even if the domain administrator
had set such a policy. A malicious user who can avoid the domain
account lockout policy faces less resistance from a brute force
password-guessing attack, so the threat from such an attack is
increased. Finch Brett found this originally.
This vulnerability only affects Windows 2000 machines that are
members of non-Windows 2000 domains. In addition, the
vulnerability only affects domain user accounts that have
previously logged into the target machine and already have cached
credentials established on that machine. If a domain account
lockout policy is in place and an attacker attempts a brute force
password-guessing attack, the domain user account will be locked
out as expected at the domain controller. However, if the
attacker is able to find the correct password, the local Windows
2000 machine will log the attacker on using the cached
credentials, in violation of the account lockout policy. Although
the attacker would be able to log on to the local machine, he or
she would not be able to authenticate to the domain or gain
access to resources on other machines in the domain.
SOLUTION
Windows 2000 Gold is not affected by this vulnerability. Patch
availability:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25606
Windows 2000 users connected to a Windows 2000 domain,
stand-alone Windows 2000 machines, and users of NT 4.0 do not
need to take any action.
The Windows 2000 patch can be applied to systems running Windows
2000 Service Pack 1. Users of Windows 2000 Gold are not affected
and do not need to take any action. This patch will be included
in Windows 2000 Service Pack 2.