Win2000 System Root Directory security concern

    install procedure

    Thomas Irlet found the following. While the NT 4 installation asks
    you for a name for the System Root directory, you don't get the
    same question when installing Windows 2000. Even worse: if you
    try to rename the SystemRoot (that is, C:\WINNT) after the
    installation (which is quite hard to do), you can boot your
    system but can't log in. The problem is at least the Explorer,
    which is coded to use C:\WINNT instead of %SystemRoot%.

    This is a security related issue, because with hardcoded names an
    attacker knows exactly which path to use (e.g. attacks that need
    known path names). On this point, the security of Windows 2000
    is weaker than the security of NT 4, only because some programmers
    were too lazy to translate the environment variable SystemRoot!
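    An added audit example, not part of the original report: it scans text in
    Windows .reg export syntax for string values that embed the literal system
    root instead of %SystemRoot%, the kind of hard-coding described above that
    also hands an attacker a known path. The registry lines and the default
    root C:\WINNT are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample in .reg export syntax (not taken from any real system).
# Literal C:\WINNT paths are the hard-coding the advisory describes;
# %SystemRoot%-based values keep working if the root is relocated.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\App]
"Shell"="C:\\WINNT\\explorer.exe"
"Helper"="c:\\winnt\\system32\\helper.exe /quiet"
"Logs"="%SystemRoot%\\system32\\LogFiles"
"Data"="D:\\Data\\app.db"
'''

# Matches a "name"="value" line of a .reg file (REG_SZ values only;
# REG_EXPAND_SZ values are exported as hex(2) and are not examined here).
_REG_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def find_hardcoded_root(reg_text: str,
                        system_root: str = r"C:\WINNT") -> List[Tuple[str, str, str]]:
    """Return (name, value, suggested) for each string value whose path
    starts with the literal system root; 'suggested' is the same value
    rewritten relative to %SystemRoot%. Comparison is case-insensitive,
    as NTFS paths are."""
    findings = []
    root = system_root.rstrip("\\").lower()
    for raw in reg_text.splitlines():
        m = _REG_LINE.match(raw.strip())
        if not m:
            continue
        # .reg files escape every backslash as \\; undo that before comparing.
        name = m.group("name")
        value = m.group("value").replace("\\\\", "\\")
        lowered = value.lower()
        if lowered == root or lowered.startswith(root + "\\"):
            suggested = "%SystemRoot%" + value[len(root):]
            findings.append((name, value, suggested))
    return findings


if __name__ == "__main__":
    for name, value, suggested in find_hardcoded_root(SAMPLE_REG):
        print(f"{name}: {value}  ->  {suggested}")
```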

    You can use the recovery console, even if the SystemRoot is not
    /WINNT. But the installation of the recovery console through
    "winnt32 /cmdcons" always installs the files into the directory
    /CMDCONS. And you can't rename this directory because *this*
    directory is hard coded into setupldr.bin. And setupldr.bin is
    called first in the boot process and has to load all drivers for
    the recovery console, so at least these drivers have to be in the
    directory /CMDCONS. As setupldr.bin is a slightly modified ntldr,
    it should be possible to get the name of the SystemRoot, as ntldr

    If you feel this is a security concern you can always install
    using an unattended install and in your answer file specify
    targetpath = yourchoice. Microsoft outlines this design change
    in Knowledge Base article Q235478.

    The path in Recovery Console is not hard coded at all. In fact,
    if there is more than one installation of W2K on a machine and you
    boot to Recovery Console, you will be prompted as to which OS you
    want to boot into. Explorer is not hard-coded to use \WINNT
    either. You can install W2K into a folder other than \WINNT in two
    ways. You can specify the systemroot directory in an unattended
    installation. If you attempt to install W2K on a drive that
    already has a \WINNT folder, you will be prompted to choose
    another location.

