Windows 2000 Denial of Service
Reported July 23, 2000 by Brandon Lay

VERSIONS AFFECTED
  • Windows 2000 Workstation
  • Windows 2000 Server (all editions)

DESCRIPTION

If the autoexec.bat file in the root of a Windows 2000 NTFS system volume is encrypted with the Encrypting File System (EFS), users will no longer be able to log on to that system locally. In addition, remote resource access to the system fails, regardless of the authority of the user making the request.

The problem is that once autoexec.bat has been encrypted with EFS, its contents can be read only by an account that holds the private key of the user who encrypted it (or of a configured recovery agent). During logon, Winlogon parses autoexec.bat to pick up environment variables such as PATH (the behaviour controlled by the ParseAutoexec registry value described below). For any other user that read fails, and with it the normal logon process.

VENDOR RESPONSE

On July 24 Microsoft responded to our request to verify this vulnerability, stating that further investigation was under way. Until the company issues its official response, a workaround is to protect the root directory of the system volume by adjusting its ACLs so that ordinary users cannot create, modify, or encrypt files there. By default Windows 2000 grants Everyone Full Control on the root of the system volume, which is what allows any local user to encrypt autoexec.bat in the first place. Microsoft's security team points out that stricter ACLs can be adopted by reviewing and applying the "securews" Security Configuration Manager (SCM) template provided with Windows 2000.

In his original post to NTBugTraq, Brandon described a way to recover from this situation: boot to the Recovery Console following the instructions in Support Online article Q229716, log on as Administrator, and delete the encrypted autoexec.bat file. Deleting an EFS-encrypted file requires only NTFS delete permission on the directory entry, not the encryption key, which is why this works even when the file cannot be decrypted.

In addition, Martin Holden pointed out that setting the following registry value (REG_SZ) to zero (0) causes Windows 2000 to skip autoexec.bat at logon, as described in Q185590. Once logon works again, the file can be decrypted, or deleted and recreated unencrypted. Note that the value lives under HKEY_CURRENT_USER, so it applies per user account and must be set for each account that logs on to the machine.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec
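As an added worked example (not part of Brandon Lay's post or of Microsoft's response), the following batch script ties the three remedies above together for a Windows 2000 system that an administrator can still log on to: it detects an EFS-encrypted autoexec.bat with cipher.exe, decrypts it if a usable key is available and otherwise deletes it, tightens the root-directory ACL with cacls.exe along the lines of the vendor workaround, and sets ParseAutoexec to 0 for the account running it. Every tool it calls ships with Windows 2000; the temporary .reg file name and the choice of granting Users read-only access are this example's own assumptions.

```batch
@echo off
REM Added example, not from the advisory or from Microsoft. On a working
REM Windows 2000 system: detect and clear an EFS-encrypted autoexec.bat,
REM tighten the system-volume root ACL, and stop Winlogon from parsing
REM autoexec.bat for the account running the script. Uses only tools that
REM ship with Windows 2000 (cipher.exe, cacls.exe, regedit.exe, find.exe).
REM Assumes an Administrator command prompt and that %SystemDrive% is the
REM NTFS system volume. The .reg file name below is arbitrary.
setlocal
set TARGET=%SystemDrive%\autoexec.bat
set REGFILE=%TEMP%\parseautoexec.reg

REM --- 1. Is autoexec.bat encrypted? "cipher <file>" lists the file with
REM        an E (encrypted) or U (unencrypted) marker in the first column.
if not exist "%TARGET%" goto acl
cipher "%TARGET%" | find /i "E autoexec.bat" >nul
if errorlevel 1 (
    echo %TARGET% is not encrypted.
    goto acl
)

REM --- 2. Try to decrypt. This succeeds only for the account that encrypted
REM        the file or for a configured recovery agent (on a stand-alone
REM        Windows 2000 machine, the local Administrator by default).
echo %TARGET% is encrypted; attempting to decrypt.
cipher /d "%TARGET%"
cipher "%TARGET%" | find /i "E autoexec.bat" >nul
if errorlevel 1 (
    echo Decrypted %TARGET%.
    goto acl
)

REM --- 3. No usable key: deletion needs only NTFS delete permission on the
REM        directory entry, not the file encryption key. This is the same
REM        recovery the advisory describes from the Recovery Console.
echo Cannot decrypt %TARGET%; deleting it instead.
del /f "%TARGET%"

:acl
REM --- 4. Harden the root directory ACL. /E edits the existing ACL instead
REM        of replacing it; /T is deliberately omitted so nothing under
REM        %SystemRoot% or Documents and Settings is touched. Users:R is
REM        this example's choice; widen it if a legacy application needs
REM        to write to the root.
cacls %SystemDrive%\ /E /R Everyone
cacls %SystemDrive%\ /E /G Administrators:F
cacls %SystemDrive%\ /E /G SYSTEM:F
cacls %SystemDrive%\ /E /G Users:R
REM Microsoft's pointer was the securews template instead; the equivalent
REM command-line form is:
REM   secedit /configure /db %SystemRoot%\security\database\securews.sdb /cfg %SystemRoot%\security\templates\securews.inf

REM --- 5. Turn off autoexec.bat parsing at logon (Q185590). ParseAutoexec
REM        is a REG_SZ value under HKEY_CURRENT_USER, so this only covers
REM        the account running the script; repeat per account, e.g. from
REM        a logon script.
> "%REGFILE%" echo Windows Registry Editor Version 5.00
>> "%REGFILE%" echo.
>> "%REGFILE%" echo [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
>> "%REGFILE%" echo "ParseAutoexec"="0"
regedit /s "%REGFILE%"
del "%REGFILE%"

echo Done. Verify with: cipher %SystemDrive%\autoexec.bat  and  cacls %SystemDrive%\
endlocal
```

The script is a hardening and clean-up step for a machine that is still usable; on a system already locked out by an encrypted autoexec.bat nothing can be run locally, so the Recovery Console procedure above comes first and this script follows once an administrator can log on again. The detection test is the same check worth running from a logon script on unpatched Windows 2000 hosts, since an encrypted autoexec.bat is a state no legitimate configuration produces.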

CREDIT
Discovered by Brandon Lay