COMMAND

Active Directory "Group Policy" updates can be locked

SYSTEMS AFFECTED

Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server

PROBLEM

In Microsoft Security Bulletin [MS02-016]:

http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-016.asp

--snipp--

When a machine or user logs onto the domain, it reads the GPO and applies the settings it contains. An attacker would likely exploit the vulnerability by first logging onto the domain normally, and then opening the Group Policy files with exclusive read access. She could then log onto the network a second time. Because the policy files would be locked, the second logon would occur without Group Policy being applied.

The result would be that, although all previous Group Policy settings on the second machine would remain in force, any new policy settings would not be applied. The attacker’s second session would take place using what policy settings had most recently been applied.

The effect wouldn't be limited only to the attacker. Any other user who happened to log onto the network while the Group Policy files were locked would also do so without new policy settings being applied.

--snapp--

SOLUTION

Microsoft Windows 2000 Server and Advanced Server:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=36844

Microsoft Windows 2000 Datacenter Server:

Patches for Windows 2000 Datacenter Server are hardware-specific and available from the original equipment manufacturer.