SYMPTOMS
There is a security vulnerability that could let an attacker prevent Group Policy from being applied in a Windows 2000-based domain.
Domain administrators can use Group Policy to specify settings (such as security settings, desktop settings, and programs that can be installed) for groups of computers and users on a network. Blocking the policy might let an attacker retain older policy settings instead of being subject to any new policies.
This vulnerability is subject to several limitations:
- If any Group Policy settings were applied during previous sessions, they remain in force. Only new policies are blocked.
- The vulnerability could be exploited only by a legitimate network user.
- While an attack is in progress, an administrator could determine the identity of the attacker.
- The vulnerability does not let the attacker log on to any other user accounts, or gain membership in any other user groups.
- The vulnerability does not provide any opportunity for the attacker to change the network's group policies. The attacker can only temporarily block their application.
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
The following file is available for download from the Microsoft Download Center:
NOTE: This patch can only be installed on systems running Windows 2000 Service Pack 2.
Release Date: April 4, 2002
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Note Patches for Microsoft Windows 2000 Datacenter Server are hardware-specific. Patches for Windows 2000 Datacenter Server are available from the original equipment manufacturer (OEM).
The English version of this fix should have the following file attributes or later:
Date         Time   Version         Size     File name
---------------------------------------------------------
04-Feb-2002  12:27  5.00.2195.4888  373,008  Netlogon.dll
13-Feb-2002  17:54  5.00.2195.4888  245,104  Srv.sys
04-Feb-2002  12:26  5.00.2195.4888   75,024  Srvsvc.dll
Additional files that are included in this patch because of dependencies:
Date         Time   Version         Size     File name
---------------------------------------------------------
26-Feb-2002  12:14  5.00.2195.4959  123,664  Adsldp.dll
29-Jan-2002  16:52  5.00.2195.4851  130,832  Adsldpc.dll
29-Jan-2002  16:52  5.00.2195.4016   62,736  Adsmsext.dll
29-Jan-2002  16:52  5.00.2195.4882  356,624  Advapi32.dll
29-Jan-2002  16:52  5.00.2195.4874  135,440  Dnsapi.dll
29-Jan-2002  16:52  5.00.2195.4874   95,504  Dnsrslvr.dll
26-Feb-2002  12:21  5.00.2195.4848  521,488  Instlsa5.dll
26-Feb-2002  12:14  5.00.2195.4951  145,680  Kdcsvc.dll
26-Nov-2001  16:33  5.00.2195.4680  199,440  Kerberos.dll
07-Feb-2002  11:35  5.00.2195.4914   71,024  Ksecdd.sys
16-Jan-2002  15:02  5.00.2195.4848  503,568  Lsasrv.dll
16-Jan-2002  15:02  5.00.2195.4848   33,552  Lsass.exe
07-Dec-2001  16:05  5.00.2195.4745  107,280  Msv1_0.dll
26-Feb-2002  12:14  5.00.2195.4917  306,960  Netapi32.dll
26-Feb-2002  12:14  5.00.2195.4960  916,752  Ntdsa.dll
29-Jan-2002  16:52  5.00.2195.4847  388,368  Samsrv.dll
29-Jan-2002  16:52  5.00.2195.4874  128,784  Scecli.dll
26-Feb-2002  12:14  5.00.2195.4968  299,792  Scesrv.dll
30-May-2001  01:03  5.00.2195.3649    3,584  Spmsg.dll
29-Jan-2002  16:52  5.00.2195.4600   48,400  W32time.dll
06-Nov-2001  11:43  5.00.2195.4600   56,592  W32tm.exe
26-Feb-2002  12:14  5.00.2195.4921  125,712  Wldap32.dll
16-Jan-2002  15:02  5.00.2195.4848  503,568  Lsasrv.dll