Check or Attack Name: NtCsrssDos

The Microsoft Windows NT CSRSS.EXE Client Server Runtime Subsystem service can be used to launch a denial of service attack against hosts accepting interactive logins. CSRSS provides Windows NT services to client processes running on the local computer.

When all worker threads (by default, a maximum of 16) within the CSRSS service are awaiting user input, no new connections can be made, effectively hanging the system.

Apply the Windows NT 4.0 post-SP5 Csrss-fix update.

Windows NT 4.0 Service Pack 5 (SP5) users, apply the Csrss-fix update:

1. Open a web browser.
2. Go to ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP5/Csrss-fix/ .
3. View the readme.txt for versions and install instructions.
4. Download the appropriate patch for your operating environment.
5. Find the patch file you downloaded to your computer.
6. Double-click its icon to start the installation.
7. Follow the installation directions.

Microsoft Security Bulletin MS99-021, Patch Available for "CSRSS Worker Thread Exhaustion" Vulnerability, http://www.microsoft.com/security/bulletins/ms99-021.asp

Microsoft Knowledge Base Article Q233323, Exceeding MaxRequestThreads may Cause Windows NT to Hang, http://support.microsoft.com/support/kb/articles/q233/3/23.asp

CIAC Information Bulletin J-049, J-049: Windows NT, Two Denial-of-Service Vulnerabilities (Malformed LSA Request and CSRSS Worker Thread Exhaustion), http://ciac.llnl.gov/ciac/bulletins/j-049.shtml