
MSNBC/BugNet: Windows 2000’s Active Directory not enforcing rights

“The Active Directory security hole, as outlined in the Novell report, allows the administrator of department A to control access to resources in department B even though administrator A has been explicitly denied the right to modify the ownership of that object. This allows administrators to take ownership and modify permissions, and thereby gain access to sensitive data.

By following the steps in the Novell report, BugNet was able to duplicate Novell’s findings. Even though the owner of the OU can explicitly deny any privileges to the administrator, including denying ownership, users from the administrative group can still get in, change ownership, and grant themselves permissions.

To further inflame the problem, if an administrator inappropriately takes ownership of a network resource, the legitimate OU owner is not immediately notified. The OU owner could eventually find out, but only after logging in and seeing that the object’s ownership has changed. By the time someone gets around to this, the damage might have already been done and the perpetrator could have already left the company. Our default installation of Windows 2000 Advanced Server did not track ownership changes in the Windows 2000 Event Viewer, meaning that there is no way for a network manager to police these types of changes except to touch every object on the network with the administration tool.”
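The report's last point, that the only way to police ownership changes is to touch every object, is the kind of check that is worth automating. The script below is an added example, not code from the BugNet or Novell reports: it walks a recorded baseline of OU owners, flags any OU whose current owner no longer matches, and shows how to add a SACL entry so that future successful WriteOwner operations on an OU are audited. It assumes the ActiveDirectory module (RSAT) on a domain-joined host; the domain `example.com`, the OU names and the baseline owners are constructed for illustration.

```powershell
# Added example (not from the BugNet/Novell report). Requires the
# ActiveDirectory module. Domain, OU names and baseline owners are constructed.
Import-Module ActiveDirectory

# Constructed baseline: the owner each OU is supposed to have, recorded by the
# directory team when the OU was delegated.
$ExpectedOwners = @{
    'OU=DeptA,DC=example,DC=com' = 'EXAMPLE\deptA-admins'
    'OU=DeptB,DC=example,DC=com' = 'EXAMPLE\deptB-admins'
}

# Read the current owner of every baselined OU from its security descriptor
# and report the ones whose owner has changed.
function Get-OuOwnerReport {
    param([hashtable]$Baseline)
    foreach ($dn in $Baseline.Keys) {
        $ou = Get-ADOrganizationalUnit -Identity $dn -Properties nTSecurityDescriptor
        $owner = $ou.nTSecurityDescriptor.GetOwner([System.Security.Principal.NTAccount]).Value
        [pscustomobject]@{
            OU       = $dn
            Expected = $Baseline[$dn]
            Actual   = $owner
            Changed  = ($owner -ne $Baseline[$dn])
        }
    }
}

# Add a SACL entry so that a successful take-ownership (WriteOwner) on the OU
# is written to the Security log on the domain controller. The audit policy
# subcategory "Directory Service Changes" must also be enabled (see note).
function Enable-OwnerChangeAudit {
    param([string]$DistinguishedName)
    $everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
    $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

# Report only the OUs whose owner differs from the baseline.
Get-OuOwnerReport -Baseline $ExpectedOwners |
    Where-Object Changed |
    Format-Table -AutoSize

# Start auditing ownership changes on every baselined OU.
foreach ($dn in $ExpectedOwners.Keys) { Enable-OwnerChangeAudit -DistinguishedName $dn }
```

The SACL entry only produces events if the domain controllers also have the audit policy turned on, for example with `auditpol /set /subcategory:"Directory Service Changes" /success:enable`; without both halves the Event Viewer stays as silent as the report describes. Running the owner report on a schedule and diffing it against the baseline replaces the manual walk of every object that the quoted text complains about.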

