Windows NT Local Security Authority contents.gifindex.gif

Windows NT Local Security Authority

The scanner has detected that the registry key that governs alternate security providers either has improper permissions, has been altered, or the password processing library it refers to does not exist.

If a user has the right to change this key, a DLL can be installed which allows all password changes to be written to clear text, or even transmitted off site. If there is an alternate provider which has been intentionally installed, this test could yield a false positive. Examine the contents of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

value to ensure it has not been tampered with, and set the permissions on this key to allow it to be written only by the system and administrators.

Microsoft mistakenly shipped Windows NT 4.0 with the Notification Packages value set to FPNWCLNT, which allows any user with write permissions to the %systemroot%\system32 directory to insert a DLL which can process password changes. The scanner will verify if the file is installed, and if it is found, will check to see if it is the correct size.

Risk: Very high

OS Vulnerable: Windows NT

Fix: Set the permissions properly. If an unauthorized security provider has been installed, all accounts on this machine should be considered compromised. If the FPNWCLNT.DLL is not being used, remove the FPNWCLNT string from the Notification Packages value.