Microsoft KB Archive/99885

= Security Issues That May Occur Due to the Way Windows NT Handles FPNWCLNT.DLL =

Article ID: 99885

Article Last Modified on 10/31/2006

-

APPLIES TO


 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft File and Print Services for NetWare 4.0

-



This article was previously published under Q99885



IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information on how to do this, view the Restoring the Registry online Help topic in Regedit.exe or the Restoring a Registry Key online Help topic in Regedt32.exe.



SYMPTOMS
The following security issues may arise due to the way Windows NT handles Fpnwclnt.dll:

 Windows NT Workstation Setup does not install Fpnwclnt.dll. By default, the NTFS permission on the %SystemRoot%\System32 folder allows Everyone to create new files. This means that anyone who is logged on locally or who has write access to a write-permissible share that includes the %SystemRoot%\System32 folder can place a &quot;Trojan horse&quot; version of Fpnwclnt.dll in the System32 folder. This version can intercept all passwords changed in the local computer's security account manager (SAM) database. If the computer is a member of a domain, changes to domain user account passwords are not trapped by the password filter. Windows NT Server Setup installs Fpnwclnt.dll in the %SystemRoot%\System32 folder. If Fpnwclnt.dll is replaced on the Primary Domain Controller (PDC) with a &quot;Trojan horse&quot; DLL, the &quot;Trojan horse&quot; DLL will receive plain-text access to all password updates for the entire domain. However, by default, only a system administrator has access to logon interactively to the domain controller, and only system administrators have access to default file shares that include the System32 folder. The Fpnwclnt.dll file on Backup Domain Controllers (BDC) is never used because all domain password changes are processed at the PDC.

NOTE: The default ACL on the System32 folder is that only Administrators can modify files but Everyone can add files. Administrators can add their own DLL to the following registry key that can obtain the passwords:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA \Notification Packages





RESOLUTION
WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall Windows. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the Changing Keys And Values online Help topic in Registry Editor (Regedit.exe) or the &quot;Add and Delete Information in the Registry&quot; and Edit Registry Data topics in Regedt32.exe. Note that you should back up the registry before you edit it.

Perform the following steps to resolve this problem:

 Apply the latest Windows NT 4.0 Service Pack to remove the registry key on Windows NT Workstation. For information on obtaining the service pack, query on the following word in the Microsoft Knowledge Base (without the spaces):

S E R V P A C K

 Install Windows NT on an NTFS volume.</li> Make sure the ACL on the following registry key allows only Administrators and the System write access.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

</li> Make sure all values in the following registry key are for password filter packages that Setup intended to install.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA \Notification Packages

</li> If you do not use FPNW or DSMN, go to the following registry key and remove the value FPNWCLNT.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA \Notification Packages

</li> If you use FPNW or DSMN, make sure Fpnwclnt.dll in the %SystemRoot%\System32 folder is the version that ships with Windows NT 4.0 Service Pack 3 (05/01/97, 35,088) and that the NTFS ACL only permits access by administrators and the system.</li></ol>

<div class="moreinformation_section">

MORE INFORMATION
Fpnwclnt.dll is a dynamic link library that lets File and Print Services for NetWare (FPNW) and Directory Service Manager for NetWare (DSMN) perform password synchronization with Novell NetWare servers. Fpnwclnt.dll ships with Windows NT Server and is in the following default registry configuration:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA \Notification Packages

Although FPNW or DSMN may not be installed on the PDC, this key exists because this is the only place to pick up password change notifications and FPNW must pick up these changes.

Additional query words: access control list

Keywords: kbenv KB99885

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.