Domain password logon authentication bug in Windows 2000 Advanced Server Domain Controller SCENARIO: You have a password in your Windows 2000 domain that you set up that consists of 12 characters that alternate between capitals and lowercase. You log on using your Windows 2000 professional workstation and the password must be typed exactly. One day you use a Windows 98 client in another department and type your password with the caps lock key down. It then logs you onto the network. You expected your password of alternating upper and lower case to be required. OVERVIEW: When a user accounts password is set on Windows 2000 Advanced Server (which is also your domain controller running active directory), and a case sensitive password such as "HeLLo" is used, only a Windows 2000 client must type the password exactly the same (on a default installation with all service packs and patches applied). The problem is that most people think that the password has to be entered exactly that way since NT and 2000 passwords are case sensitive. If a Windows 9x computer is used to log onto the domain using a password of "HELLO" OR "hello" either will be validated by the domain controller. Hence the user is tricked into believing the password is more secure than it is. When a 15 character password or longer is used, the Windows 9x client cannot log on but a Windows 2000 client can. The Windows 9x logon dialog only allows 14 characters to be entered as a maximum. If the password is changed to 14 characters or less this bug is present. ============================= WORDAROUND: Require all clients in your Windows 2000 network to use NTLM2 Authentication. A detailed example is in knowledge base article #Q239869 located at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q239869 Require your domain controller to only validate using NTLM2 authentication and to NOT validate using LM or NTLM authentication. (Set Lan Manager Authentication Level to "Send NTLMv2 response only/refuse LM & NTLM" in the policy/security options setting). All windows 9x and NT clients must be updated to NTLM2 first. I expected that setting the domain controller to authenticate NTLM only should work but I could still get the Windows 9x client to authenticate by ignoring the case of the password. If you cannot implement the steps above because of the work involved or the number of computers involved, I suggest incorporating punctuation, numeric, and/or some of the 32 special ALT characters into your current password since the case is ignored when logging on to the domain. If the case is being ignored, then the password is also being chopped into two 7 character chunks making it even easier to be analyzed by an attacker. Requiring 15 characters or longer on all user accounts works but then only Windows 2000 clients can logon since the logon dialog on the other clients will not allow you to enter longer than 14 characters. Summary: A mixed mode of Windows 2000 and Windows 9x/NT clients needs LM and NTLM disabled and Microsofts NTLM2 installed or the password strength is limited to uppercase alphabetic, numeric, punctuation characters, and 32 special ALT characters (even though the password on the Windows 2000 server is upper and lower case -THIS IS THE REASON FOR POSTING THE BUG-). NTLM is supposed to increase the password security by using upper and lower case but my windows 9x client could still log in ignoring the case even though the LAN Manager Authentication Level on the Domain Controller was set to "Send NTLM response only". The next step should be to make sure that clients do not even attempt to trasmit LM type passwords. The knowledge base article #Q147706, located at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q147706 details this on Windows NT. ============================= Tested on 3 installations of Windows 2000 Advanced Server. Systems have Service Pack 2 installed. Server running in Mixed Mode. Active Directory installed. by Ron Ray, July 17, 2002 Additional comments welcome.
