Description: |
The registry key that governs alternate security providers has improper permissions. If a user has the right to change the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key, then a notification DLL can be installed that captures every password change in plaintext, or even transmits it off site.
Microsoft shipped Windows NT 4.0 Workstation with the Notification Packages registry value set to FPNWCLNT, which allows any user with write permissions to the %systemroot%\system32 directory to insert a DLL that can process password changes. If the FPNWCLNT.DLL file is detected, the check verifies that its size matches the expected size. |
Remedy: |
Set permissions for LSA, or if the FPNWCLNT.DLL is not used, remove the FPNWCLNT string from the registry.
Restrict permissions on the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key to be written only by the System and Administrators:
WARNING: Incorrectly using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
To restrict registry access, follow these steps:
- Open Registry Editor. From the Windows NT Start menu, select Run, type regedt32, and click OK.
- Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key.
- From the Security menu, select Permissions to display the Registry Key Permissions dialog box.
- Use these guidelines to review the listed permissions:
  - Remove or change any permissions such as Everyone - Full Control. This default permission allows all users to read, modify, and even change ownership and permissions on the items in the key.
  - Review any names with Full Control permissions and determine if the permission is appropriate. Consider using Special Access, Read, or removing permissions if these names do not need to modify items in the key.
  - Review any names with Special Access permissions and determine if the permission is appropriate. Consider using Read or removing permissions if these names do not need to modify items in the key.
  - Review any names that should not be in the list, and remove the name or change their permission as appropriate.
—AND—
If the Notification Packages subkey is present, determine if an unauthorized security provider has been installed. If you detect an unauthorized security provider, then this machine should be considered compromised.
What to do if a computer's security is compromised:
- Immediately remove the computer from the network.
- Create a backup of the contents of the hard drive, or isolate the data on a non-networked storage device.
- Perform a low-level format of all hard drives on the computer.
- Reinstall the operating system.
- Configure the computer with the original user names, groups, and applications.
- Run Internet Scanner to determine vulnerabilities, and resolve detected vulnerabilities.
- Before using the files on the backup, scan all files using an up-to-date antivirus program, and copy only the files you know to be authorized on that computer.
- Reconnect the computer to the network.
—AND—
Choose one of the following options:
- If the Notification Packages subkey is present and your machine is using FPNW or DSMN, make sure Fpnwclnt.dll in the %SystemRoot%\System32 folder is the version that ships with Windows NT 4.0 Service Pack 3 (05/01/97, 35,088 bytes) and that the NTFS access control list only permits access by administrators and the system.
- If the Notification Packages subkey is present and FPNWCLNT.DLL is not being used, remove the FPNWCLNT string from this subkey. To disable FPNWCLNT.DLL:
  - Open Registry Editor. From the Windows NT Start menu, select Run, type regedt32, and click OK.
  - Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key.
  - Double-click the Notification Packages value.
  - If the FPNWCLNT string is present, highlight and delete it.
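The three checks the remedy describes (unexpected Notification Packages entries, an FPNWCLNT.DLL whose size differs from the 35,088-byte SP3 build, and write access on the Lsa key by anyone other than SYSTEM and Administrators) can be audited from PowerShell. The script below is an added example, not part of the original advisory or of Internet Scanner; the allowlist of expected packages and trusted principals is an assumption to tune per host.

```powershell
# Added audit example (not from the original advisory). Assumptions: the
# $expected and $trusted lists are the author's choices; the key path, the DLL
# path and the 35088-byte size come from the advisory text.
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$dllPath = Join-Path $env:SystemRoot 'System32\FPNWCLNT.DLL'
# 'scecli' is the built-in default on Windows 2000 and later; add 'FPNWCLNT'
# only if FPNW or DSMN is actually in use on this machine.
$expected = @('scecli')
# Principals allowed to hold write rights on the Lsa key (assumed list).
$trusted  = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
$findings = @()

# 1. Any notification package outside the allowlist is a possible rogue provider.
$pkgs = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages' `
            -ErrorAction SilentlyContinue).'Notification Packages'
foreach ($p in @($pkgs)) {
    if ($p -and ($expected -notcontains $p)) {
        $findings += "Unexpected notification package: $p"
    }
}

# 2. FPNWCLNT.DLL present but not the size of the NT 4.0 SP3 build.
if (Test-Path $dllPath) {
    $len = (Get-Item $dllPath).Length
    if ($len -ne 35088) {
        $findings += "FPNWCLNT.DLL is $len bytes; advisory expects 35088 (NT 4.0 SP3)"
    }
}

# 3. Write-capable ACEs on the Lsa key granted to untrusted principals.
$writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor `
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor `
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor `
             [System.Security.AccessControl.RegistryRights]::TakeOwnership
$acl = Get-Acl -Path $lsaKey -ErrorAction SilentlyContinue
foreach ($ace in @($acl.Access)) {
    $canWrite = ([int]$ace.RegistryRights -band [int]$writeMask) -ne 0
    if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
        ($trusted -notcontains $ace.IdentityReference.Value)) {
        $findings += "Write access on Lsa key granted to $($ace.IdentityReference.Value)"
    }
}

if ($findings.Count -eq 0) { 'No findings: Lsa key and Notification Packages look as expected.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from an elevated prompt, since reading the Lsa key's ACL requires administrative rights; any FINDING line maps directly to one of the remedy steps above.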