Active Directory fix to require significant upgrade

A key security flaw in Microsoft Corp.’s Active Directory pointed out more than 12 months ago by early adopters won’t be patched for nearly another year.

What’s more, enterprise users will have to upgrade all their directory servers, known as domain controllers, to the forthcoming “Whistler” version of Windows 2000 to activate the patch.

Observers say the security flaw, which can cause changes to user groups to be dropped before being recorded, tops the list of issues that need to be addressed in Active Directory.

Until the flaw is fixed, Microsoft says the workaround involves procedural policies for administering the directory.

The flaw centers on the requirement that administrators manage user groups as a single entity, or attribute, and not by individual user, a concept called “multi-valued attributes.” Multi-valued attributes force administrators to update an entire attribute, or list, to add or delete even a single user.

If two administrators make changes to the same list, one set of changes is tossed out during replication as part of conflict resolution.

One result could be that a user deleted from a group membership by one administrator could be returned to the group and retain group access rights and permissions due to the work of another administrator.

“We have been doing little tricks so the risk is only a local problem, and we only have a small chance of a security failure,” says a systems analyst for a large multinational oil and gas company who asked not to be identified.

The systems analyst says the trick is to centralize administration of group membership lists: “We use good people processes to work around what is a technology failure.” The systems analyst says the problem is a top security issue and “if we have to upgrade to Whistler, then that’s what we’ll do.”

But it appears not many users know that’s what they’ll have to do.

Microsoft said a year ago the issue would be resolved in a Service Pack, widely believed to be Service Pack 2, which will be released in the next few weeks.

But after the company discovered what was needed to correct the problem, the fix was added to the feature list of Whistler, which Microsoft expects to have out by year-end.

“At some point, Microsoft switched its story. The question is how many people understand this is an issue, and of those, how many understand that it won’t be fixed until Whistler. Further, how many understand that it will require all of their domain controllers to be upgraded to Whistler?” asks Neil MacDonald, an analyst with Gartner Group.

Microsoft says users are aware of the issue and points to a 400-word passage in a more than 1,150-page deployment guide as proof the issue has been explained to users.

But the timing of the fix has not been formally announced because details of the planned Whistler beta-test version are not publicly available.

“It sounds like another issue that might further slow the pace of enterprise migrations” to Win 2000, says Josh Canary, Win 2000 business manager for consulting firm Collective Technologies.

Microsoft, which now calls the issue “link value replication,” says prudent users are not experiencing problems.

“I don’t think this fix is something customers are shopping for or that it is holding up deployments,” says Shanen Boettcher, product manager for Win 2000. “Work on Whistler is evolutionary, and there isn’t a single feature that will force changes to configurations of domain controllers.”

Microsoft says the best way to avoid the problem is to make all group membership changes on a single domain controller, which prevents replication conflicts.
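The replication conflict described earlier (two administrators editing one multi-valued group attribute) and the single-domain-controller workaround above, as an added simulation that is not code from the article or from Microsoft. Domain controller names, user names and version stamps are constructed, and conflict resolution is simplified to "highest stamp wins".

```python
"""Simulation of Active Directory group-membership replication (added example).
Models the article's scenario: two domain controllers (DC1, DC2) each change the
same group's multi-valued ``member`` attribute before replicating.  Constructed
names and stamps; real AD conflict resolution is simplified to highest-stamp-wins."""
from dataclasses import dataclass, field


@dataclass
class Change:
    dc: str                 # originating domain controller (constructed)
    stamp: int              # version-like counter; higher wins on conflict
    members: set            # full membership list as written on that DC
    added: set = field(default_factory=set)
    removed: set = field(default_factory=set)


def attribute_level_merge(changes):
    """Pre-Whistler behaviour: the whole attribute is one replicated value,
    so the change with the highest stamp wins and the other is discarded."""
    winner = max(changes, key=lambda c: c.stamp)
    return set(winner.members)


def linked_value_merge(base, changes):
    """Link value replication: each add/remove replicates on its own,
    so concurrent edits to different members both survive."""
    result = set(base)
    for c in sorted(changes, key=lambda c: c.stamp):
        result -= c.removed
        result |= c.added
    return result


def single_dc_serialized(base, ops):
    """The article's workaround: route every edit through one DC so changes
    are applied in order on one replica and never conflict."""
    result = set(base)
    for action, user in ops:
        result.discard(user) if action == "remove" else result.add(user)
    return result


def scenario():
    base = {"alice", "bob", "carol"}
    # DC1: one admin removes alice (she should lose the group's access rights)
    dc1 = Change("DC1", 101, base - {"alice"}, removed={"alice"})
    # DC2: another admin adds dave a moment later, unaware of DC1's change
    dc2 = Change("DC2", 102, base | {"dave"}, added={"dave"})
    return {
        "attribute_level": attribute_level_merge([dc1, dc2]),
        "link_value": linked_value_merge(base, [dc1, dc2]),
        "single_dc": single_dc_serialized(base, [("remove", "alice"), ("add", "dave")]),
    }


if __name__ == "__main__":
    for name, members in scenario().items():
        print(f"{name:16s} alice still a member: {'alice' in members}  {sorted(members)}")
```

Only the attribute-level result keeps alice in the group; a detection control is to audit group membership on all domain controllers after replication and flag users who reappear after a recorded removal.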