This morning we released security bulletin MS10-086 to address a vulnerability in Windows failover disk clustering. Exposure to this vulnerability will only occur if Failover Clustering is installed. Failover Clustering is supported on Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Hyper-V, and Windows Server 2008 R2 Storage Server editions. However, on these platforms, Failover Clustering is not enabled by default.
In a normal scenario, when hard disks are added to a machine, the default permissions on administrative shares (C$, Admin$, etc.) only allow administrators to access them. This vulnerability sets the permissions on the administrative shares for new shared cluster disks, created via the Failover Cluster Manager UI, to Everyone Full Control. This could allow unauthorized access to those administrative shares.
By default, affected editions of Windows Server 2008 R2 are not impacted by this vulnerability. This vulnerability only manifests itself when hard disks are added to a failover cluster. When an administrator creates a failover cluster disk in the Failover Cluster Manager UI, the default permissions on the administrative shares are set to allow everyone full control. Even though permissions on the shared cluster are set to allow everyone full control, NTFS Access Control Lists (ACLs) are still respected. By default, when formatting a partition, NTFS defaults to granting BUILTIN\Authenticated Users read, write, and modify permissions. If an administrator has manually configured ACLs on the entire drive, or selected folders/files, those ACLs are still properly enforced. All non-clustered hard disks on the system maintain the correct share permissions.
When installing a new failover cluster, please use the following steps to help ensure that your administrative shares on failover cluster disks are properly permissioned.
Administrator privileges are required to complete this procedure. To learn more about using the appropriate accounts and group memberships, see the TechNet Library article, Local and Domain Default Groups.
Install the Failover Clustering feature:
1. If you recently installed Windows Server 2008 R2 on the server and the Initial Configuration Tasks interface is displayed, under Customize This Server, click Add features and proceed to Step 3.
2. If Initial Configuration Tasks is not displayed, add the feature through Server Manager:
3. In the Add Features Wizard, click Failover Clustering, and then click Install.
4. When the wizard finishes, close it.
5. Install security update KB2294255.
6. Repeat the process for each server that you want to include in the cluster.
After completing this procedure, any new clusters you create will not be affected by this vulnerability.
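For clusters that were built before the update was applied, the following PowerShell script (an added audit example, not code from the bulletin or from Microsoft) checks the share-level DACL of the administrative shares on each node and flags any share where Everyone (S-1-1-0) is granted Full Control, which is the condition described above. It uses WMI so it runs on Windows Server 2008 R2 with PowerShell 2.0; the node names are placeholders you replace with your own.

```powershell
# Audit administrative shares (C$, D$, ..., ADMIN$) on cluster nodes for a share DACL
# that grants Everyone Full Control. Share permissions only; NTFS ACLs are separate.
param(
    [string[]]$Nodes = @('NODE1', 'NODE2')   # placeholder node names, replace with yours
)

$EveryoneSid = 'S-1-1-0'   # well-known SID for Everyone
$FullControl = 0x1F01FF    # access mask for Full Control on a share ACE

foreach ($node in $Nodes) {
    # Win32_LogicalShareSecuritySetting exposes the share-level security descriptor
    $settings = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $node -ErrorAction Stop
    foreach ($share in $settings) {
        # Only hidden administrative shares (drive-letter$ and ADMIN$) are of interest here
        if ($share.Name -notmatch '^([A-Za-z]|ADMIN)\$$') { continue }

        $result = $share.GetSecurityDescriptor()
        if ($result.ReturnValue -ne 0) {
            Write-Warning "$node\$($share.Name): GetSecurityDescriptor failed (code $($result.ReturnValue))"
            continue
        }
        $dacl = $result.Descriptor.DACL
        if ($dacl -eq $null) { continue }   # no DACL means nothing to evaluate

        foreach ($ace in $dacl) {
            $isAllow    = ($ace.AceType -eq 0)                               # 0 = access allowed
            $isEveryone = ($ace.Trustee.SIDString -eq $EveryoneSid)
            $isFull     = (($ace.AccessMask -band $FullControl) -eq $FullControl)
            if ($isAllow -and $isEveryone -and $isFull) {
                New-Object PSObject -Property @{
                    Node       = $node
                    Share      = $share.Name
                    Trustee    = 'Everyone'
                    AccessMask = ('0x{0:X}' -f $ace.AccessMask)
                    Finding    = 'Everyone has Full Control on the share DACL'
                }
            }
        }
    }
}
```

Any object the script emits identifies a share whose permissions should be corrected; a node that reports nothing has administrative shares that are restricted as expected.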
Microsoft has made security assurances with respect to administrative privileges in general, and customers have come to expect that the permissions on administrative shares be set correctly by default. A security assurance is embodied in either a security feature or a product feature/function that customers expect will offer a consistent level of security protection. In order to uphold this expectation, and to enable customers to rely on the integrity of this Windows feature, a security update has been issued. While the actual severity rating of this vulnerability is only Moderate, depending on the customer environment, the impact caused by this vulnerability could be significant. Customers should evaluate this vulnerability as it pertains to their specific environment to make the appropriate risk assessment.
Thanks to Mark Debenham for his work on this case.
Charles Weidner, Microsoft Security Response Center
Update 11/10: Removed inaccurate requirement to manually set permissions after installing the update.