[cifs-protocol] Please clarify LSA and OsVersion behaviour in MS-NRPC (SRX090727600015)

Hongwei Sun hongweis at microsoft.com
Wed Sep 2 16:09:49 MDT 2009


Andrew,

   We confirmed that Windows Server 2008 and later systems addressed the problem by implementing validation of the DNSHostName and SPN in NetrLogonGetDomainInfo to enforce the same constraints as specified in sections 3.1.1.5.3.1.1.2 (dNSHostName) and 3.1.1.5.3.1.1.4 (servicePrincipalName) of MS-ADTS. Therefore you should follow these rules to match the Windows behaviors.

   Please let us know if you have further questions.

Thanks!

--------------------------------------------------------------------
Hongwei Sun - Sr. Support Escalation Engineer
DSC Protocol Team, Microsoft
hongweis at microsoft.com
Tel:  469-7757027 x 57027
---------------------------------------------------------------------



-----Original Message-----
From: cifs-protocol-bounces at cifs.org [mailto:cifs-protocol-bounces at cifs.org] On Behalf Of Andrew Bartlett
Sent: Tuesday, August 25, 2009 7:35 PM
To: Bill Wesse
Cc: pfif at tridgell.net; cifs-protocol at samba.org; Matthias Dieter Wallnöfer
Subject: Re: [cifs-protocol] Please clarify LSA and OsVersion behaviour in MS-NRPC (SRX090727600015)

On Tue, 2009-08-25 at 07:04 -0700, Bill Wesse wrote:
> Good morning Andrew. Thanks for your feedback. I have interpolated available information below.
>
> >> Andrew - I think I might have missed a previous email of yours. If so, I offer my apologies.
> >>
> >> The actual Windows behavior is - as Matthias noted previously - 
> >> that NetrLogonGetDomainInfo bypasses the servicePrincipalName 
> >> constraints (which are documented in [MS-ADTS] 3.1.1.5.3.1.1.4).
> >
> >OK, when will this security bug be addressed?  I thought I saw a difference in this behaviour for Windows 2008 - honestly I was expecting 'Windows 2008 fixed this' as your reply.
>
> This is currently 'work-in-progress', and I will update you as soon as I have information. My understanding is that this is not an issue with releases after Windows 2003 (which matches with your comments concerning Windows 2008).

Great.  Can you give me the exact rules as they apply to Windows 2008 then?  I can work from them to fix this up to match Windows 2008 behaviour (which was my original goal, but wasn't what Matthias wrote the code to match).

> >> We are currently working on which document this should be addressed 
> >> in ([MS-ADTS] or [MS-NRPC]). I expect that [MS-NRPC] is not the 
> >> correct place, since SPN validation is carried out by Active 
> >> Directory, outside the scope of the NetLogon protocol. I do not yet 
> >> have any information concerning whether or not any product bugs 
> >> will be filed, but I have alerted the appropriate folks here at 
> >> Microsoft. That may impact any forthcoming Windows Behavior notes.
>
> >OK.  I would appreciate an update on what the expected long-term 
> >behaviour of Microsoft products will be, so we know what we must 
> >emulate.  (Oh the joys of bug-for-bug compatibility)
>
> Some of this will depend on Windows 2003 and earlier bug/fix details. I will keep you advised!
>
> >Thanks for the detail.  I look forward to being able to use it some 
> >day :-)
>
> My pleasure!

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.


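The validation Hongwei describes, as an added example that is not part of the thread and is neither Samba's nor Windows' code: a simplified Python model of the [MS-ADTS] 3.1.1.5.3.1.1.2 (dNSHostName) and 3.1.1.5.3.1.1.4 (servicePrincipalName) constraints a DC applies when a machine account updates its own attributes, which is what a 2008+ DC also enforces inside NetrLogonGetDomainInfo. It accepts a well-formed self-update and refuses an update that registers an SPN naming a different host, the case the constraints exist to block. The rule set is a simplified reading of those sections (msDS-AdditionalDnsHostName and msDS-AdditionalSamAccountName are omitted and msDS-AllowedDNSSuffixes is approximated by a plain list); the function names and the sample account WS01$ in samba.example.com are constructed for the example.

```python
# Added example: simplified model of the [MS-ADTS] dNSHostName and SPN
# constraints a DC should enforce on a machine account's self-update.
# Not Samba's or Windows' implementation; the rules are a simplified
# reading of 3.1.1.5.3.1.1.2 and 3.1.1.5.3.1.1.4 (assumption).

class ValidationError(ValueError):
    pass


def computer_name(sam_account_name):
    """Strip the trailing '$' from a machine account's sAMAccountName."""
    if not sam_account_name.endswith("$"):
        raise ValidationError("machine account sAMAccountName must end in '$'")
    name = sam_account_name[:-1]
    if not name:
        raise ValidationError("empty computer name")
    return name


def check_dns_host_name(sam_account_name, domain_dns_name, dns_host_name,
                        allowed_suffixes=()):
    """3.1.1.5.3.1.1.2 (simplified): dNSHostName must be <computerName>.<suffix>,
    where computerName is the sAMAccountName without its trailing '$'
    (case-insensitive) and suffix is the domain's DNS name or an entry of
    msDS-AllowedDNSSuffixes (modelled here as allowed_suffixes)."""
    cn = computer_name(sam_account_name)
    host, sep, suffix = dns_host_name.partition(".")
    if not sep or not suffix:
        raise ValidationError(f"dNSHostName {dns_host_name!r} is not fully qualified")
    if host.lower() != cn.lower():
        raise ValidationError(f"dNSHostName host part {host!r} does not match computer name {cn!r}")
    allowed = {domain_dns_name.lower(), *(s.lower() for s in allowed_suffixes)}
    if suffix.lower() not in allowed:
        raise ValidationError(f"dNSHostName suffix {suffix!r} is not permitted for this domain")
    return dns_host_name


def check_spn(sam_account_name, domain_dns_name, dns_host_name, spn):
    """3.1.1.5.3.1.1.4 (simplified): SPN is serviceClass/hostName[:port][/serviceName].
    hostName must be this account's computer name or its (already validated)
    dNSHostName; serviceName, if present, must be the domain's DNS name.
    This is the rule that stops a member registering an SPN for another host."""
    cn = computer_name(sam_account_name)
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValidationError(f"SPN {spn!r} is malformed")
    host_port = parts[1]
    host, _, port = host_port.partition(":")
    if port and not port.isdigit():
        raise ValidationError(f"SPN {spn!r} has a non-numeric port")
    if host.lower() not in (cn.lower(), dns_host_name.lower()):
        raise ValidationError(f"SPN {spn!r} names host {host!r}, which is not this account's")
    if len(parts) == 3 and parts[2].lower() != domain_dns_name.lower():
        raise ValidationError(f"SPN {spn!r} has serviceName {parts[2]!r}; expected the domain DNS name")
    return spn


def validate_domain_info_update(sam_account_name, domain_dns_name,
                                dns_host_name, spns, allowed_suffixes=()):
    """Validate one self-update (dNSHostName plus SPN list); returns the accepted SPNs."""
    check_dns_host_name(sam_account_name, domain_dns_name, dns_host_name, allowed_suffixes)
    return [check_spn(sam_account_name, domain_dns_name, dns_host_name, s) for s in spns]


def classify(sam_account_name, domain_dns_name, dns_host_name, spns):
    """Return 'accepted' or 'rejected: <reason>' for one update."""
    try:
        validate_domain_info_update(sam_account_name, domain_dns_name, dns_host_name, spns)
        return "accepted"
    except ValidationError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    # Constructed sample data: a legitimate update from WS01, an update
    # claiming a file server's SPN, and one claiming a DC's dNSHostName.
    dom = "samba.example.com"
    good = ["HOST/WS01", "HOST/ws01.samba.example.com",
            "RestrictedKrbHost/ws01.samba.example.com/samba.example.com"]
    print(classify("WS01$", dom, "ws01.samba.example.com", good))
    print(classify("WS01$", dom, "ws01.samba.example.com",
                   ["cifs/fileserver.samba.example.com"]))
    print(classify("WS01$", dom, "dc1.samba.example.com", []))
```

The point of running both checks on the same code path is the one made in the thread: the constraints are Active Directory's, so a DC that lets NetrLogonGetDomainInfo write dNSHostName or servicePrincipalName without passing through them (Windows 2003 behaviour, per the quoted reply) has a second, unvalidated way for a domain member to claim another host's identity.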