DOCUMENT:Q184017 TITLE :Administrators can Display Contents of Service Account Passwords PRODUCT :Microsoft Windows NT PROD/VER:3.51 4.00 OPER/SYS:WINDOWS KEYWORDS:kbbug4.00 kbbug3.51 kbfix4.00 kbfile ntsecurity --------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Workstation versions 3.51 and 4.0 - Microsoft Windows NT Server versions 3.51 and 4.0 - Microsoft Windows NT Server, Enterprise Edition version 4.0 - Microsoft BackOffice Small Business Server version 4.0 --------------------------------------------------------------------------- SYMPTOMS ======== A program is available on the Internet that allows a local Administrator, with full control of a Windows NT system, to use APIs published in the Win32 software development kit (SDK) for Windows NT to display the contents of security information stored by the Local Security Authority (LSA) in a form called LSA Secrets. LSA Secrets are used to store information such as the passwords for service accounts used to start services under an account other than local System. CAUSE ===== This is by design. Members of the local Administrators groups are trusted users that have the ability to access any information that can also be accessed by the operating system itself. RESOLUTION ========== The updates in this Windows NT 4.0 hotfix provide the following additional protection for the LSA Secret data: - Additional encryption for the LSA Secrets, which provides protection for this information when stored on backup tapes, the Emergency Repair Disk, or other registry backups. For maximum protection, you should also enable the System Key option. For information on System Key (Syskey.exe) functionality, please refer to the following article in the Microsoft Knowledge Base: ARTICLE-ID: Q143475 TITLE : Windows NT System Key Permits Strong Encryption of the SAM - The value of the LSA private data is not returned to remote clients over the network. - Calls to the Win32 APIs will not return LSA private data used for service accounts and other system components to unauthorized applications (non-system components). - This update includes a change to the privilege needed to open the Security Event log. Applications that open this log on systems running with this update installed fail unless the security privilege (SE_SECURITY_NAME) is enabled. Before You Apply The Hotfix --------------------------- Because this hotfix makes a modification to the on-disk storage of the LSA data information, Microsoft does not recommend that it be uninstalled. Perform the following steps to ease the transition back to a pre-LSA2-fix configuration in case you experience problems with the hotfix: 1. Perform a Full System Backup. 2. Run Rdisk /s. Using the /s command-line switch with Rdisk.exe causes the Sam._ and Security._ databases to be copied to the %Systemroot%\Repair folder. 3. Create a temporary folder under the %Systemroot% folder called Lsabackout. 4. Copy the following files from the %Systemroot\System32 folder to the %Systemroot%\Lsabackout folder as they are updated by LSA2-fix: Eventlog.dll Lsasrv.dll Msaudite.dll Msv1_0.dll Netcfg.dll Samlib.dll Samsrv.dll Services.exe Srvmgr.exe Xactsrv.dll 5. Create an updated Emergency Repair Disk (ERD) which updates the on-disk SAM and Registry information in the %Systemroot%\System32\Config folder. Microsoft has released a fully supported hotfix that provides additional protection of sensitive system information stored as LSA secrets. This fix has not been fully regression-tested and should be applied only to systems experiencing this specific problem. To resolve this problem immediately, download the fix as described below. If you are not severely impacted by this specific problem, Microsoft recommends that you wait for the next Windows NT service pack that contains this fix. For a complete list of Microsoft Technical Support phone numbers and information on support costs, please go to the following address on the World Wide Web: http://support.microsoft.com/support/supportnet/default.asp This fix should have the following file attributes: Date Time Size File Name Platform ------------------------------------------------------------ 02/19/98 03:20p 51,472 Eventlog.dll x86 04/27/98 12:48p 154,896 Lsasrv.dll x86 04/25/98 07:45p 18,704 Msaudite.dll x86 05/08/98 07:42p 40,208 Msv1_0.dll x86 05/13/98 04:32p 425,744 Netcfg.dll x86 06/22/98 08:25p 41,744 Samlib.dll x86 05/08/98 07:42p 169,232 Samsrv.dll x86 04/27/98 12:48p 130,832 Services.exe x86 06/22/98 09:04p 211,216 Srvmgr.exe x86 06/22/98 08:25p 88,336 Xactsrv.dll x86 02/04/98 02:20p 84,240 Eventlog.dll Alpha 04/15/98 12:37p 253,200 Lsasrv.dll Alpha 04/02/98 06:24p 22,800 Msaudite.dll Alpha 05/08/98 07:42p 67,344 Msv1_0.dll Alpha 05/13/98 04:33p 645,392 Netcfg.dll Alpha 06/22/98 08:25p 78,608 Samlib.dll Alpha 05/08/98 07:42p 288,528 Samsrv.dll Alpha 04/24/98 05:55p 241,936 Services.exe Alpha 06/22/98 09:00p 305,936 Srvmgr.exe Alpha 06/22/98 08:25p 170,768 Xactsrv.dll Alpha NOTE: This hotfix supersedes the fix referred to in the following articles in the Microsoft Knowledge Base: ARTICLE-ID: Q154087 TITLE : Access Violation in LSASS.EXE Due to Incorrect Buffer Size ARTICLE-ID: Q174205 TITLE : LSASS May Use a Large Amount of Memory on a Domain Controller ARTICLE-ID: Q129457 TITLE : Anonymous Connections May Be Able to Obtain the Password Policy This hotfix has been posted to the following Internet location as Lsa2fixi.exe (x86) and Lsa2fixa.exe (Alpha): NOTE: An updated version of this hotfix was posted on July 20, 1998 and provides an additional security level to systems running Windows NT 4.0 Service Pack 3. ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/ hotfixes-postSP3/lsa2-fix/ NOTE: The above link is one path; it has been wrapped for readability. If you run Systems Management Server on systems where this hotfix is applied, the SNMP Event Log Extension Agent (Snmpelea) generates the following Event ID 3007 error: Error opening event log file Security. Log will not be processed. Return code from OpenEventLog is 1314. The SNMP Event Log Extension Agent requires an update to manage the security event log. To resolve the SNMP Event Log Extension Agent problem, please see the following article in the Microsoft Knowledge Base: ARTICLE-ID: Q183770 TITLE : SMS: Snmpelea Unable to Open Security Event Log NOTE: If you contact Microsoft to obtain this fix, a fee may be charged. This fee is refundable if it is determined that you only require the fix you requested. However, this fee is non-refundable if you request additional technical support, if your no-charge technical support period has expired, or if you are not eligible for standard no-charge technical support. For more information about eligibility for no-charge technical support, see the following article in the Microsoft Knowledge Base: ARTICLE-ID: Q154871 TITLE : Determining If Your Product Is Eligible for No-Charge Technical Support Windows NT 3.51 --------------- A hotfix for Windows NT 3.51 is not available at this time. MORE INFORMATION ================ If you experience problems with this hotfix, perform the following steps to restore the system to its original configuration before applying the hotfix: 1. Perform a full system backup including the registry. This backup set should only be necessary if the following steps fail. 2. Rename the following files the %Systemroot%\System32 folder that were replaced by the hotfix: Eventlog.dll Lsasrv.dll Msaudite.dll Msv1_0.dll Netcfg.dll Samlib.dll Samsrv.dll Services.exe Srvmgr.exe Xactsrv.dll 3. Copy the original versions of these system files from the \%Systemroot%\Lsabackout folder to the %Systemroot%\System32 folder. 4. Restart the computer using the installation disks and select the option to repair the system. 5. Deselect all options except Inspect Registry Files and then continue. 6. Press the ESC key to indicate you wish to use the on-disk repair information. 7. Press ENTER to repair. 8. Click only Security (security policy) and SAM (user accounts database). WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. 9. Start Registry Editor (Regedt32.exe) and delete the Q184017 key from: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT \CurrentVersion\Hotfix NOTE: The above registry key is one path; it has been wrapped for readability. Additional query words: 3.51 4.00 ============================================================================ THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.