Today is patch Tuesday for March 2010, and Microsoft has released two security bulletins for this round of updates, neither of which are deemed critical. The second bulletin addresses seven different vulnerabilities across various versions of Microsoft Office Excel.

ID: MS10-016
Title: Vulnerabilities in in Windows Movie Maker Could Allow Remote Code Execution
Microsoft Severity: Important

Summary: There is a buffer overflow in the Windows Movie Maker and MS Producer 2003 which can lead to code execution. Movie Maker 2.1 is included with Windows XP SP2 and SP3, and Movie Maker 6.0 is included with Vista. Movie Maker 2.6 is an optional download for Vista and Windows 7.

Praetorian’s Recommendation: This is deemed important instead of critical due to the user having to run content which exploits the vulnerability. A user would have to be tricked into opening a Movie Maker project file (mswmm) to be exploited. This can be updated in your next patch cycle, and is not considered urgent.

ID: MS10-017
Title: Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution
Microsoft Severity: Important

Summary: This update addresses seven different vulnerabilities related to Microsoft Office Excel. Each vulnerability may affect one or more of the following versions: Office Excel 2003 SP3, Office Excel 2003 SP3, Office Excel 2007 SP1 and SP2, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac, Office Excel Viewer SP1 and SP2, Office Compatibility Pack for Word, Excel, and Powerpoint 2007 File Formats SP1 and SP2, and Office SharePoint Server 2007 SP1 and SP2.

Praetorian’s Recommendation: Although the same requirement exists as MS10-016 for users to open malicious files, Excel formats are more recognizable and phishing and social engineering techniques can be more successful with a known or common file format. This can be updated in your next patch cycle, but should warrant more attention than MS10-017.

Related Posts:

• iPhone 4 Ordering and Session Switching
• May’s Patch Tuesday
• Press F1 for Help, pwned.
• February’s Patch Tuesday
• Using Group Policy to Disable JavaScript in Adobe PDF Files

Microsoft published security advisory 981169 yesterday in response to the zero day vulnerability reported a few days prior. The vulnerability is in the help system and can be triggered by luring an Internet Explorer user into pressing the F1 key. Windows 2000, Windows XP SP2 & SP3, and Windows 2003 SP2 with Internet Explorer 7 and Internet Explorer 8 are all affected.

Credit to Maurycy Prodeus for publishing the initial details of the vulnerability.

Details

Using the MsgBox VBScript function in an html file, an attacker can create a dialog box prompting the user to hit F1, something that is likely not difficult to do with a message such as “Internet Explorer encountered an error, press F1 to continue”. The MsgBox function is important as its fourth argument specifies a helpfile parameter, basically which hlp or chm file to launch when the user asks for help via F1.

I created a simple help file with the word “Test” using the Microsoft Help Workshop version 4.03. In addition to this, I added the macro to launch a command prompt (cmd.exe). When I double click this file in Windows XP SP3, I get my test helpfile and the command prompt launches as well:

Cmd.exe launched with my Help file.

So we now have a .hlp file which executes code. As mentioned before, the MsgBox function has a parameter to specify a help file to launch when the user hits F1. Here is where I come back to a recurring issue of SMB traffic and allowing it outbound on firewalls. In order for the MsgBox parameter to launch the .hlp file, the attacker must point to a local file (which the user would have had to already download) or host a file on an internet accessible SMB share. If you look at the proof of concept code circulating, currently you will see the MsgBox help parameter is “\x.x.x.x\attackfile.hlp”, a pointer to a help file on an SMB share. Corporate enterprises should certainly block SMB outbound, and with this vulnerability and the several previous attacks via SMB client, users should be blocking this outbound traffic as well.

Vista, Windows 7, & Server 2008

The vulnerability does not work on Vista, Windows 7 and Windows 2008 due to Microsoft no longer including winhlp32.exe with these versions. However, there is an update which can install winhlp32 for these versions (Windows 7 Version I installed from here). I found that these updates did not launch the cmd.exe as the Windows XP version did (I also tried Prodeus’s PoC help file and it displayed but did not run calc.exe). It is possible that Microsoft removed this code execution function from these versions.

Workarounds

The warnings are avoid hitting F1 when prompted by websites. Additionally, permissions to winhlp32.exe can be modified so that it doesn’t execute. In an Active Directory environment, a Group Policy software restriction setting can prohibit winhlp32.exe from launching. As mentioned, I recommend blocking outbound SMB traffic, as there is rarely a justification for mounting a network share on the public internet. This helps with many known vulnerabilities disclosed in the past as well.

Related Posts:

• Turning an ATM into a Slot Machine
• iPhone 4 Ordering and Session Switching
• Thou Shalt Not Send Naked Pictures…To Anyone Ever
• May’s Patch Tuesday
• IEPeers – A New Internet Explorer Zero Day Vulnerability

Adobe’s implementation of Javascript in PDF documents, referred to as Acrobat JavaScript, appears to have been originally introduced based on the popularity of PDF eForms. Javascript allows for some dynamic behaviors in PDF’s, including calculations, responses to user actions, user data validation, and the integration of other dynamic capabilities.

We have previously posted instructions for users to disable JavaScript, giving them the option to enable it only when necessary. However, if you have made the decision to make this change across your enterprise or to a specific user base, this manual process is not practical. Therefore, a Group Policy Object is best to handle the task at hand.

The following is a custom ADM file

CLASS USER

CATEGORY "Adobe Reader"
     POLICY "Version 8.0 JavaScript Settings"
        KEYNAME "SOFTWARE\Adobe\Acrobat Reader\8.0\JSPrefs" 
        PART "Enable JavaScript"
            CHECKBOX
            VALUENAME "bEnableJS"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Enable menu items JavaScript execution privileges" 
            CHECKBOX
            VALUENAME "bEnableMenuItems"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Enable global object security policy"
            CHECKBOX
            VALUENAME "bEnableGlobalSecurity"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Debugger: Show console on errors and messages"
            CHECKBOX
            VALUENAME "bConsoleOpen"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
    END POLICY
    POLICY "Version 9.0 JavaScript Settings"
        KEYNAME "SOFTWARE\Adobe\Acrobat Reader\9.0\JSPrefs" 
        PART "Enable JavaScript"
            CHECKBOX
            VALUENAME "bEnableJS"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Enable menu items JavaScript execution privileges" 
            CHECKBOX
            VALUENAME "bEnableMenuItems"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Enable global object security policy"
            CHECKBOX
            VALUENAME "bEnableGlobalSecurity"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Debugger: Show console on errors and messages"
            CHECKBOX
            VALUENAME "bConsoleOpen"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
    END POLICY
END CATEGORY

Note: If you use the newer admx/adml for custom group policy, you can implement these settings as well. You can find the ADMX syntax guide here.

Save the custom ADM file where your GPO editor can browse to it. In Computer Configuration, Administrative Templates, right click and select Add/Remove templates. Once you add the template, if you are using XP/2003 you’ll have to ensure your filtering is setup to see “unmanaged” group policies, which are basically custom ADM entries which tattoo the registry. Under filtering, in your GPO editor, uncheck the option as shown:

gpedit

Once the ADM is added, and the filter option is cleared, you will see the configuration entries for Adobe Reader. Note in the figure there are settings for both versions 8 and 9. I had to separate these since the registry locations differ based on versions, but you can edit the ADM file to just have the version you are using.

Adobe Settings in GPO

When configuring the GPO setting, you have four options in the form of checkboxes, which mirrors the JavaScript settings in the Adobe Reader preferences pane. Here, you would choose to have the global object security policy enabled and the other three settings disabled (note that JavaScript is the first setting).

Detailed settings

With the GPO settings configured, you can link it to an organization unit (OU), a site, or a domain to deploy it. Remember that it is a user side GPO, so your user objects where the GPO is linked in AD will apply these settings.

Related Posts:

• March’s Patch Tuesday
• Press F1 for Help, pwned.
• Regular or Decaf? Tool launched to combat COFEE
• Six Bulletins in Last Patch Tuesday of 2009
• Remote SMB Exploit: Crashing Windows 7 and Server 2008

About a month ago, there was much news about the release of COFEE into the torrent wild. I even gave my two cents about the much hyped forensics toolkit which is provided to law enforcement for the purposes of easily capturing volatile data from personal computers during evidence collection. A tool to counter COFEE, aptly named DECAF, has been released as an anti-forensics tool to prevent the use of COFEE for data collection.

“We want to promote a healthy unrestricted free flow of internet traffic and show why law enforcement should not solely rely on Microsoft to automate their intelligent evidence finding,” one of the two hackers behind Decaf told The Register in explaining the objective of the project.

DECAF Details

DECAF is written in Visual Basic 2005 and consists of a single executable and an XML configuration file called decaf.exe.config which contains the application settings (an XML is also created in the user’s profile directory for each user’s specific settings).

When launched, it displays the user license agreement and asks for confirmation. When agreed, it writes the following registry entry:

Key: HKU\SOFTWARE\DECAFme
Value: AcceptedEULA
Data: true

The program then connects via HTTP to 208.68.237.165 to check the current version number and receives the following response: 1.0.0|http://www.decafme.org/|

If the application does not have a network connection, it will crash upon starting up with the following event:

EventType clr20r3, P1 decaf.exe, P2 1.0.2.0, P3 4b2679b7, P4 decaf,
 P5 1.0.2.0, P6 4b2679b7, P7 115, P8 14d, P9 
system.invalidoperationexception, P10 NIL.

Decaf Menu

I produced this initially when I had my virtual host’s network interface disabled.

Starting the monitor puts the application in detection mode, looking for the presence of COFEE. It waits for the launch of runner.exe, the launcher in COFEE, and will perform an action based on the configuration settings. It appears the tool checks the MD5 hash of runner.exe (ab9e68c7e71ebb2d6a5b8d17e9bd6b33). In addition to detecting the launch of runner.exe, the tool performs a WMI query to detect the COFEE USB thumb drive. The WMI query used for this type of action is:

SELECT * FROM __InstanceOperationEvent WITHIN 10 WHERE TargetInstance ISA "Win32_DiskDrive"

And since the thumb drive has the COFEE label, finding its presence should not be an issue.

Notification finding COFEE

When COFEE is found, a notification is sent over to decafme.org (note I changed the rip field to invalid IP addresses):

GET /decaf.php?&rip=299.297.141.45&rtime=12142009_050704PM-5&sim=false HTTP/1.1

When clicking Simulate, it mimics what would happen if coffee is found, and the sim field is set to true:

GET /decaf.php?&rip=299.297.141.45&rtime=12142009_051522PM-5&sim=true HTTP/1.1

The Configuration Menu

Lockdown Settings

In the configuration menu, there are checkboxes in the Monitor section to “Monitor USB” and “Monitor COFEE”. As discussed, these options enable checking for runner.exe and detection of the USB thumb drive. The Notification section contains options for notifying the user when detection occurs. The Actions section is the interesting part, especially editing the Lockdown Mode. Here, you can set what happens when detection occurs. Some of the options are:

• Shutdown the system
• Kill selected processes
• Disable Network, USB, CD-ROM, ports, floppy
• Clear event viewer
• Erase Data

The configuration settings are stored per user in an XML file located in:

%USERPROFILE%\local settings\application data\DECAFme.org\Decaf.exe_Url_5fokqfogt1qso5vyeabunvhsigozqvpo\1.0.2.0>

If the config for the user does not exist, the default in the launch directory is used.

Conclusion

When I first heard of the tool, I assumed it would also include detection of the default OS commands and Sysinternal utilities that COFEE typically runs, such as pslist.exe or tcpvcon.exe, however, in its current version this is not the case. An anti-forensics tool which expands into detecting the typical collection tools will affect investigations that use various toolkits (Helix, IRCR, etc), not just COFEE. However, as quoted by The Register, the DECAF brewer’s intentions are not to derail just any collection suite, but for law enforcement to expand beyond using what Microsoft provides them.

This version of decaf is still very bitter and has quite a ways to go in its development. The authors of Decaf are promising a more light-weight version or a windows service in the next release and text message and email triggers to enter lockdown mode remotely in future versions. However, Decaf provides a good example of how anti-forensic tools continue to evolve and can become serious roadblocks for digital forensic investigators.

Updates

The authors of Decaf have shut down the project and have said they are starting a forum for those interested in further discussing related matters. Considered a spoof, stunt, hoax, and many other names in the media, we have discussed the matter in the following post.

Related Posts:

• iPhone 4 Ordering and Session Switching
• May’s Patch Tuesday
• WinPE 3.0 & Forensics
• March’s Patch Tuesday
• Press F1 for Help, pwned.

• MS09-071 – Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)
• MS09-074 – Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183)
• MS09-072 – Cumulative Security Update for Internet Explorer (976325)
• MS09-069 – Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392)
• MS09-070 – Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726)
• MS09-073 – Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539)

Severity Levels

Microsoft has a rating system for bulletins which includes: Critical, Important, Moderate, and Low. The severity levels I provide below are not directly from Microsoft. For example, MS will give an important rating when exploitation could result in compromise of availability, as in a denial of service. MS09-069 can result in a denial of service, however, the attacker must already be authenticated. For this reason I drop the severity to Low.

Bulletin Summaries

Bulletin: MS09-071
Recommended Action: Update Windows 2008 Server (32-bit and 64-bit) which have IAS configured to use PEAP with MS-CHAP v2 authentication.
My Severity Rating: Moderate, should patch the above mentioned software.

This update addresses two vulnerabilities in the Internet Authentication Service (IAS). One is an IAS memory corruption vulnerability and the second is an authentication bypass vulnerability in MS-CHAP authentication. Client operating systems contain the vulnerable code but the components are not used in a way to make them vulnerable.

Bulletin: MS09-074
Recommended Action: Update MS Project 2000 SR-1.
My Severity Rating: Important for Project Software

This update addresses a vulnerability in Microsoft Project which can cause remote code execution when a specially crafted Project file is opened.  Microsoft Project 2000 SR-1, Project 2002 SP1 and Project 2003 SP3 are affected.

Bulletin: MS09-074
Recommended Action: Update Internet Explorer
My Severity Rating Critical

This update addresses five difference vulnerabilities with at least one or more affected every version of Internet Explorer. Attackers can host malicious code which can lead remote code execution on vulnerable systems. Any issues that lead to remote execution in IE should be addressed immediately; even if you are confident about not browsing malicious sites, a known site, such as the Pentagon web site, could be used to automatically execute or redirect you to malicious code using cross-site scripting.

Bulletin: MS09-069
Recommended Action: Update Windows 2000, Windows XP and Windows 2003
My Severity Rating: Low

A vulnerability in LSASS can cause a denial of service. The attacker must be authenticated and communicating through IPSEC.

Bulletin: MS09-070
Recommended Action: Update Windows 2003 and Windows 2008 Servers
My Severity Rating: Low

This update addresses two vulnerabilities in Active Directory Federation Services, one which can be used to spoof an authenticated user and the second which can cause remote code execution. The spoofing requires access to a workstation and browser recently used by a targeted user and the remote code execution requires the attacker to have valid logon credentials to the vulnerable server.

Bulletin: MS09-069
Recommended Action: Update Windows XP SP3 and/or Office 2003 SP3
My Severity Rating: Moderate

A vulnerability in text converters in WordPad and Office can cause remote code execution. Malicious code can be hosted on a website to trigger an exploit, however, an attempt would cause a dialog box to appear prompting the user to open the file (unless the option to “Always ask before opening this type of file” has been unchecked).

Adobe

Adobe has mirrored the patch Tuesday schedule of releasing patches on the first Tuesday of the month. The severity ratings also follow the same definitions a s Microsoft’s.

Adobe has two advisories for this month:

Bulletin: APSA09-06
Recommended Action: Update Adobe Illustrator CS4 and earlier. (Avail Jan 8)
My Severity Rating: Low

A vulnerability in Illustrator CS4 and earlier could lead to remote code execution. The target is required to open a malicious eps file.

Bulletin: APSA09-17
Recommended Action: Update Adobe Flash Player and Adobe AIR
My Severity Rating: Low

Adobe states this is a critical update and it is scheduled for release today, but does not provide details of the update.

Updates

Adobe has released details on the Flash Player update. The update addresses six vulnerabilities, five which can lead to remote execution and one to information disclosure. The vulnerabilities were identified in Flash Player version 10.0.32.18 and earlier.

References

• Microsoft’s December Bulletins
• Adobe’s Security Advisories

Related Posts:

• Turning an ATM into a Slot Machine
• iPhone 4 Ordering and Session Switching
• May’s Patch Tuesday
• March’s Patch Tuesday
• Press F1 for Help, pwned.

Python code was posted today by Laurent Gaffie on his blog, demonstrating a much too easy way to remotely crash a Windows 7 or Windows Server 2008 machine. The crash is caused by sending a NetBIOS header which specifies that the SMB packet is 4 bytes smaller or larger than it actually is.

In this code sample below, you can see that the header has the length of the packet set to 9a rather than 9e (4 bytes smaller). Update: We have tested with different variations, such as 1 byte and 2 bytes off, which also caused the crash.

packet = "\x00\x00\x00\x9a" # --> length should be 9e not 9a.. 
"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"

We also tested this by setting 9e to aa (4 bytes larger) to see if it had the same affect and it indeed it did.

A little about the “crash”. The Operating System actually freezes. There is no error message, no blue screen of death, no indication that anything has gone wrong. Even after power cycling, the event logs show no sign of a mishap, aside from the typical events generated from booting up again.

Demonstration

Our victim targets are:

1. A Windows 7 Professional workstation with latest patches.
2. A Windows Server 2008 R2 Standard Core Edition with latest patches.

On Open BSD, Mac OSX, and Linux 2.6 workstations, we ran the python code and had it listen on port 445.  I would have had a Windows server run the listening server, but SMB on Windows already listens on port 445 and for the purpose of the demonstration it was easier to run it on machines that do not listen on this port by default.  From the Windows 7 and Windows Server 2008 victim machines, we simply attempt any type of SMB connection to the bad hosts listening with the Python code. This can be done by simply doing a directory command (dir) to a non-existent share (dir \\ip-address\share).

The screenshot below shows the command window with the dir command used to attempt a connection to a host (172.17.20.139) which is running the Python code, ready to send that SMB packet over. As soon as the connection is attempted, the whole machine freezes. I had resource monitor and task manager running and every counter, even the ticking of uptime, stopped dead. In some cases, I left the machine in this state for a significant amount of time.  Also, the host was no longer pingable, so once the crash occurred, it was off the network and no longer attempting any more SMB traffic.

What is the big deal?

To simulate how an attacker could use this, we hosted a small internal web page, with a simple link to direct the user to our malicious host. Now, as seen in the image below, our link was very obvious for demonstration purposes, users can be redirected in various obfuscated ways.  Although remote elevated privileges or sensitive data theft is not part of this proof of concept, this can still be a very troublesome issue.

References

• g-laurent.blogspot.com: Windows 7 / Server 2008R2 Remote Kernel Crash
• informationweek.com: Microsoft Investigating Zero-Day Windows 7 Flaw
• darkreading.com: Microsoft Looks Into Bug That Can Crash Windows 7
• thetechherald.com: Microsoft Kernel Smash vulnerability being investigated

Update

Microsoft says this is being investigated as a possible denial of service vulnerability, but initially responded that correcting it will be handled in the first service pack updates for Windows 7 and Server 2008 R2 rather then as a "Patch Tuesday" security update.

Microsoft has posted a security advisory (977544) regarding the issue.

Related Posts:

• IEPeers – A New Internet Explorer Zero Day Vulnerability
• March’s Patch Tuesday
• Press F1 for Help, pwned.
• The “Aurora” IE Exploit Used Against Google in Action
• Windows 7 SMB Kernel Crash Video

Functional levels were first introduced when Active Directory made its appearance in Windows 2000 Server. They allowed you to run different versions of domain controllers in your environment, and when all the domain controllers were brought up to a certain version of Windows, you could raise the functional levels to gain the added features of that operating system version. Now that Windows 2008 R2 is released, it is unlikely that you will mass deploy this new operating system to your entire forest or domain. Instead, you’ll deploy a single domain controller and kick the tires, so to speak. The time will eventually come when you’ve upgraded every domain controller to R2, and at that point you can raise the functional level to 2008 R2 to take advantage of the new features.

Functional levels can be raised in domains or, as of Windows 2003 Server, in the forest, providing different features in each. They are differentiated by labeling them Domain Functional Level and Forest Functional Level.

What’s new in 2008 R2

Domain Functional Level

There are two features added when raising the domain functional level to 2008 R2. They are Authentication Mechanism Assurance and Automatic SPN Management.

Authentication mechanism assurance is meant for domains that utilize federation services (ADFS) or certificate-based authentication methods, such as smart card or token-based authentication. This mechanism adds information to the user’s kerberos token on the type of authentication used. This allows administrators to modify group membership based on how the user authenticates. For example, a user can have access to different resources if they log in with a certificate versus when they log in with just their username and password.

Automatic SPN management provides a method for managing service accounts for applications such as Exchange, SQL and IIS. In the past, regular domain accounts were used for these purposes, adding management headaches in terms of password management and service principle names (SPNs). This new feature provides the following benefits:

• A class of domain accounts can be used to manage and maintain services on local computers.
• Passwords for these accounts will be reset automatically.
• Do not have to complete complex SPN management tasks to use managed service accounts.
• Administrative tasks for managed service accounts can be delegated to non-administrators.

Forest Functional Level

There is one new feature in raising the forest functional level to Server 2008 R2, and it is long overdue. It is the Active Directory recycle bin. In the days of old, when an IT administrator or help desk operator accidentally deleted an OU filled with user or computer objects (this has happened more times than you would think), there would be a scramble to perform a restore. The delete replicates to all domain controllers, so an authoritative restore in Active Directory restore mode from a good backup using NTDSutil would be in order. With 2008 R2 forest functional level, a powershell cmd-let will undo this instantly.

Note that this feature is not enabled automatically when raising forest functional level. Additionally, you must run the following command in the Active Directory Module for Powershell.

Enable-ADOptionalFeature –Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=Directory
Service,CN=Windows NT,CN=Services,CN=Configuration, DC=mydomain,DC=com’
–Scope ForestOrConfigurationSet –Target ‘mydomain.com’

Functional levels of previous version

The following are the previous functional levels and what features they added, as documented in Technet.

Domain Functional Levels:

Windows 2000 Native:

• Universal groups are enabled for both distribution groups and security groups.
• Group nesting.
• Group conversion is enabled, which makes conversion between security groups and distribution groups possible.
• Security identifier (SID) history.

Windows Server 2003

• The availability of the domain management tool, Netdom.exe, to prepare for domain controller rename.
• Update of the logon time stamp. The lastLogonTimestamp attribute will be updated with the last logon time of the user or computer. This attribute is replicated within the domain.
• The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects.
• The ability to redirect Users and Computers containers. By default, two well-known containers are provided for housing computer and user/group accounts: namely, cn=Computers, and cn=Users,. This feature makes possible the definition of a new well-known location for these accounts.
• Makes it possible for Authorization Manager to store its authorization policies in Active Directory Domain Services (AD DS).
• Includes constrained delegation so that applications can take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. Delegation can be configured to be allowed only to specific destination services.
• Supports selective authentication, through which it is possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.

Windows Server 2008

• Distributed File System (DFS) Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents.
• Advanced Encryption Services (AES 128 and 256) support for the Kerberos authentication protocol.
• Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.
• Fine-grained password policies (FGPP), which make it possible for password and account lockout policies to be specified for users and global security groups in a domain.

Forest Functional Levels:

Windows 2000:

There were no forest functional levels, just domain.

Windows Server 2003:

• Forest trust.
• Domain rename.
• Linked-value replication (changes in group membership store and replicate values for individual members instead of replicating the entire membership as a single unit). This change results in lower network bandwidth and processor usage during replication and eliminates the possibility of lost updates when different members are added or removed concurrently at different domain controllers.
• The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008.
• Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The Intersite Topology Generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less intrusive mechanism for choosing the ISTG at the Windows 2000 forest functional level.
• An improved ISTG algorithm (better scaling of the algorithm that the ISTG uses to connect all sites in the forest).
• The ability to create instances of the dynamic auxiliary class called dynamicObject in a domain directory partition.
• The ability to convert an inetOrgPerson object instance into a User object instance, and the reverse.
• The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization.
• Deactivation and redefinition of attributes and classes in the schema.

Windows Server 2008:

No forest functional level changes occurred from Windows 2003 to Windows 2008.

Related Posts:

• iPhone 4 Ordering and Session Switching
• May’s Patch Tuesday
• March’s Patch Tuesday
• Press F1 for Help, pwned.
• Using Group Policy to Disable JavaScript in Adobe PDF Files