LSA registry key altered

Risk Level: High

Check or Attack Name: ntpwdll

Platforms: Windows NT

This system was found with an altered LSA registry key. This setting may expose all new passwords in plaintext. Changing a password or adding a user calls the security provider with the user ID and plaintext password. If an unauthorized security provider has been installed, all account information may have been rerouted in plaintext to an unauthorized location.


Restrict write permissions on the key to Administrators or System, or remove the FPNWCLNT.DLL security provider program.

To set permissions for the ACL key, follow these steps:

  1. Open the Registry Editor. From the Windows NT Start Menu, select Run, type regedt32, and click OK.
  2. Go to the HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Lsa/ registry key.
  3. From the Security menu, select Permissions to display the Registry Key Permissions dialog box.
  4. Verify that the permissions only allow write access to Administrators and System.


To remove the FPNWCLNT value, follow these steps:

  1. Open the Registry Editor. From the Windows NT Start Menu, select Run, type regedt32, and click OK.
  2. Go to the HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Lsa/Authentication Packages registry key.
  3. Click the FPNWCLNT value and click Delete.
  4. Verify the deletion.
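
The two verification steps above (key permissions and the FPNWCLNT entry) as a read-only PowerShell audit. This is an added example, not part of the original advisory. It assumes a Windows system where PowerShell is available (Windows NT 4.0 itself predates it), and it also inspects the Notification Packages value, which the advisory does not name.

```powershell
# Read-only audit of the LSA key named in the advisory; changes nothing.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Principals the advisory permits to write, as well-known SIDs.
$allowedSids = @(
    'S-1-5-32-544'   # BUILTIN\Administrators
    'S-1-5-18'       # NT AUTHORITY\SYSTEM
)

# Rights that let a principal alter the key, its values or its ACL.
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

# Explicit and inherited ACEs, with identities returned as SIDs.
$rules = (Get-Acl -Path $lsaPath).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$aclFindings = foreach ($rule in $rules) {
    $isAllow  = $rule.AccessControlType -eq 'Allow'
    $canWrite = ([int]$rule.RegistryRights -band $writeMask) -ne 0
    $sid      = $rule.IdentityReference.Value
    if ($isAllow -and $canWrite -and ($allowedSids -notcontains $sid)) {
        [pscustomobject]@{
            Sid       = $sid
            Rights    = $rule.RegistryRights
            Inherited = $rule.IsInherited
        }
    }
}

# Look for FPNWCLNT in the multi-string package lists under the key.
# 'Notification Packages' is an assumption of this example, not from the page.
$lsaValues = Get-ItemProperty -Path $lsaPath
$packageFindings = foreach ($name in 'Authentication Packages', 'Notification Packages') {
    foreach ($entry in @($lsaValues.$name)) {
        if ($entry -match '^FPNWCLNT(\.DLL)?$') {
            [pscustomobject]@{ Value = $name; Entry = $entry }
        }
    }
}

if ($aclFindings) {
    'Write access granted beyond Administrators and System:'
    $aclFindings | Format-Table -AutoSize
} else { 'Key ACL: only Administrators and System hold write access.' }

if ($packageFindings) {
    'FPNWCLNT is registered as a security provider:'
    $packageFindings | Format-Table -AutoSize
} else { 'FPNWCLNT is not listed in the checked package values.' }
```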
