Windows NT service user password found

Risk Level: High

Check or Attack Name: Service User Pwd

Platforms: Windows NT

Description:

A Windows NT service was detected running under an account other than LocalSystem, and it has revealed that account's password. If a service is installed under a domain-level account, compromising any workstation that runs the service also compromises the domain at that user's privilege level.

To detect this vulnerability, the machine must be assessed at the administrator level. This vulnerability may be an indication that the machine has other severe vulnerabilities.

Remedy:

Set the service to run in the local user context, or as LocalSystem.

  1. Open the Services control panel. From the Windows NT Start menu, select Settings, Control Panel, Services.
  2. Select the service.
  3. Click Startup.
  4. Set the service to either run under a local user context, or as LocalSystem.

Some services will not function properly if this setting is changed, so test your configuration carefully and contact the vendor for additional support.

—AND—

Windows NT 4.0 SP3 users can install the post-SP3 lsa2-fix to keep remote users from obtaining the password. However, some security researchers have demonstrated acquiring these passwords even with the fix installed, so the fix does not completely solve the problem. This capability is not widespread (as of September 1998), but may become common knowledge.
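
One way to inventory the condition described above on a current Windows host, as an added example that is not part of the original advisory or the scanner's own check: it lists each service's logon account and flags those running under a local or domain user. It assumes PowerShell 3.0 or later with the CIM cmdlets (not available on Windows NT 4.0 itself); the function name `Get-ServiceAccountClass` is hypothetical.

```powershell
# Added example: classify the logon account of every installed service.
# Assumption: PowerShell 3.0+ with Get-CimInstance; run from an elevated prompt.

function Get-ServiceAccountClass {
    param(
        [string]$StartName,                       # value of Win32_Service.StartName
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Built-in service identities on current Windows versions.
    $builtin = @(
        'LocalSystem',
        'NT AUTHORITY\SYSTEM',
        'NT AUTHORITY\LocalService',
        'NT AUTHORITY\NetworkService'
    )

    if (-not $StartName)                  { return 'None' }     # no logon account recorded
    if ($builtin -contains $StartName)    { return 'BuiltIn' }  # -contains ignores case
    if ($StartName -like 'NT SERVICE\*')  { return 'BuiltIn' }  # per-service virtual account
    if ($StartName -like '*@*')           { return 'Domain' }   # user@domain (UPN) form

    # DOMAIN\user form: ".\user" or "<this computer>\user" is a local account.
    $parts = $StartName -split '\\', 2
    if ($parts.Count -eq 2) {
        if ($parts[0] -eq '.' -or $parts[0] -eq $ComputerName) { return 'Local' }
        return 'Domain'
    }
    return 'Unknown'                                            # bare name, review by hand
}

# Report every service that runs as a user account rather than a built-in identity.
# 'Domain' rows are the case the advisory warns about: the account is valid
# beyond this one machine.
Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, StartName, State,
        @{ Name = 'AccountClass'
           Expression = { Get-ServiceAccountClass -StartName $_.StartName } } |
    Where-Object { $_.AccountClass -in 'Domain', 'Local', 'Unknown' } |
    Sort-Object AccountClass, Name |
    Format-Table -AutoSize
```

Each `Domain` row is a candidate for the remedy steps above; apply the same caution about services that stop working when their logon account is changed.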
