DOCUMENT:Q99885 08-AUG-2001 [winnt] TITLE :Security Issues Occur Due to How WinNT Handles FPNWCLNT.DLL PRODUCT :Microsoft Windows NT PROD/VER:WinNT:4.0 OPER/SYS: KEYWORDS:kbenv ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Workstation version 4.0 - Microsoft Windows NT Server version 4.0 - Microsoft File and Print Services for NetWare version 4.0 ------------------------------------------------------------------------------- IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information on how to do this, view the Restoring the Registry online Help topic in Regedit.exe or the Restoring a Registry Key online Help topic in Regedt32.exe. SYMPTOMS ======== The following security issues may arise due to the way Windows NT handles Fpnwclnt.dll: - Windows NT Workstation Setup does not install Fpnwclnt.dll. By default, the NTFS permission on the %SystemRoot%\System32 folder allows Everyone to create new files. This means that anyone who is logged on locally or who has write access to a write-permissible share that includes the %SystemRoot%\System32 folder can place a "Trojan horse" version of Fpnwclnt.dll in the System32 folder. This version can intercept all passwords changed in the local computer's security account manager (SAM) database. If the computer is a member of a domain, changes to domain user account passwords are not trapped by the password filter. - Windows NT Server Setup installs Fpnwclnt.dll in the %SystemRoot%\System32 folder. If Fpnwclnt.dll is replaced on the Primary Domain Controller (PDC) with a "Trojan horse" DLL, the "Trojan horse" DLL will receive plain-text access to all password updates for the entire domain. However, by default, only a system administrator has access to logon interactively to the domain controller, and only system administrators have access to default file shares that include the System32 folder. The Fpnwclnt.dll file on Backup Domain Controllers (BDC) is never used because all domain password changes are processed at the PDC. NOTE: The default ACL on the System32 folder is that only Administrators can modify files but Everyone can add files. - Administrators can add their own DLL to the following registry key that can obtain the passwords: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA \Notification Packages RESOLUTION ========== WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall Windows. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the Changing Keys And Values online Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and Edit Registry Data topics in Regedt32.exe. Note that you should back up the registry before you edit it. Perform the following steps to resolve this problem: 1. Apply the latest Windows NT 4.0 Service Pack to remove the registry key on Windows NT Workstation. For information on obtaining the service pack, query on the following word in the Microsoft Knowledge Base (without the spaces): S E R V P A C K 2. Install Windows NT on an NTFS volume. 3. Make sure the ACL on the following registry key allows only Administrators and the System write access. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA 4. Make sure all values in the following registry key are for password filter packages that Setup intended to install. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA \Notification Packages 5. If you do not use FPNW or DSMN, go to the following registry key and remove the value FPNWCLNT. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA \Notification Packages 6. If you use FPNW or DSMN, make sure Fpnwclnt.dll in the %SystemRoot%\System32 folder is the version that ships with Windows NT 4.0 Service Pack 3 (05/01/97, 35,088) and that the NTFS ACL only permits access by administrators and the system. MORE INFORMATION ================ Fpnwclnt.dll is a dynamic link library that lets File and Print Services for NetWare (FPNW) and Directory Service Manager for NetWare (DSMN) perform password synchronization with Novell NetWare servers. Fpnwclnt.dll ships with Windows NT Server and is in the following default registry configuration: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA \Notification Packages Although FPNW or DSMN may not be installed on the PDC, this key exists because this is the only place to pick up password change notifications and FPNW must pick up these changes. Additional query words: access control list ====================================================================== Keywords : kbenv Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT400search kbWinNTSsearch kbWinNTS400search kbWinNTS400 kbServicesNetwareSearch kbFPNW400 Version : WinNT:4.0 ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.