Posted by Sumit Siddharth on the FD Mailing List (5/31/07) -
Windows Server 2003 can be configured to restrict the hours and days that a user may log on to a Windows Server 2003 domain. This could lead to username enumeration.
Issue:- Microsoft Windows Active Directory Username Enumeration
Criticality:- Less Critical
Impact:- Exposure of system information
Description:- It has been identified that the Microsoft windows Active Directory contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the Windows Domain Controller returns different error messages depending on if a valid username was supplied via windows terminal services. This only happens for the user accounts that have time restrictions set and when these accounts are accessed during restricted time. This can be exploited to help enumerate valid usernames resulting in a loss of confidentiality.
Vendors response:-
"We will NOT be issuing a security update for this issue. It is likely that in a next version or service pack of the product we may consider making changes, but not before then".
Screenshots:
1. Error returned When Account is Accessed at Restricted time
2. Error returned When Account is Accessed at Permitted time
Thanks
Sid
www.notsosecure.com
--------------------------------------
Most likely the time blocking feature of Windows 2003 is only used by a small subset of overall users, therefore the severity of this issue is greatly reduced. But it is still a issue....
No comments:
Post a Comment