OFF2000: No Prompt Opening Web Folder with Internet Explorer Security Set for Logon Prompt (282132)


The information in this article applies to:

  • Microsoft Excel 2000
  • Microsoft Outlook 2000
  • Microsoft PowerPoint 2000
  • Microsoft Word 2000
  • the operating system: Microsoft Windows 2000
  • the operating system: Microsoft Windows Millennium Edition
This article was previously published under Q282132

SYMPTOMS

When you open a Web folder or a Network Place to a location on the Internet or an intranet, there is no logon prompt that requests your user name and password. This occurs even though you configure your Microsoft Internet Explorer security settings to prompt for your user name and password.

CAUSE

This problem occurs when the following conditions are true:

  • You create a Web folder or a Network Place to an Internet location or intranet location.
  • Microsoft Internet Explorer version 5.x is installed on your computer.
  • In Internet Explorer, you click Internet Options on the Tools menu, and then click the Security tab to set the Logon under User Authentication to Prompt for user name and password.
  • One of the following is true:
    • Office 2000 is installed on your computer, and you are using Web folders.

      -or-
    • Your computer is running Microsoft Windows 2000 or Microsoft Windows Millennium Edition (Me).

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

Microsoft has released a patch that eliminates a security vulnerability in a component that is included with Microsoft Office 2000, Windows 2000, and Windows Me. Download and install the appropriate patch, according to your situation listed later in this article.

If an Office 2000 Family Product Is Installed on Your Computer

To resolve this problem, obtain the latest service pack for Microsoft Office 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

276367 OFF2000: How to Obtain the Latest Office 2000 Service Pack


IMPORTANT: Before you install Microsoft Office 2000 Service Pack 3 (SP-3), you must have Microsoft Office 2000 Service Release 1/1a (SR-1/SR-1a) installed first. To obtain Office 2000 Service Release 1/1a (SR-1/SR-1a), click the article number below to view the article in the Microsoft Knowledge Base:

245025 OFF2000: How to Obtain and Install Microsoft Office 2000 Service Release 1/1a (SR-1/SR-1a)



This problem was first corrected in the Web Client Security Update for Office 2000.

For additional information about how to obtain and install this update, click the article number below to view the article in the Microsoft Knowledge Base:

285338 OFF2000: Web Client Security Update for Office 2000 Available

If Your Operating System Is Windows Millennium Edition Without an Office 2000 Family Product Installed

To correct this problem, follow these steps to download and install the Web Extender Client (WEC) Security Update for Windows Me from the Microsoft Download Center:
  1. Click the following file name to download the file:

    Download 282132usam.exe now

  2. When prompted, save 282132usam.exe to your Desktop folder.
  3. After 282132USAM.EXE is downloaded, double-click 282132usam.exe. Click Yes to agree to the license agreement. Click OK after installation of the patch is complete.
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

If Your Operating System Is Windows 2000 Without an Office 2000 Family Product Installed

To correct this problem, follow these steps to download and install the Windows 2000 Security Patch from the Microsoft Download Center:
  1. Click the following file name to download the file:

    Download Q282132_w2k_sp2_x86_en.exe now

  2. When prompted, save Q282132_w2k_sp2_x86_en.exe to your Desktop folder.
  3. After Q282132_w2k_sp2_x86_en.exe is downloaded, double-click Q282132_w2k_sp2_x86_en.exe. Click Yes to agree to the license agreement. Click OK after installation of the patch is complete.
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 2. This problem has been fixed in the Microsoft Web Client Security Updates.

MORE INFORMATION

The Web Extender Client (WEC) is a component that is included with Office 2000, Windows 2000, and Windows Me. WEC permits Internet Explorer to view and publish files by means of Web folders, similar to viewing and adding files in a directory through Windows Explorer. Because of an implementation flaw, WEC does not respect the Internet Explorer Security settings regarding when NTLM authentication is to be performed. Instead, WEC performs NTLM authentication with any server that requests it. If a user establishes a session with a malicious user's Web site, either by browsing to the site or by opening an HTML e-mail that initiates a session with it, an application on the site could capture the user's NTLM credentials. The malicious user could then use an offline brute force attack to derive the password, or, with specialized tools, could submit a variant of these credentials in an attempt to access protected resources.

The vulnerability would only provide the malicious user with the cryptographically protected NTLM authentication credentials of another user. It would not, by itself, permit a malicious user to gain control of another user's computer or to gain access to resources to which that user has authorized access. To use the NTLM credentials (or a subsequently cracked password), the malicious user would have to be able to remotely log on to the target system. However, best practices dictate that remote logon services be blocked at border devices, and if these practices are followed, they would prevent an attacker from using the credentials to log on to the target system.

For more information about the Web Client Security Update for Office 2000, please visit the following Microsoft Security Bulletin:

http://www.microsoft.com/technet/security/bulletin/ms01-001.asp

An Example of the Problem

  1. If your operating system is Microsoft Windows 98, Windows 95, or Windows NT 4.0 Workstation with Office 2000 installed, follow these steps to add a Web folder:

    1. On the Desktop, double-click My Computer.
    2. Double-click Web Folders.
    3. Double-click Add Web Folder.
    4. Type the name of an intranet Web folder, click Next, and then click Finish.
    If your operating system is Windows Me or Windows 2000, follow these steps to add a Web folder:

    1. On the Desktop, double-click My Network Places.
    2. Double-click Add Network Place.
    3. Type the name of an intranet Web folder, click Next, and then click Finish.
  2. Start Microsoft Word, and save a document to the Web folder that you created in the previous step.
  3. Start Microsoft Internet Explorer.
  4. Click Internet Options on the Tools menu.
  5. Click the Security tab.
  6. Click Local Intranet, and then click Custom Level.
  7. Click Prompt for User Name and Password under Logon of User Authentication (at bottom of list), and then click OK.
  8. Click Yes when you are prompted to change the security settings for that zone, and then click OK.
  9. Close Internet Explorer, and the focus should return to the Web Folders folder or Network Places folder.
  10. Double-click the Web folder or Network Place that you created in step 1, and then open the document created in step 2. You can open the Word document from the Web folder without any logon prompt. You should be prompted to log on to the Web folder before opening the Word document.

How to Determine That the Patch Is Installed

Note that the Fp4awec.dll file in the Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin folder is updated to version 4.0.2.4715 after the Web Client Security Update for Office 2000 is installed. Right-click the Fp4awec.dll file from Windows Explorer, and then click the Version tab to confirm the version information.
Modification Type:MinorLast Reviewed:1/27/2005
Keywords:kbdownload kbdownload kbOffice2000SP3Fix kbbug kbfix kbgraphxlinkcritical kbWin2000PreSP2Fix KB282132
©2004 Microsoft Corporation. All rights reserved.