FPNWCLNT.DLL has incorrect checksum

Risk Level: High

Check or Attack Name: fpnwclnt checksum

Platforms: Windows NT

Description:

The registry key that governs alternate security providers has been altered. If a user has the right to change the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key, a DLL can be installed that records every password change in plaintext, or even transmits it off site.

Microsoft shipped Windows NT 4.0 Workstation with the Notification Packages registry key set to FPNWCLNT, which allows any user with write permission to the %systemroot%\system32 directory to insert a DLL that receives every password change. If FPNWCLNT.DLL is present, this check verifies that its file size matches the expected size.

Remedy:

Apply the latest Windows NT 4.0 Service Pack, convert to NTFS, verify the ACL allows proper access, and make sure all values for password filter packages are legitimate. Set registry permissions properly. If an unauthorized security provider has been installed, remove FPNWCLNT or validate the FPNWCLNT.DLL.

To apply the latest Windows NT 4.0 Service Pack:

  1. Open a web browser.
  2. Go to http://support.microsoft.com/support/ntserver/Content/ServicePacks/ and follow the directions to download the appropriate service pack for your computer.
  3. Find the installation program you downloaded to your computer.
  4. Double-click the program icon to start the installation.
  5. Follow the installation directions.

—AND—

If using a FAT (File Allocation Table) based system, convert to NTFS:

  1. Open a command-line window. From the Windows NT Start menu, select Run, type cmd, and click OK.
  2. Type: convert c: /fs:ntfs and press Enter.
  3. When the command has completed, reboot your system.
  4. From a command line, run chkdsk to make sure no errors are present.

—AND—

Restrict permissions on the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key to be written only by the System and Administrators.

WARNING: Incorrectly using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

To restrict registry access:

  1. Open Registry Editor. From the Windows NT Start Menu, select Run, type regedt32, and click OK.
  2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key.
  3. From the Security menu, select Permissions to display the Registry Key Permissions dialog box.
  4. Use these guidelines to review the listed permissions:
    • Remove or change any permissions such as Everyone - Full Control. This default permission allows all users to read, modify, and even change ownership and permissions on the items in the key.
    • Review any names with Full Control permissions and determine if the permission is appropriate. Consider using Special Access, Read, or removing permissions if these names do not need to modify items in the key.
    • Review any names with Special Access permissions and determine if the permission is appropriate. Consider using Read or removing permissions if these names do not need to modify items in the key.
    • Review any names that should not be in the list, and remove the name or change their permission as appropriate.

—AND—

To verify password filter packages:

  1. Open Registry Editor. From the Windows NT Start Menu, select Run, type regedt32, and click OK.
  2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages key.
  3. Verify that all values in this key are for password filter packages that Setup intended to install.

If the Notification Packages subkey is present, determine if an unauthorized security provider has been installed. If you detect an unauthorized security provider, then this machine should be considered compromised.

If you use FPNW or DSMN, validate the version of FPNWCLNT.DLL dated 05/01/97 at 35,088 bytes.

—OR—

If you do not use FPNW or DSMN, remove the FPNWCLNT value:

  1. Open Registry Editor. From the Windows NT Start menu, select Run, type regedt32, and click OK.
  2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages key.
  3. Select the FPNWCLNT value and click Delete.
  4. Verify the deletion.
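
The verification steps above, as an added Python example that is not part of the original advisory: it reads the Notification Packages value under the Lsa key (on Windows, via winreg), flags any entry outside an expected set, and checks FPNWCLNT.DLL against the 35,088-byte, 05/01/97 reference given above. Off Windows it runs on a constructed sample; the EXPECTED set, the sample package names and the sample file sizes are assumptions.

```python
import os
import sys
from datetime import date

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
FPNWCLNT_SIZE = 35088              # bytes, from the advisory
FPNWCLNT_DATE = date(1997, 5, 1)   # from the advisory
# Assumption: the packages Setup was expected to install on this host.
EXPECTED = {"FPNWCLNT"}

def audit_packages(packages, file_stats):
    """Return [(package, finding), ...] for the Notification Packages list.

    packages   -- strings from the REG_MULTI_SZ value (LSA appends ".dll")
    file_stats -- {name: (size_bytes, modified_date)} or None when the DLL
                  is missing from %systemroot%\\system32
    """
    findings = []
    for name in packages:
        if name.upper() not in EXPECTED:
            findings.append((name, "not an expected package; possible unauthorized provider"))
        stats = file_stats.get(name)
        if stats is None:
            findings.append((name, "DLL not present in system32"))
            continue
        size, mtime = stats
        if name.upper() == "FPNWCLNT" and size != FPNWCLNT_SIZE:
            findings.append((name, f"size {size} bytes (expected {FPNWCLNT_SIZE}, dated {FPNWCLNT_DATE})"))
        elif name.upper() == "FPNWCLNT" and mtime != FPNWCLNT_DATE:
            findings.append((name, f"size ok but dated {mtime}; confirm against {FPNWCLNT_DATE}"))
    return findings

def read_live_state():
    """Windows only: read the value with winreg and stat each listed DLL."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        packages, _ = winreg.QueryValueEx(key, "Notification Packages")
    system32 = os.path.join(os.environ["SystemRoot"], "system32")
    stats = {}
    for name in packages:
        path = os.path.join(system32, name + ".dll")
        st = os.stat(path) if os.path.exists(path) else None
        stats[name] = (st.st_size, date.fromtimestamp(st.st_mtime)) if st else None
    return packages, stats

# Constructed sample: a tampered FPNWCLNT.DLL plus an extra package with no DLL on disk.
SAMPLE_PACKAGES = ["FPNWCLNT", "PWHOOK"]
SAMPLE_STATS = {"FPNWCLNT": (40960, date(1999, 3, 2)), "PWHOOK": None}

if __name__ == "__main__":
    pkgs, stats = read_live_state() if sys.platform == "win32" else (SAMPLE_PACKAGES, SAMPLE_STATS)
    for pkg, finding in audit_packages(pkgs, stats) or [("-", "no findings")]:
        print(f"{pkg}: {finding}")
```

A correct size with a different date is reported separately, since file timestamps shift with time zones and copies; treat that line as a prompt to compare the file against a known-good copy rather than as proof of tampering.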

References:

Microsoft Knowledge Base Article Q99885, Security Issues Occur Due to How WinNT Handles FPNWCLNT.DLL, http://support.microsoft.com/support/kb/articles/q99/8/85.asp
