DOCUMENT:Q184017
TITLE   :Administrators can Display Contents of Service Account Passwords
PRODUCT :Microsoft Windows NT
PROD/VER:3.51 4.00
OPER/SYS:WINDOWS
KEYWORDS:kbbug4.00 kbbug3.51 kbfix4.00 kbfile ntsecurity
---------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Workstation versions 3.51 and 4.0
 - Microsoft Windows NT Server versions 3.51 and 4.0
 - Microsoft Windows NT Server, Enterprise Edition version 4.0
 - Microsoft BackOffice Small Business Server version 4.0
---------------------------------------------------------------------------

SYMPTOMS
========

A program is available on the Internet that allows a local Administrator,
with full control of a Windows NT system, to use APIs published in the
Win32 software development kit (SDK) for Windows NT to display the contents
of security information stored by the Local Security Authority (LSA) in a
form called LSA Secrets. LSA Secrets are used to store information such as
the passwords for service accounts used to start services under an account
other than local System.

CAUSE
=====

This is by design. Members of the local Administrators groups are trusted
users that have the ability to access any information that can also be
accessed by the operating system itself.

RESOLUTION
==========

The updates in this Windows NT 4.0 hotfix provide the following additional
protection for the LSA Secret data:

 - Additional encryption for the LSA Secrets, which provides protection for
   this information when stored on backup tapes, the Emergency Repair Disk,
   or other registry backups. For maximum protection, you should also
   enable the System Key option. For information on System Key (Syskey.exe)
   functionality, please refer to the following article in the Microsoft
   Knowledge Base:

      ARTICLE-ID: Q143475
      TITLE     : Windows NT System Key Permits Strong Encryption of the
                  SAM

 - The value of the LSA private data is not returned to remote clients over
   the network.

 - Calls to the Win32 APIs will not return LSA private data used for
   service accounts and other system components to unauthorized
   applications (non-system components).

 - This update includes a change to the privilege needed to open the
   Security Event log. Applications that open this log on systems running
   with this update installed fail unless the security privilege
   (SE_SECURITY_NAME) is enabled.

Contact Microsoft Technical Support to obtain the following fix, or wait
for the next Windows NT service pack.

Before You Apply the Hotfix:

Because this hotfix makes a modification to the on-disk storage of the LSA
data information, Microsoft does not recommend that it be uninstalled.
Perform the following steps to ease the transition back to a pre-LSA2-fix
configuration in case you experience problems with the hotfix:

1. Perform a Full System Backup.

2. Backup or make copies of all the files that will be updated by LSA2-fix.

3. Create an updated pre-LSA2-fix Emergency Repair Disk (ERD).

This fix should have the following time stamp:

   04/22/98  06:05p                51,472 Eventlog.dll (Intel)
   04/27/98  12:48p               154,896 Lsasrv.dll   (Intel)
   04/25/98  07:45p                18,704 Msaudite.dll (Intel)
   05/08/98  07:42p                40,208 Msv1_0.dll   (Intel)
   05/13/98  04:32p               425,744 Netcfg.dll   (Intel)
   06/22/98  08:25p                41,744 Samlib.dll   (Intel)
   05/08/98  07:42p               169,232 Samsrv.dll   (Intel)
   04/27/98  12:48p               130,832 Services.exe (Intel)
   06/22/98  09:04p               211,216 Srvmgr.exe   (Intel)
   06/22/98  08:25p                88,336 Xactsrv.dll  (Intel)

   02/04/98  02:20p                84,240 Eventlog.dll (Alpha)
   04/15/98  12:37p               253,200 Lsasrv.dll   (Alpha)
   04/02/98  06:24p                22,800 Msaudite.dll (Alpha)
   05/08/98  07:42p                67,344 Msv1_0.dll   (Alpha)
   05/13/98  04:33p               645,392 Netcfg.dll   (Alpha)
   06/22/98  08:25p                78,608 Samlib.dll   (Alpha)
   05/08/98  07:42p               288,528 Samsrv.dll   (Alpha)
   04/24/98  05:55p               241,936 Services.exe (Alpha)
   06/22/98  09:00p               305,936 Srvmgr.exe   (Alpha)
   06/22/98  08:25p               170,768 Xactsrv.dll  (Alpha)

NOTE: This hotfix supersedes the fix referred to in the following
articles in the Microsoft Knowledge Base:

   ARTICLE-ID: Q154087
   TITLE     : Access Violation in LSASS.EXE Due to Incorrect Buffer Size

   ARTICLE-ID: Q174205
   TITLE     : LSASS May Use a Large Amount of Memory on a Domain
               Controller

   ARTICLE-ID: Q129457
   TITLE     : Anonymous Connections May Be Able to Obtain the Password
               Policy

This hotfix has been posted to the following Internet location:

NOTE: An updated version of this hotfix was posted on July 20, 1998 and
provides an additional security level to systems running Windows NT 4.0
Service Pack 3.

   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/lsa2-fix/

MORE INFORMATION
================

If you experience problems with this hotfix, perform the following steps to
restore the system to its original configuration before applying the
hotfix:

1. Create a post-LSA2-fix ERD. This disk should only be necessary if the
   following steps fail.

2. Rename the current system files in the %Systemroot%\System32 folder that
   are being used by this hotfix.

3. Copy the original versions of these system files from
   \%Systemroot%\$NtUninstallQ184017$ to the %Systemroot%\System32 folder.

4. Use the pre-LSA2-fix ERD to start the computer and repair the Security
   hive.

5. Restart the computer to load the pre-LSA2-fix system files that can use
   the pre-LSA2-fix Security hive format.

STATUS
======

Windows NT 4.0
--------------

Microsoft has released a fully supported hotfix that provides additional
protection of sensitive system information stored as LSA secrets.

This hotfix has not been fully regression tested and should only be applied
to systems determined to be at risk of attack. Please evaluate your
system's physical accessibility, network and Internet connectivity, and
other factors to determine the degree of risk to your system. If your
system is sufficiently at risk, Microsoft recommends you apply this fix.
Otherwise, wait for the next Windows NT service pack, which will contain
this fix. Please contact Microsoft Technical Support for more information.

Windows NT 3.51
---------------

A hotfix for Windows NT 3.51 is not available at this time.

Additional query words: 3.51 4.00
============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.