Domain password logon authentication bug in Windows 2000 Advanced Server Domain Controller

[Ron Ray <yarnor () attbi com>]

Domain password logon authentication bug in Windows 2000 Advanced Server 
Domain Controller

SCENARIO:
You have a password in your Windows 2000 domain that you set up that 
consists of 12 characters that alternate between capitals and lowercase. 
You log on using your Windows 2000 professional workstation and the 
password must be typed exactly. One day you use a Windows 98 client in 
another department and type your password with the caps lock key down. It 
then logs you onto the network. You expected your password of alternating 
upper and lower case to be required.

OVERVIEW:
When a user accounts password is set on Windows 2000 Advanced Server 
(which is also your domain controller running active directory), and a 
case sensitive password such as "HeLLo" is used, only a Windows 2000 
client must type the password exactly the same (on a default installation 
with all service packs and patches applied).

The problem is that most people think that the password has to be entered 
exactly that way since NT and 2000 passwords are case sensitive. If a 
Windows 9x computer is used to log onto the domain using a password 
of "HELLO" OR "hello" either will be validated by the domain controller. 
Hence the user is tricked into believing the password is more secure than 
it is.

When a 15 character password or longer is used, the Windows 9x client 
cannot log on but a Windows 2000 client can. The Windows 9x logon dialog 
only allows 14 characters to be entered as a maximum. If the password is 
changed to 14 characters or less this bug is present.
=============================
WORDAROUND:
Require all clients in your Windows 2000 network to use NTLM2 
Authentication. A detailed example is in knowledge base article #Q239869 
located at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q239869

Require your domain controller to only validate using NTLM2 authentication 
and to NOT validate using LM or NTLM authentication. (Set Lan Manager 
Authentication Level to "Send NTLMv2 response only/refuse LM & NTLM" in 
the policy/security options setting). All windows 9x and NT clients must 
be updated to NTLM2 first. I expected that setting the domain controller 
to authenticate NTLM only should work but I could still get the Windows 9x 
client to authenticate by ignoring the case of the password.

If you cannot implement the steps above because of the work involved or 
the number of computers involved, I suggest incorporating punctuation, 
numeric, and/or some of the 32 special ALT characters into your current 
password since the case is ignored when logging on to the domain. If the 
case is being ignored, then the password is also being chopped into two 7 
character chunks making it even easier to be analyzed by an attacker.

Requiring 15 characters or longer on all user accounts works but then only 
Windows 2000 clients can logon since the logon dialog on the other clients 
will not allow you to enter longer than 14 characters.

Summary: A mixed mode of Windows 2000 and Windows 9x/NT clients needs LM 
and NTLM disabled and Microsofts NTLM2 installed or the password strength 
is limited to uppercase alphabetic, numeric, punctuation characters, and 
32 special ALT characters (even though the password on the Windows 2000 
server is upper and lower case -THIS IS THE REASON FOR POSTING THE BUG-).

NTLM is supposed to increase the password security by using upper and 
lower case but my windows 9x client could still log in ignoring the case 
even though the LAN Manager Authentication Level on the Domain Controller 
was set to "Send NTLM response only".

The next step should be to make sure that clients do not even attempt to 
trasmit LM type passwords. The knowledge base article #Q147706, located at 
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q147706 details 
this on Windows NT.
=============================
Tested on 3 installations of Windows 2000 Advanced Server.
Systems have Service Pack 2 installed.
Server running in Mixed Mode.
Active Directory installed.

by Ron Ray, July 17, 2002
Additional comments welcome.