A core service that runs on all Windows 2000 domain controllers (but not on any other computers), contains a memory leak that can be triggered when the service attempts to process a certain type of invalid service request. By repeatedly sending such a request, an attacker could deplete the available memory on the server. If memory were sufficiently depleted, the domain controller (DC) could become unresponsive, which would prevent it from processing logon requests or issuing new Kerberos tickets. Note that an affected computer could be restored to service by rebooting.
Back to the top
Mitigating Factors
| • | Users who were already logged on and using previously-issued Kerberos tickets would not be affected by DC unavailability. |
| • | If there were multiple DCs on the domain, the unaffected computers could pick up the other computer's load. |
| • | If normal security practices have been followed, Internet users would be prevented (by use of firewalls and other measures) from levying requests directly to DCs. |
Back to the top
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the
Microsoft Knowledge Base:
260910 (http://support.microsoft.com/kb/260910/EN-US/) How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later:
Date Time Version Size File name
----------------------------------------------------------------------
6/27/2001 12:19p 5.0.2195.3787 501,520 Lsasrv.dll (56-bit)
6/27/2001 01:53p 5.0.2195.3787 355,088 Advapi32.dll
6/27/2001 01:50p 5.0.2195.3787 519,440 Instlsa5.dll
6/27/2001 01:53p 5.0.2195.3787 143,120 Kdcsvc.dll
6/26/2001 08:15p 5.0.2195.3781 197,392 Kerberos.dll
6/26/2001 08:16p 5.0.2195.3781 69,456 Ksecdd.sys
6/27/2001 12:20p 5.0.2195.3787 501,520 Lsasrv.dll
6/26/2001 08:16p 5.0.2195.3781 33,552 Lsass.exe
6/27/2001 01:53p 5.0.2195.3781 909,072 Ntdsa.dll
6/27/2001 01:53p 5.0.2195.3781 382,224 Samsrv.dll
6/27/2001 01:53p 5.0.2195.3781 128,784 Scecli.dll
6/27/2001 01:53p 5.0.2195.3649 299,792 Scesrv.dll
Back to the top
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Windows 2000. This problem was first corrected in Windows 2000 Service Pack 3.
Back to the top
For more information about this vulnerability, please see the following Microsoft Web site:
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below
to view the article in the Microsoft Knowledge Base:
265173 (http://support.microsoft.com/kb/265173/EN-US/) The Datacenter Program and Windows 2000 Datacenter Server Product
For additional information about how to install multiple hotfixes with only one reboot, click the article number below
to view the article in the Microsoft Knowledge Base:
296861 (http://support.microsoft.com/kb/296861/EN-US/) Use QChain.exe to Install Multiple Hotfixes with One Reboot
Back to the top
Help and Support
