DOCUMENT:Q184017 TITLE :Administrators can Display Contents of Service Account Passwords PRODUCT :Microsoft Windows NT PROD/VER:3.51 4.00 OPER/SYS:WINDOWS KEYWORDS:kbbug4.00 kbbug3.51 kbfix4.00 kbfile ntsecurity --------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Workstation versions 3.51 and 4.0 - Microsoft Windows NT Server versions 3.51 and 4.0 - Microsoft Windows NT Server Enterprise Edition version 4.0 - Microsoft BackOffice Small Business Server version 4.0 --------------------------------------------------------------------------- SYMPTOMS ======== A program is available on the Internet that allows a local Administrator, with full control of a Windows NT system, to use APIs published in the Win32 software development kit (SDK) for Windows NT to display the contents of security information stored by the Local Security Authority (LSA) in a form called LSA Secrets. LSA Secrets are used to store information such as the passwords for service accounts used to start services under an account other than local System. CAUSE ===== This is by design. Members of the local Administrators groups are trusted users that have the ability to access any information that can also be accessed by the operating system itself. RESOLUTION ========== The updates in the Windows NT 4.0 hotfix provide the following additional protection for the LSA Secret data: - Additional encryption for the LSA Secrets, which provides protection for this information when stored on backup tapes, the Emergency Repair Disk, or other registry backups. For maximum protection, you should also enable the System Key option. For information on System Key (Syskey.exe) functionality, please refer to the following article in the Microsoft Knowledge Base: ARTICLE-ID: Q143475 TITLE : Windows NT System Key Permits Strong Encryption of the SAM - The value of the LSA private data is not returned to remote clients over the network. - Calls to the Win32 APIs will not return LSA private data used for service accounts and other system components to unauthorized applications (non-system components). To resolve this problem in Windows NT 4.0, contact Microsoft Technical Support to obtain the following fix, or wait for the next Windows NT service pack. NOTE: Because this hotfix makes a modification to the on-disk storage of the LSA data information, Microsoft does not recommend that it be uninstalled. This fix should have the following time stamp: 04/22/98 06:05p 51,472 Eventlog.dll (Intel) 04/27/98 12:48p 154,896 Lsasrv.dll (Intel) 04/25/98 07:45p 18,704 Msaudite.dll (Intel) 05/08/98 07:42p 40,208 Msv1_0.dll (Intel) 05/08/98 07:42p 41,744 Samlib.dll (Intel) 05/08/98 07:42p 169,232 Samsrv.dll (Intel) 04/27/98 12:48p 130,832 Services.exe (Intel) 02/04/98 02:20p 84,240 Eventlog.dll (Alpha) 04/15/98 12:37p 253,200 Lsasrv.dll (Alpha) 04/02/98 06:24p 22,800 Msaudite.dll (Alpha) 05/08/98 07:42p 67,344 Msv1_0.dll (Alpha) 05/08/98 07:42p 78,608 Samlib.dll (Alpha) 05/08/98 07:42p 288,528 Samsrv.dll (Alpha) 04/24/98 05:55p 241,936 Services.exe (Alpha) NOTE: This hotfix supersedes the fix referred to in the following articles in the Microsoft Knowledge Base: ARTICLE-ID: Q154087 TITLE : Access Violation in LSASS.EXE Due to Incorrect Buffer Size ARTICLE-ID: Q174205 TITLE : LSASS May Use a Large Amount of Memory on a Domain Controller ARTICLE-ID: Q129457 TITLE : Anonymous Connections May Be Able to Obtain the Password Policy This hotfix has been posted to the following Internet location: NOTE: An updated version of this hotfix was posted on May 19, 1998. ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/ hotfixes-postSP3/lsa2-fix/ NOTE: The above link is one path; it has been wrapped for readability. STATUS ====== Windows NT 4.0 -------------- Microsoft has released a fully supported hotfix that provides additional protection of sensitive system information stored as LSA secrets. This hotfix has not been fully regression tested and should only be applied to systems determined to be at risk of attack. Please evaluate your system's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your system. If your system is sufficiently at risk, Microsoft recommends you apply this fix. Otherwise, wait for the next Windows NT service pack, which will contain this fix. Please contact Microsoft Technical Support for more information. Windows NT 3.51 --------------- A hotfix for Windows NT 3.51 is not available at this time. Additional query words: 3.51 4.00 security ============================================================================ THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.