Microsoft Security Advisory (945713): Vulnerability in Web Proxy Auto-Discovery (WPAD
Revision Note: Advisory Updated: The registry key for the Configure a Domain Suffix Search List workaround has been corrected to the proper key of SearchList. Advisory Summary:Microsoft is investigating new public reports of a vulnerability in the way Windows resolves hostnames that do not include a fully-qualified domain name (FQDN). The technology that the vulnerability affects is Web Proxy Auto-Discovery (WPAD). Microsoft has not received any information to indicate that this vulnerability has been publicly used to attack customers, and Microsoft is not aware of any customer impact at this time. Microsoft is aggressively investigating the public reports. Customers whose domain name begins in a third-level or deeper domain, such as â??contoso.co.usâ??, or for whom the following mitigating factors do not apply, are at risk from this vulnerability.
sec_create_db(1m)sec_create_db(1m)NAME
sec_create_db - registry database creation utility
SYNOPSIS
sec_create_db {-master | -slave} -my[name] my_server_name
[-cr[eator] creator_name]
[-cu[nix_id] creator_unix_id]
[-g[roup_low_id] g_unix_id]
[-k[eyseed] keyseed]
[-ma[x_unix_id] max_unix_id]
[-o[rg_low_unix_id] o_unix_id] [-pa[ssword] default_password]
[-p[erson_low_unix_id] p_unix_id]
[-u[uid cell_uuid]
[-v[erbose]]
OPTIONS
Specifies whether the database for the master replica should be created (-master) or a database for a slave replica should be created
(-slave). All other sec_create_db options can be used with the -master option. Only the -myname, -keyseed, and -verbose options can be
used with the -slave option. Specifies the name that will be used by the Directory Service to locate the machine on which the cell's Secu-
rity Server is running. Specifies the principal name of the initial privileged user of the registry database (known as the "registry cre-
ator"). Specifies the UNIX ID of the initial privileged user of the registry database. If you do not enter the UNIX ID, it is assigned
dynamically. Specifies the starting point for UNIX IDs automatically generated by the Security Service when groups are added with the
rgy_edit command. Specifies a character string used to seed the random key generator in order to create the master key for the database
you are creating. It should be string that cannot be easily guessed. The master key is used to encrypt all account passwords. Each
instance of a replica (master or slave) has its own master key. You can change the master key using the sec_admin command. Specifies the
highest UNIX ID that can be assigned to a principal, group, or organization. Specifies the starting point for UNIX IDs automatically gen-
erated by the Security Service when organizations are added with the rgy_edit command. The default password assigned to the accounts cre-
ated by sec_create_db, including the account for the registry creator. If you do not specify a default password, -dce- is used. (Note
that the hosts/local_host/self none none, krbtgt/cell_name none none, and nobody none none accounts are not assigned the default password,
but instead a randomly generated password.) Specifies the starting point for UNIX IDs automatically generated by the Security Service when
principals are added with the rgy_edit command. Specifies the cell's UUID. If you do not enter this UUID, it is assigned dynamically.
Specifies that sec_create_db runs in verbose mode and displays all activity.
DESCRIPTION
The sec_create_db tool creates new master and slave databases in dcelocal/var/security/rgy_data on the machine from which sec_create_db is
run. Normally, these databases are created only once by the system configuration tool, dce_config. However, you can use sec_create_db if
you need to re-create the master or a slave databse from scratch. You must be root to invoke sec_create_db.
The sec_create_db -master option creates the master database on the machine on which it is run. This database is initialized with names
and accounts, some of them reserved. You must use the rgy_edit command to populate the database with objects and accounts.
When the master registry database is created, default ACL entries for registry objects are also created. These entries give the most priv-
ileged permission set to the principal named in the -cr[eator] option. If the principal is not one of the reserved names and accounts,
sec_create_db adds it as a new principal and adds an account for that new principal. If the -cr option is not used, root is the creator.
The sec_create_db -slave option creates a slave database on the machine on which it is run. This command creates a stub database on the
local node in dcelocal/var/security/rgy_data and adds the newly created replica to the master's replica list. The master then marks the
replica to be initialized when a Security Server is started on the slave's node.
The sec_create_db command also creates a registry configuration file, named dcelocal/etc/security/pe_site, that contains the network
address of the machine on which the database is created. This file supplies the binding address of the secd master server if the Naming
Service is not available.
FILES
The file containing the network address of the machine on which the security database is created. The directory in which the registry
database files are stored.
RELATED INFORMATION
Commands: secd(1m), sec_admin(1m)sec_create_db(1m)