lukeandmax (Member) | May 23, 2005 at 8:50 am | #103939
Hello Everyone (actually I should have said “Hello Authenticated Users!”)
As promised, here we are with our latest discovery. The reason we waited so long before posting this message is that we wanted to do more tests.
I really don’t know where to start. Let’s say that some weeks ago we were talking about security in Active Directory DACLs, and we made some considerations about delegating administration of user accounts in OUs. Background: we are very, veeeery paranoid regarding security :-)
We came up with a particular issue: for example, when you need to delegate administration of the user accounts contained in the “Business Users” OU and all sub-OUs, the DACLs must be modified to allow Creation and Deletion of User Objects + Full Control over User Objects, which are the standard permissions added by the Delegation Wizard.
Well, the question is…. what if Exchange is present in the enterprise? (We are talking about one forest with an empty root domain + 19 child domains, with a very large helpdesk center.)
If Exchange is present and, for example, I delegate user account administration to “Helpdesk Users Dept”, every member of this group will get Full Control over the User Objects contained in “Business Users”; Full Control also includes the SEND AS permission, which may not be feasible for my organization. So we thought: why don’t we remove the Send As permission by denying it explicitly?…… been there, done that.
Wait a moment! Let us think…. Even if I have been denied the Send As permission, I am still a member of “Helpdesk Users Dept”, so I have FC, which includes “Modify Permissions”, so I can change it again and remove the Send As denial.
Well, here we are once again: let’s explicitly deny Modify Permissions on User Objects to “Helpdesk Users Dept”.
After this, we wanted to verify that these new permissions work. So we logged on to an XP workstation with a user account that is a member of “Helpdesk Users Dept”, opened ADUC, clicked on the Business Users OU, created a user account, then right-clicked on the user account / Properties / Security / Advanced in order to view the user’s DACL, and…..
LSASS crashed on the DC! Deadlock condition and the DC rebooted in 30 seconds (error code -1073741819)
We reproduced the problem in another domain and ….
LSASS Crashed again!!!!
Also, another try: create a user account, go ahead during creation using a non-compliant 5-character password (the domain sets a minimum of 12 characters), go ahead, receive the message that the password is not compliant, and….
LSASS crashed again!!! (That’s because the user was created but not confirmed, so it tried to delete the user object! In fact, after the reboot the user account was still there but disabled.)
So guys… have fun
Luke & Max
PS: it seems that SP1 patched this bug. I’ve just tried it and it does not crash.
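The delegation the post describes (create/delete user objects plus Full Control, then an explicit deny of Send As and of Modify Permissions so the delegated group cannot undo the deny) can be scripted rather than clicked through ADUC. The block below is an added PowerShell example and is not code from the original post or from Luke & Max; it assumes the ActiveDirectory module and its AD: drive are available, and the OU distinguished name and domain are placeholders you must replace. The two GUIDs are the well-known schema GUID for the user object class and the well-known extended-right GUID for Send As.

```powershell
# Added example (not from the original post): delegate user administration on an OU,
# then explicitly deny 'Send As' and 'Modify Permissions' (WriteDacl) on the user objects.
# ASSUMPTIONS: $ouDN is a placeholder DN; the ActiveDirectory module / AD: drive is loaded.
Import-Module ActiveDirectory

$ouDN      = "OU=Business Users,DC=corp,DC=example"   # placeholder OU
$groupName = "Helpdesk Users Dept"                    # group named in the post

$userClassGuid = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # schema GUID: objectClass 'user'
$sendAsGuid    = [Guid]"ab721a54-1e2f-11d0-9819-00aa0040529b"  # extended right: 'Send As'

$group = Get-ADGroup -Identity $groupName
$sid   = New-Object System.Security.Principal.SecurityIdentifier $group.SID

$acl = Get-Acl -Path "AD:\$ouDN"

# 1. Create and delete user objects in this OU and all sub-OUs
#    (the ACE the Delegation Wizard adds for "Create, delete, and manage user accounts").
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

# 2. Full Control (GenericAll), inherited only by descendant user objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

# 3. Explicit deny of the 'Send As' extended right on descendant user objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $sendAsGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

# 4. Explicit deny of 'Modify Permissions' (WriteDacl) so the group cannot remove the deny in step 3.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verification: list the ACEs that now apply to the group. The deny ACEs should appear
# before the allow ACEs, since the DACL is written in canonical order.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Because the deny ACEs are explicit on the OU while the Full Control ACE is also explicit there, canonical ordering places the denies first and they win on the inherited user objects; the verification listing at the end is how to confirm, from the OU itself, that WriteDacl and the Send As extended right are denied before trusting a test from a delegated account.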