NT 4.0 SP7; Win2K Post-SP1 Updates

IAS Authenticates Invalid Accounts. Did you know that anyone who can send an improperly formatted connection request to IAS can log on to your network with invalid credentials? When IAS receives an "unrecognized state attribute" from a network access server (NAS), IAS automatically accepts the access request and gives the specified user network access, even when the request contains a nonexistent user account or a valid user account but an incorrect password. This vulnerability results from a bug in the way the Extensible Authentication Protocol (EAP) handler caches connection data. When the connection endpoints negotiate Microsoft Challenge Handshake Authentication Protocol (MSCHAP), IAS incorrectly assumes that the remote user’s credentials are already cached and skips the authentication of incoming credentials.

I recommend that you call Microsoft Support immediately for the update to close this IAS vulnerability. The update contains one file, lasuserr.dll, with a file release date of February 12. Because Microsoft identified and corrected this problem only weeks before SP2 is scheduled to go public, the update probably won’t be included in SP2. See Microsoft article Q283859 for details.

LSA Memory Leak. LSA leaks memory during a Kerberos change-password request and when the module loads a security package. You might need to restart the computer to restore performance and to reduce the amount of memory lsass.exe consumes. The bug fix contains 16 files with mid-February release dates—although the update for an LSA access violation, which I discuss below, contains some of the same files, but with release dates in November 2000. Microsoft article Q288861 says absolutely nothing about whether the common modules in the memory leak update also include the corrections for the access violation.

Before you download and install either of these patches, I recommend that you call Microsoft Support to clarify the order in which you should install them and to make sure that one doesn't overwrite the other. If we’re lucky, Win2K SP2 will contain a proper combination that eliminates both problems with one set of files. You can download the English version of this update, q288861_w2k_sp2_x86_en.exe, from the Microsoft Web site.

Microsoft has also posted updates for French, German, Italian, Japanese, and Spanish systems on its download page. See Microsoft article Q288861 for other language-specific download locations.

LSA Cripples Post-SP1 Win2K DCs. In an LSA access violation problem, the LSA service might crash a Win2K domain controller (DC) and, in the worst case, prevent it from restarting. This problem can occur when you create many AddressBookContainer objects and the ntdsa.dll file has heap damage. If your system has this problem, you’ll probably see a warning with event ID 1173 in the system log with a source of NTDS General and the description "Internal event: Exception c0000005 has occurred with parameters 757ddeef and 0 (Internal ID 3040442)."

The patch that eliminates this problem, q279093_w2k_sp2_x86_en.exe, contains four files, lsasrv.dll, lsass.exe, ntdsa.dll, and samsrv.dll, with release dates in November 2000. You can download the English update from the Microsoft Web site . See Microsoft article Q279093 for information about downloading updates for other languages. Based on the date of the original correction, I expect that Microsoft will include this fix in SP2.

Win2K SP1 Socket Deadlock. Some Win2K SP1 systems experience a Windows socket problem that places the affected server into a loop that consumes 100 percent of CPU resources. A bug in the socket function call can prevent the socket function from responding to the creation request. When this happens, socket programs become unresponsive and the system hangs. This occurrence must be fairly common because the bug fix for English language systems is available for public download. The sockets fix updates eight modules, including tcpip.sys and wshtcpip.dll. You can get your copy from the Microsoft Web site.