JSI Tip 0289 - Beware of the Trojan horse.
October 27, 1997
In tip 081, we learned about implementing enhanced password functionality. This mechanism can be abused: a Trojan horse version of a password filter DLL receives every password change and can expose the passwords in plain text.
The threat:
Workstation: The default permissions allow anyone who is logged on locally, or anyone with write access to a share that includes the %SystemRoot%\System32 directory, to place a Trojan horse version of fpnwclnt.dll in that folder. This Trojan horse will be able to intercept all changes in the local Security Account Manager (SAM) database. If the workstation is a member of a domain, changes to the domain password are not trapped by the password filter.
Server: fpnwclnt.dll is installed by default. If a Trojan horse is substituted on the Primary Domain Controller (PDC), it will receive domain password changes in plain text. The default permissions only allow Administrators to log on locally, and only Administrators have write access to the %SystemRoot%\System32 folder. Password filters on a BDC are not used.
Both: Administrators can add their own DLL to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages registry entry to capture passwords.
The Fix:
1. Apply Service Pack 3.
2. Install Windows NT on an NTFS partition.
3. Using Regedt32, edit HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA and, with Security / Permissions, allow only Administrators and System to have write access.
4. Double click on Notification Packages and ensure that only valid password filter packages are listed.
5. If you don't use FPNW (File and Print Services for NetWare) and DSMN (Directory Service Manager for NetWare), remove the fpnwclnt entry from Notification Packages.
6. If you use FPNW or DSMN, make sure fpnwclnt.dll in the %SystemRoot%\System32 folder is the version that ships with Windows NT 4.0 Service Pack 3 (05/01/97, 35,088) and that NTFS permissions only permit access by administrators and the system.
Consider implementing tip 119 to restrict administrator access to the registry.
Note: If FPNW or DSMN is installed in your domain, but not on the PDC, the PDC registry key is used.
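The checks in steps 3 to 6 can be scripted. The audit below is an added example, not part of the original tip: it lists every DLL registered under Notification Packages, reports size, date and signature status of each one in %SystemRoot%\System32, and flags any ACE on the LSA key or on a filter DLL that grants write access to a principal other than Administrators, SYSTEM or TrustedInstaller. It assumes an elevated PowerShell 3.0 or later session; the trusted-principal list is an assumption you may need to widen for your environment.

```powershell
# Added audit script (not part of the original tip). Assumes it is run
# elevated on PowerShell 3.0+; the trusted principal list is an assumption.
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
             'NT SERVICE\TrustedInstaller')

function Get-UntrustedWriters {
    # Returns "identity : rights" for every Allow ACE on $Path that grants a
    # write-capable right to a principal not in $trusted. Works for both
    # registry keys (RegistryRights) and files (FileSystemRights).
    param([string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) {
            $ace.FileSystemRights } else { $ace.RegistryRights }
        if ("$rights" -match 'FullControl|Modify|Write|Delete|SetValue|CreateSubKey') {
            "$($ace.IdentityReference.Value) : $rights"
        }
    }
}

# Step 3: who can write to the LSA key itself?
$badKey = @(Get-UntrustedWriters -Path $lsaKey)
if ($badKey) { Write-Warning "LSA key writable by: $($badKey -join '; ')" }

# Step 4/5: what is actually registered?
$packages = @((Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages')
"Registered password filters: $($packages -join ', ')"

# Step 6: inspect each DLL that LSA will load at boot.
foreach ($name in $packages) {
    $dll = Join-Path $env:SystemRoot "System32\$name.dll"
    if (-not (Test-Path $dll)) {
        Write-Warning "$name is registered but $dll does not exist; remove the entry or restore the DLL"
        continue
    }
    $file = Get-Item -Path $dll
    $sig  = Get-AuthenticodeSignature -FilePath $dll
    '{0,-14} {1,10} bytes  {2:yyyy-MM-dd}  signature={3}' -f $name, $file.Length, $file.LastWriteTime, $sig.Status
    $badFile = @(Get-UntrustedWriters -Path $dll)
    if ($badFile) { Write-Warning "$dll writable by: $($badFile -join '; ')" }
}
```

Compare the printed size and date of fpnwclnt.dll against the Service Pack 3 values in step 6; any warning about an untrusted writer means step 3 or the NTFS permissions in step 6 have not been applied.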