FPNWCLNT.DLL not found

Risk Level: High

Check or Attack Name: fpnwclnt

Platforms: Windows NT

Description:

The registry key that governs alternate security providers refers to a password processing library that does not exist. If a user has the right to change the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key, then a DLL file can be installed that writes all password changes out in cleartext, or even transmits them off site.

Microsoft shipped Windows NT 4.0 Workstation with the Notification Packages registry value set to FPNWCLNT, which allows any user with write permissions to the %systemroot%\system32 directory to insert a DLL that can process password changes. If the FPNWCLNT.DLL file is detected, this check verifies that it is the correct size.

Remedy:

Restrict permissions on the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key so that only the System and Administrators can write to it:

WARNING: Incorrectly using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

To restrict registry access, follow these steps:

  1. Open the Registry Editor. From the Windows NT Start menu, select Run, type regedt32, and click OK.
  2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key.
  3. From the Security menu, select Permissions to display the Registry Key Permissions dialog box.
  4. Use these guidelines to review the listed permissions:
    • Remove or change any permissions such as Everyone - Full Control. This default permission allows all users to read, modify, and even change ownership and permissions on the items in the key.
    • Review any names with Full Control permissions and determine if the permission is appropriate. Consider using Special Access, Read, or removing permissions if these names do not need to modify items in the key.
    • Review any names with Special Access permissions and determine if the permission is appropriate. Consider using Read or removing permissions if these names do not need to modify items in the key.
    • Review any names that should not be in the list, and remove the name or change their permission as appropriate.

—AND—

If the Notification Packages value is present, determine if an unauthorized security provider has been installed. If you detect an unauthorized security provider, then this machine should be considered compromised.

—AND—

Choose one of the following options:

  • If the Notification Packages value is present and your machine is using FPNW or DSMN, make sure Fpnwclnt.dll in the %SystemRoot%\System32 folder is the version that ships with Windows NT 4.0 Service Pack 3 (05/01/97, 35,088 bytes) and that the NTFS access control list only permits access by administrators and the system.
  • If the Notification Packages value is present and FPNWCLNT.DLL is not being used, remove the FPNWCLNT string from this value.

To disable FPNWCLNT.DLL, follow these steps:

  1. Open the Registry Editor. From the Windows NT Start menu, select Run, type regedt32, and click OK.
  2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key.
  3. Double-click the Notification Packages value.
  4. If the FPNWCLNT string is present, highlight and delete it.
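
The check described above (a Notification Packages entry whose DLL is absent from System32, plus the size comparison for Fpnwclnt.dll) can be expressed as a short audit routine. This is an added example, not ISS or Microsoft code; the function names and status strings are assumptions, and the demo uses constructed files in a temporary directory in place of %SystemRoot%\System32.

```python
import os
import tempfile

# Reference size the page gives for the Service Pack 3 Fpnwclnt.dll.
EXPECTED_SIZES = {"fpnwclnt": 35088}
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"

def read_notification_packages():
    """Read the live REG_MULTI_SZ value (Windows only); returns a list of names."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        return winreg.QueryValueEx(key, "Notification Packages")[0]

def audit_notification_packages(packages, system32_dir):
    """Classify each entry: missing, size-mismatch, ok, or present-unverified."""
    # Case-insensitive file lookup, matching Windows file name semantics.
    on_disk = {name.lower(): name for name in os.listdir(system32_dir)}
    findings = []
    for pkg in packages:
        name = pkg.strip().lower()
        if not name:
            continue
        dll = on_disk.get(name + ".dll")
        if dll is None:
            # Entry names a library that does not exist: the condition this check reports.
            findings.append((pkg, "missing"))
            continue
        size = os.path.getsize(os.path.join(system32_dir, dll))
        expected = EXPECTED_SIZES.get(name)
        if expected is None:
            findings.append((pkg, "present-unverified"))
        else:
            findings.append((pkg, "ok" if size == expected else "size-mismatch"))
    return findings

def demo():
    """Run the audit against a constructed directory standing in for System32."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results["absent"] = audit_notification_packages(["FPNWCLNT"], d)
        path = os.path.join(d, "Fpnwclnt.dll")
        with open(path, "wb") as f:
            f.write(b"\0" * 35088)  # constructed file of the expected size
        results["expected"] = audit_notification_packages(["FPNWCLNT"], d)
        with open(path, "ab") as f:
            f.write(b"\0")  # one byte larger: not the reference DLL
        results["altered"] = audit_notification_packages(["FPNWCLNT", "OTHERPKG"], d)
    return results
```

Size is the only reference the page gives for the file; a matching size does not prove the DLL is the original, so an "ok" result still warrants the permission review described above.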

References:

Microsoft Knowledge Base Article Q99885, Security Issues Occur Due to How WinNT Handles FPNWCLNT.DLL, http://support.microsoft.com/support/kb/articles/q99/8/85.asp

