LSA patch not applied |
---|
Risk Level: | Medium | Check or Attack Name: LSA patch for NT SP3 |
---|---|---|
Platforms: | Windows NT: 4.0 | |
Description: | An unpatched version of the Local Security Authority (LSA) subsystem exists, allowing an attacker to display sensitive security information. In addition, account lockout events, as a result of exceeding the Bad Logon Attempts limit, are not logged at Domain Controllers. Although the latter is not a vulnerability, it does create an inconvenience for administrators wanting to locate the computer originating the bad password attempts. |
|
Remedy: | Apply the latest Windows NT 4.0 Service Pack, or, on SP3, apply the post-SP3 lsa2-fix patch. To apply the latest Windows NT Service Pack, follow these steps:
Windows NT 4.0 SP3 users must apply the post-SP3 lsa2-fix patch available from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/lsa2-fix/. |
|
References: | Microsoft Knowledge Base Article Q184017, Administrators can Display Contents of Service Account Passwords, http://support.microsoft.com/support/kb/articles/q184/0/17.asp; Microsoft Knowledge Base Article Q182918, Account Lockout Event also Stored in Security Event Log on DC, http://support.microsoft.com/support/kb/articles/q182/9/18.asp; Microsoft Knowledge Base Article Q182918, Account Lockout Event also Stored in Security Event Log on DC, ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/lsa2-fix/Q182918.txt; Microsoft Knowledge Base Article Q184017, Administrators can Display Contents of Service Account Passwords, ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/lsa2-fix/Q184017.txt |