[26227] in bugtraq
Domain password logon authentication bug in Windows 2000 Advanced
daemon@ATHENA.MIT.EDU (Ron Ray)
Thu Jul 18 23:11:37 2002
Date: 18 Jul 2002 02:42:31 -0000
Message-ID: <20020718024231.24004.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Ron Ray <yarnor@attbi.com>
To: bugtraq@securityfocus.com
Domain password logon authentication bug in Windows 2000 Advanced Server
Domain Controller
SCENARIO:
You have a password in your Windows 2000 domain that you set up that
consists of 12 characters that alternate between capitals and lowercase.
You log on using your Windows 2000 professional workstation and the
password must be typed exactly. One day you use a Windows 98 client in
another department and type your password with the caps lock key down. It
then logs you onto the network. You expected your password of alternating
upper and lower case to be required.
OVERVIEW:
When a user accounts password is set on Windows 2000 Advanced Server
(which is also your domain controller running active directory), and a
case sensitive password such as "HeLLo" is used, only a Windows 2000
client must type the password exactly the same (on a default installation
with all service packs and patches applied).
The problem is that most people think that the password has to be entered
exactly that way since NT and 2000 passwords are case sensitive. If a
Windows 9x computer is used to log onto the domain using a password
of "HELLO" OR "hello" either will be validated by the domain controller.
Hence the user is tricked into believing the password is more secure than
it is.
When a 15 character password or longer is used, the Windows 9x client
cannot log on but a Windows 2000 client can. The Windows 9x logon dialog
only allows 14 characters to be entered as a maximum. If the password is
changed to 14 characters or less this bug is present.
=============================
WORDAROUND:
Require all clients in your Windows 2000 network to use NTLM2
Authentication. A detailed example is in knowledge base article #Q239869
located at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q239869
Require your domain controller to only validate using NTLM2 authentication
and to NOT validate using LM or NTLM authentication. (Set Lan Manager
Authentication Level to "Send NTLMv2 response only/refuse LM & NTLM" in
the policy/security options setting). All windows 9x and NT clients must
be updated to NTLM2 first. I expected that setting the domain controller
to authenticate NTLM only should work but I could still get the Windows 9x
client to authenticate by ignoring the case of the password.
If you cannot implement the steps above because of the work involved or
the number of computers involved, I suggest incorporating punctuation,
numeric, and/or some of the 32 special ALT characters into your current
password since the case is ignored when logging on to the domain. If the
case is being ignored, then the password is also being chopped into two 7
character chunks making it even easier to be analyzed by an attacker.
Requiring 15 characters or longer on all user accounts works but then only
Windows 2000 clients can logon since the logon dialog on the other clients
will not allow you to enter longer than 14 characters.
Summary: A mixed mode of Windows 2000 and Windows 9x/NT clients needs LM
and NTLM disabled and Microsofts NTLM2 installed or the password strength
is limited to uppercase alphabetic, numeric, punctuation characters, and
32 special ALT characters (even though the password on the Windows 2000
server is upper and lower case -THIS IS THE REASON FOR POSTING THE BUG-).
NTLM is supposed to increase the password security by using upper and
lower case but my windows 9x client could still log in ignoring the case
even though the LAN Manager Authentication Level on the Domain Controller
was set to "Send NTLM response only".
The next step should be to make sure that clients do not even attempt to
trasmit LM type passwords. The knowledge base article #Q147706, located at
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q147706 details
this on Windows NT.
=============================
Tested on 3 installations of Windows 2000 Advanced Server.
Systems have Service Pack 2 installed.
Server running in Mixed Mode.
Active Directory installed.
by Ron Ray, July 17, 2002
Additional comments welcome.
