Windows NT null session user modals

Risk Level: Low

Check or Attack Name: Null Session User Modals

Platforms: Windows NT

Description:

Password policy information is available to non-authenticated users for all Windows NT systems prior to NT 4.0 with Service Pack 3 and the lsa2-fix. An attacker can access valuable information regarding password length, number of incorrect passwords before a user is locked out, and duration of user lockout.

Remedy:

Apply the latest Windows NT 4.0 Service Pack:

  1. Open a web browser.
  2. Go to http://support.microsoft.com/support/ntserver/Content/ServicePacks/ and follow the directions to download the appropriate service pack for your computer.
  3. Find the installation program you downloaded to your computer.
  4. Double-click the program icon to start the installation.
  5. Follow the installation directions.

—OR—

Windows NT 4.0 SP3 users must apply the post-SP3 lsa2-fix patch available from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/lsa2-fix/.

—AND—

The RestrictAnonymous registry value must be set to restrict anonymous access to password policy information:

WARNING: Incorrectly using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

  1. If you have not already done so, apply the latest Windows NT 4.0 Service Pack, or SP3 with the lsa2-fix patch.
  2. Open the Registry Editor. From the Windows NT Start menu, select Run, type regedt32, and click OK.
  3. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA key.
  4. From the Edit menu, select Add Value to display the Add Value dialog box.
  5. In the Value Name field, type RestrictAnonymous.
  6. Select REG_DWORD as the Data Type.
  7. Click OK to display the DWORD Editor.
  8. In the Data field, type 1. (Ignore the Radix setting.)
  9. Click OK. Registry Editor adds the value to the registry.
  10. Reboot the system to apply the changes.

Note: Changing the Registry entries is only effective after applying the latest Service Pack, or after applying the post-SP3 lsa2-fix patch and Service Pack 3.
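To verify the two conditions above across several hosts, the following added example (not part of the original advisory) audits a REGEDIT4 text export of the registry. It assumes the export includes the LSA key and the Windows NT CurrentVersion key, and that the CSDVersion string there reports the service pack; the function names and sample exports are constructed for illustration.

```python
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA"
VER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"

# Constructed sample exports (not taken from a real host).
HARDENED = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"CSDVersion"="Service Pack 4"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
'''
WEAK = HARDENED.replace("Pack 4", "Pack 3").replace("00000001", "00000000")

def parse_reg(text):
    # Map lower-cased key path -> {lower-cased value name: raw data string}.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys

def audit(text):
    """Return a list of findings; an empty list means both conditions hold."""
    keys, findings = parse_reg(text), []
    csd = keys.get(VER_KEY.lower(), {}).get("csdversion", "")
    m = re.search(r"Service Pack (\d+)", csd)
    sp = int(m.group(1)) if m else 0
    if sp < 3:
        findings.append("below SP3: the registry setting has no effect")
    elif sp == 3:
        # The export does not show hotfix state; this needs a manual check.
        findings.append("SP3: confirm the lsa2-fix patch is installed")
    # Assumption: service packs later than SP3 already include the fix.
    raw = keys.get(LSA_KEY.lower(), {}).get("restrictanonymous", "")
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m is None:
        findings.append("RestrictAnonymous missing or not REG_DWORD")
    elif int(m.group(1), 16) != 1:
        findings.append("RestrictAnonymous is not 1")
    return findings
```

Calling `audit()` on an export returns an empty list only when the service pack level and the RestrictAnonymous value both match the remedy.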

References:

Microsoft Knowledge Base Article Q129457, Anonymous Connections May Be Able to Obtain the Password Policy, http://support.microsoft.com/support/kb/articles/q129/4/57.asp

